Deutsche Bank does this for online transactions. All your purchases and, if I remember correctly, bank to bank transfers require you to refer to a sheet of TAN numbers that is mailed to you when you open an account. It was surprisingly annoying at first but I got used to it.
These lists of TAN [1] numbers are phased out everywhere around me. They usually were hard to carry with you (just as a token, but more easy to destroy), had usability problems:
- Ordered lists: You could only use a number that followed the last used one. So if you had 10 numbers and used the 9th by accident, all previous were void. Forgetting to cross out the used numbers lead to annoyance and the 'dammit, guess I used that number already' factor decreased security (someone could've used the next TAN on your list and you'd ignore the error and think it was your fault)
- A list with columns/rows: The server would know about your 'state' and ask you for a TAN in a specific location. Think of copy protection around the time of Monkey Island.. Progress in a couple of ways, but finicky.
- You had to manage the list to make sure that you don't run out of numbers (the second 'solution' above could help a little, but if you planned to do 10 transaction a day and had only 9 digits left: Bad luck).
Right now, as others said already, you're using your direct debit card with a chip inside combined with a tiny TAN generator that looks like one of these crappy currency calculators. You enter your transaction (you already logged in before, with or without a TAN), the server tells you to enter a checksum (parts of it are clearly identifiable as information that you just entered) into your device w/ the direct debit card inserted to receive a one-time only TAN. Done.
A mobile option is usually present (my bank asks me everytime I log in if I want to use TANs generated by that gadget or being sent to my mobile number), but I actually prefer the other option.
