Re: @Sane ...
That'd help, certainly. But the problem comes when someone loses the code. There has to be a recovery system; "sorry sir, you shouldn't have dropped your phone in the pool, now you can't ever get a loan again" isn't going to cut it. So how will they identify you to recover the lost code? Probably with the same information an attacker would have gotten from a data breach.
The fundamental problem is that financial companies generally don't know who their customers are anymore, and there's no good way for them to verify it. I'm not sure how you fix that. The current schemes (SSN and mother's maiden name) are laughable, but it's not immediately obvious to me how to do better.
