Most internet banking apps send you an SMS or allow you to enter a password to access full banking features. Someone who has access to your phone already has access to your SMS and password generator app.<p>Historically, your phone was a 2nd factor, but not anymore. Why do app developers ignore this basic thing?
I feel like you're glossing over several factors. In your scenario:<p>1: Person must have physical access and control of your phone.<p>2: Person must have phone PIN code or password, in order to unlock phone and access either SMS, banking app, or password app. Or somehow brute force password or decrypt phone contents.<p>3: Person must have either password for banking app or password to password app to gain banking password.<p>If you're not using passwords (and different ones at that) for your phone, password manager, and banking apps, then <i>that's</i> the hole in your security, not from using SMS as a second factor.<p>There are issues with using SMS in 2FA, but they're not the issues that you've brought up.