Many German banks send out "TAN lists" to their customers - these are essentially numbered lists of six-digit numbers, usually 100 or so "TAN numbers" on each list.
When you log in to the bank's website (using a normal username/password combination) and request to make a transaction, the site asks you for one specific number from your list - e.g. "TAN number 64". You look down your list, find the appropriate six digit number, enter it, the bank checks it against what's been issued to you, and the transaction is authorized. You cross that TAN off your list because it's been "used up" and will never be requested again.
Yes, I realise this is a rather low-tech approach, but somehow it really appeals to me. I know a burglar could steal the list, but somehow burglars aren't really my biggest worry as far as on-line banking is concerned :-)
Why don't more banks use this approach, I wonder?