Before my bank supported smartphones, they used a smartcard reader that you'd put your debit card into (a vasco digipass). The earlier model required you to type in a numerical challenge, a later model used a digipass that can scan a QR like code (that uses colors for higher data density).
Another bank's employees used a physical RSA securid TOTP token (which was a bad idea since RSA hung onto the seeds and got hacked).
(TOTP can also be added to feature phones, it's fairly straightforward. There's open source java ME projects.)
Corporate clients with their competitor had been using MSDOS based banking software that came with a hardware token that ingested a challenge as flashes of light from the screen, which was pretty neat! It didn't read a debit card, the seed was just baked in.
Before banks started shipping physical tokens or card readers, they would send you a list of one time codes to approve transactions.
Note that Google also has the option to generate such codes (although you get 6, not 50 at a time), so you can get into your account even if your phone is stolen.
All of those worked in the age before smartphones.
Now, there's also passkey/U2F/FIDO2 based hardware keys you can provision yourself and buy from several vendors, like Yubikey or Token2.
There's plenty of reasons to be salty about the smartphone duopoly and surveillance economy, but for 2FA there's plenty of alternatives. And if you do use a smartphone, you could always use an open source authenticator app.
Ha, in Swiss biggest bank by nr of clients (PostFinance), I log into ebanking with card reader (their yellow calculator-like thingie). Reader reads the payment card, asks for key from ebanking (after entering username & password), after entering it asks for card's pin, gives back resulting code which goes to ebanking.
If I count correctly its checking 1) username/password; 2) currently holding my payment card; 3) card's pin
Even if I don't count owning reader itself as another point of security (since it can be obtained ie via social engineering and its a simple generic device) its at least 3-factor auth and its still the most secured ebanking from all banks I have. Annoying a bit to log into but this is one place I don't mind it at all. And no phone involved in any step, for which I am very glad (not having yet another thing to manage, keep updated, worry and chase cancellation when lost/stolen).
Another bank's employees used a physical RSA securid TOTP token (which was a bad idea since RSA hung onto the seeds and got hacked).
(TOTP can also be added to feature phones, it's fairly straightforward. There's open source java ME projects.)
Corporate clients with their competitor had been using MSDOS based banking software that came with a hardware token that ingested a challenge as flashes of light from the screen, which was pretty neat! It didn't read a debit card, the seed was just baked in.
Before banks started shipping physical tokens or card readers, they would send you a list of one time codes to approve transactions.
Note that Google also has the option to generate such codes (although you get 6, not 50 at a time), so you can get into your account even if your phone is stolen.
All of those worked in the age before smartphones.
Now, there's also passkey/U2F/FIDO2 based hardware keys you can provision yourself and buy from several vendors, like Yubikey or Token2.
There's plenty of reasons to be salty about the smartphone duopoly and surveillance economy, but for 2FA there's plenty of alternatives. And if you do use a smartphone, you could always use an open source authenticator app.