In Poland it's SMS OTPs, bank app (heavily recommended and in some cases enforced by the bank) or additionally paid physical TOTP token devices. And almost all banks throw a hissy fit once you have some sort of vector of root detection left open.