Oddbean
I hate banks making a very complicated login procedure with proprietary 2FA that can somehow be bypassed if you use their banking app on your registered phone with fingerprint login. The more complex and confusing it is, the more people choose bad passwords and try to avoid entering anything at all if they have the option to.

They could use standard WebAuthn and passkeys, which are way easier to use and probably safer, and which people could use with many accounts and get used to in the long term, so they would not try to shortcut it or get tricked into unlocking their account for a scammer because they have no clue what's going on.
BE-Pass is their 2FA application. It's not bad, as it shows you some details, but in the case of the password it does not show you the new password, so if you get two requests in the BE-Pass app they look the same and you don't know which new password you are confirming: the attacker's or yours.

Google Authenticator would require me to enter the code into the website where I requested the password update, while the hacker would need me to give him the code. I think it's more transparent that giving that code over the phone is a blind signature than it is when they trick me into clicking a mere button in the 2FA app.
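As an added example, not code from the post or from the bank's BE-Pass app, the Python below models the two flows the reply contrasts. `PushApprovalServer` is a hypothetical push-to-approve server: with `show_details=False` two concurrent password-change prompts are identical strings, with `show_details=True` each prompt is bound to its request (origin plus a short check code the website also shows the person who initiated it). `CodeEntryServer` models the authenticator-code flow with a standard RFC 6238 TOTP: the code is only accepted in the session that asked for the change. Class names, session ids, IP addresses and passwords are constructed for the example.

```python
import hashlib
import hmac
import secrets
import struct


# --- Push-to-approve second factor (hypothetical model of the flow in the post) ---

class PushApprovalServer:
    """show_details=False: the phone prompt is a generic 'Confirm password change?'
    show_details=True:  the prompt names the request origin and carries a check
                        code that the website also shows to the requester."""

    def __init__(self, show_details):
        self.show_details = show_details
        self.pending = {}   # request_id -> request record

    def request_password_change(self, origin, new_password):
        request_id = secrets.token_hex(4)
        # Commit to the new password; the password itself never goes to the phone.
        commitment = hashlib.sha256(new_password.encode()).hexdigest()
        record = {"origin": origin, "check_code": commitment[:6]}
        self.pending[request_id] = record
        # What the website shows to whoever initiated this particular request.
        return {"request_id": request_id, "check_code": record["check_code"]}

    def phone_prompt(self, request_id):
        record = self.pending[request_id]
        if self.show_details:
            return (f"Confirm password change requested from {record['origin']}? "
                    f"Check code {record['check_code']}")
        return "Confirm password change?"


def simulate_concurrent_requests(show_details):
    """Return (prompt for the user's own request, prompt for the attacker's
    request, check code the website showed the user)."""
    server = PushApprovalServer(show_details)
    # Constructed sample data: the user and an attacker request a change at once.
    user_view = server.request_password_change("192.0.2.10 (home)", "user-new-pw")
    attacker_view = server.request_password_change("203.0.113.7 (unknown)", "attacker-pw")
    return (server.phone_prompt(user_view["request_id"]),
            server.phone_prompt(attacker_view["request_id"]),
            user_view["check_code"])


# --- Code-entry second factor (TOTP, RFC 6238) -------------------------------

def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226) with HMAC-SHA1 and dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """TOTP (RFC 6238): HOTP over the current 30-second window."""
    return hotp(secret, int(unix_time // step), digits)


class CodeEntryServer:
    """The TOTP code must be typed into the same session that requested the
    change, so a second session never benefits from the user's approval."""

    def __init__(self, totp_secret):
        self.totp_secret = totp_secret
        self.pending = {}   # session_id -> new password

    def request_password_change(self, session_id, new_password):
        self.pending[session_id] = new_password

    def confirm(self, session_id, submitted_code, unix_time):
        if session_id not in self.pending:
            return False
        expected = totp(self.totp_secret, unix_time)
        if not hmac.compare_digest(expected, submitted_code):
            return False
        self.pending.pop(session_id)   # change applied exactly once
        return True


if __name__ == "__main__":
    for flag in (False, True):
        own, other, shown = simulate_concurrent_requests(flag)
        print(f"show_details={flag}: own={own!r} attacker={other!r} website shows {shown}")
```

Running the script prints the two indistinguishable prompts for the blind flow and the two distinguishable ones for the request-bound flow; the TOTP helper can be checked against the RFC 4226/6238 test vectors for the secret `12345678901234567890`.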