My primary bank has recently instituted a requirement for repeat-factor identification during online transactions (not multifactor; it’s just double entry of the same single factor). It’s an annoying interruption to the process, albeit a fairly small one. There is a cost of convenience for any amount of security.
I’ve said it before, though: this is not to protect me and my money: this is to protect the bank and the bank’s money. I am protected (because I live in the US, which is also where my bank is) by federal, which limits my damages from fraudulent charges. The bank, however, is on the hook to pay for anyone using my account in an unauthorized way. So the bank wants to protect itself.
By complicating my transaction.