HSBC always used a token for online banking; you can either order a Secure Key or, for the past year or so, use a mobile authenticator.
The "password/memorable phrase" is only used as a secondary authentication measure and in order to initiate a token recovery procedure on the site.
P.S. I still use the physical OTP token, just got a new one last month. It's a Vasco Digipass 270; it supports up to 8-digit PINs and it locks out automatically after IIRC 5 attempts.
I don't recommend using a phone authenticator, for the sole reason that losing a phone is annoying enough on its own; you don't want to lose your bank account access too :)