TAN, OTP and other forms of Strong Customer Authentication can be challenging. If you look at the PSD2 recommendations (Google PSD2+RTS), SCA requires two of the three elements listed below.
> Where payment service providers apply strong customer authentication in
> accordance with Article 97(1) of Directive (EU) 2015/2366, the authentication based
> on two or more elements categorized as knowledge, possession and inherence shall
> result in the generation of an authentication code.
Visa have an older system of OTP called CAP which generates OTP codes from a Visa chip - but you need additional hardware for this. https://en.wikipedia.org/wiki/Chip_Authentication_Program. CAP proves you have the card (so SCA "possession"), and uses the offline PIN (@Vinz) to provide the SCA "knowledge". The CAP OTP is single use.
Doing CAP over NFC (please excuse the alphabet soup) with the Banking App might not be so easy - and once inside the App, you can change the card PIN all you want. I know SMS can be weak, yet it is still better than paper OTP code lists, and requires no additional hardware.
While the Tomorrow community is all young and hip, and tech savvy, OTP (and SCA) solutions do need to be functional for all customers of any ability, and work reliably all the time.
A whole other discussion is inherence, and how that could work - biometrics being one area that could make NFC OTP a thing. (https://www.thalesgroup.com/en/markets/digital-identity-and-security/banking-payment/cards/emv-biometric-card).
Biometrics, face ID, patterns and fingerprints on the various phones are going to require effort to make them reliable and have low levels of false positives.
Some thoughts and direction from the Tomorrow developers as to what they are planning in the biometrics space would be interesting.
I return you to your regular programming…