Eh, of course no clear text codes are used, the 2FA has its own app with a pin code and challenge/response is encrypted. Again obviously. Man your banks security sucks bad.
I have multiple banks and credit cards and AFAIK, all use sms and/or email, but what you're describing is better, but IME it's not the norm.