SMS/email 2FA codes are already old-fashioned and (relatively) easy for someone to intercept.
A 2FA code generated on a mobile app offline (I use "Authy" but they're all pretty much the same) is the way to go at the moment. Or, like some banks, using biometrics (e.g. FaceID) on BA's mobile app to authenticate both within the app and externally.
Not that it matters; it'll just take us longer to get to a website which doesn't work.