Well, if I wanted to get into your account, apparently I just call the bank and then call you. Any time they ask me something I ask you the same thing and pass it along to them, and you'll faithfully tell me. They trigger the codegen and ask me to read it back and I ask you and you happily tell me. Then I "confirm your account is safe" to you, and continue my call with the bank except now I've authenticated as you.