I always use alternative answers to such questions (first pet etc.), not real answers. You just need to remember what response you use to which question.
I use a Yubikey for everything that will use it. I do not put a mobile phone number in any service, if I can avoid it.
My personal bank uses a smart card reader with optical sensor. I have to plug in my card and hold the device to the screen and the screen shows a “moving” barcode - i.e. a set sequence of stripes that correspond to the account number being transferred to, the amount etc. and the device, combined with a secret set up when the device was initialised, and the card produce a one-time code. The code authorises the payment, but the code is locked to the account number it read from the screen and the amount it read from the screen - and those two pieces of information are shown on the screen of the device for confirmation, before the code is displayed.
If somebody tried to hijack the session in the browser, the account number would be different to the one I entered, or the amount would be different and I wouldn’t enter the authorisation code. If they took the code I entered and tried to use it for a different account or amount, it would fail.
My other bank uses “PhotoTAN”, it displays a multi-coloured QR-Code of the transaction information and the app on the smartphone (you can also buy a separate device to do the same thing) has been initialised by the bank with a secret, by reading an initial coloured QR-Code, which is sent by mail. It then combines the secret with the transaction information on the screen to generate a one-time token to sign the transaction.
These methods have to also be used every time you log onto a new device or after a set period of time on that device (so you can go a month or so without reverifying on the device every time you log on, but at some point, you will need to reverify).
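The transaction binding described in the comment above can be sketched as follows. This is an added example, not part of the original comment and not either bank's actual algorithm: the HMAC-SHA256 construction, the nonce, and all names and values are assumptions made for illustration.

```python
import hashlib
import hmac

def canonical(account: str, amount_cents: int, nonce: str) -> bytes:
    """Encode the fields the device reads from the screen, unambiguously."""
    fields = [account.replace(" ", "").upper(), str(amount_cents), nonce]
    # Length-prefix each field so adjacent fields cannot be shifted into each other.
    return b"".join(len(f.encode()).to_bytes(2, "big") + f.encode() for f in fields)

def transaction_code(secret: bytes, account: str, amount_cents: int, nonce: str) -> str:
    """Six-digit code bound to account, amount and a per-transaction nonce."""
    mac = hmac.new(secret, canonical(account, amount_cents, nonce), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F  # HOTP-style dynamic truncation (assumed scheme)
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"

class Bank:
    """Server side: recomputes the code from the order it actually received."""
    def __init__(self, secret: bytes):
        self.secret = secret
        self.used_nonces = set()

    def authorise(self, account: str, amount_cents: int, nonce: str, code: str) -> bool:
        if nonce in self.used_nonces:
            return False  # each code is one-time
        expected = transaction_code(self.secret, account, amount_cents, nonce)
        if not hmac.compare_digest(expected, code):
            return False  # code was generated for a different account or amount
        self.used_nonces.add(nonce)
        return True

# Constructed sample values, not real account data.
SECRET = b"constructed-device-secret"
PAYEE = "DE00 0000 0000 0000 0000 01"
OTHER = "DE00 0000 0000 0000 0000 02"
NONCE = "txn-0001"

def demo() -> dict:
    bank = Bank(SECRET)
    code = transaction_code(SECRET, PAYEE, 12_500, NONCE)  # what the device shows
    return {
        "other_account": bank.authorise(OTHER, 12_500, NONCE, code),
        "other_amount": bank.authorise(PAYEE, 99_900, NONCE, code),
        "as_confirmed": bank.authorise(PAYEE, 12_500, NONCE, code),
        "replayed": bank.authorise(PAYEE, 12_500, NONCE, code),
    }
```

Only the order the user confirmed on the device is accepted, and only once; the same code presented with a changed account, a changed amount, or a second time is rejected.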