Edit: This is a bit of a train–of–thought post. Jump to the last paragraph if you want.
I’ve never really been bothered by the card reader, especially as I have a couple at home, one at work, and my folks have one too for when I stay there. It’s got to be better than authentication via SMS which I hear is easily spoofed.
I guess they could build it into their app, so there’s less kit to have to cart around. Barclays do this, and First Direct.
In fact, they could just set it up to use Google Authenticator or something (I guess, I’m not a techie.) If that’s good enough to stop people getting into my email/website, it’s good enough for my banking, surely?
Having said all that, Monzo covered the something you have, something you know method in just the app, so Nationwide should just allow payees to be set up within their app without the need for extra hardware.