My biggest question (the PSD2 link in the article is broken) would be why offline 2 factor authentication devices (which many banks have already distributed for their customer-initiated online payments) would not also work for online payments. Even if there were some ambiguous unease about just outright using OAuth-type scannable QR codes and a software token generator, hardware generators (e.g. RSA tokens) are pretty standard fare.