Forum Discussion
Better n'th character and m'th character handling. It's bad having to show pwd in big text.
"About Yubikey: this is an additional thing to implement server side and to give customer support for. Since the existing password-only implementation works and is declared secure by corporate and legal auditors, there is no need for the bank to implement anything more. If the law mandates it, yes, but since it doesn't, no. Implementation+support costs money with no visible return, so it's not done. Refunds due to inferior security are probably less than the costs for a better implementation. Banks don't advertise with "we have the best login security". They advertise with their banking products instead."
Opportunity missed, IMO. And I cannot believe the overall ROI is negative, both in terms of stolen money being refunded, desperately unhappy customers impacted and damage to reputation. And missed opportunity. I think it's laziness and perhaps a fear of increased customer support overhead with clueless customers locking themselves out of their accounts more frequently.