My bank in Ireland (Ulster Bank) has a notice on the login page: "You will NEVER need your card reader [their 2FA] to log in". Last year they changed their login flow so you are asked to use your card reader to log in. I complained about it on Twitter but got a meaningless response about customer safety/new regulations.

If they wanted to train their customers to be phished, I can't think how they could do a better job.