They can only really be a second factor in the login process. The problem is they can be stolen/lost.

The general rule for secure 2 factor authentication is "something you have, something you know". That HSBC device (and the devices that you insert your debit/credit card into) serves as the "something you have", you still need a password for the "something you know" side.

Devices like that protect your account (in theory*) if someone has got your password, but they can't be the only authentication factor.

* there have been plenty of cases where accounts have been protected by two factor authentication, but the account has still been hijacked because the service protected by the password provides a "call a human in a call centre and beg" fallback mechanism which can then fall victim to social engineering
_________________________
Remind me to change my signature to something more interesting someday