The general rule for secure 2 factor authentication is "something you have, something you know". That HSBC device (and the devices that you insert your debit/credit card into) serves as the "something you have", you still need a password for the "something you know" side.
Devices like that protect your account (in theory*) if someone has got your password, but they can't be the only authentication factor.
Yes, we use 3 banks and all have a combo of pwd/device
there have been plenty of cases where accounts have been protected by two factor authentication, but the account has still been hijacked because the service protected by the password provides a "call a human in a call centre and beg" fallback mechanism which can then fall victim to social engineering
Call centre and beg has never worked for me.