Originally posted by Snowhog
Originally posted by Teunis
1. Create an email with a specially-crafted URL and send it to your victim
2. When victim clicks the email, it directs the browser to evil-site.bad
3. evil-site.bad proxies the connection request to the bank -- you'll never see this
4. Your bank login appears
5. You sign in, feeling super secure because you had to do the 2FA dance
6. Your bank thinks you're signed in and starts communicating with your browser
7. But wait...everything's going through the evil-site.bad proxy, remember?
8. Now that you're logged in and have a session token, the bad guy can take over
9. Bad guy performs transactions
Fixing this is not hard: simply require the 2FA again for each transaction. Entire classes of attacks could be eliminated by moving from session authentication to transaction authentication. And it really isn't necessary for banks to invest in hardware tokens for this. Simply have each customer register his/her mobile phone, and send a challenge via SMS to the phone. Require the user to enter a response during the transaction.
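As an added illustration of the transaction-authentication idea above (example code, not from either poster, and not any bank's implementation), here is a toy back end in which a login only yields a session token, while every transfer must be confirmed with a short code that the server derives from that transfer's own details (payee, amount, a fresh nonce) and sends to the registered phone. The SMS gateway, the account names, the session store and the `SERVER_SECRET` key are all hypothetical; the outbox list stands in for the phone.

```python
import hmac
import hashlib
import secrets
import time
from dataclasses import dataclass

# Hypothetical toy bank back end for the added example (assumed values, not a real system).
SERVER_SECRET = secrets.token_bytes(32)   # per-deployment key used to derive challenge codes
CODE_TTL = 120                            # seconds a challenge stays valid
MAX_ATTEMPTS = 3                          # wrong guesses before the pending transfer is voided


@dataclass
class PendingTransfer:
    txn_id: str
    user: str
    payee: str
    amount_cents: int
    nonce: bytes
    created: float
    attempts: int = 0


sessions: dict[str, str] = {}                 # session token -> user (what the proxy steals)
phones: dict[str, str] = {"alice": "+15550100"}   # constructed: registered phone per customer
pending: dict[str, PendingTransfer] = {}      # txn_id -> transfer awaiting its code
sms_outbox: list[tuple[str, str]] = []        # (phone number, message): simulated SMS gateway


def login(user: str) -> str:
    """Session authentication: happens once per login (the 2FA dance is assumed done)."""
    token = secrets.token_urlsafe(32)
    sessions[token] = user
    return token


def challenge_code(t: PendingTransfer) -> str:
    """6-digit code bound to this one transfer's details, so it authorizes nothing else."""
    msg = f"{t.txn_id}|{t.user}|{t.payee}|{t.amount_cents}".encode() + t.nonce
    digest = hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def initiate_transfer(session_token: str, payee: str, amount_cents: int, now=None) -> str:
    """Anyone holding the session token can start a transfer; only the phone can finish it."""
    user = sessions[session_token]            # KeyError means no valid session
    now = time.time() if now is None else now
    t = PendingTransfer(secrets.token_hex(8), user, payee, amount_cents,
                        secrets.token_bytes(16), now)
    pending[t.txn_id] = t
    # The SMS spells out what is being authorized; the person holding the phone can read
    # a payee or amount they did not enter and refuse to type the code.
    sms_outbox.append((phones[user],
                       f"Confirm transfer of {amount_cents / 100:.2f} to {payee} "
                       f"with code {challenge_code(t)}"))
    return t.txn_id


def confirm_transfer(session_token: str, txn_id: str, code: str, now=None) -> bool:
    """Transaction authentication: the code is single-use, time-limited and attempt-limited."""
    user = sessions[session_token]
    t = pending.get(txn_id)
    if t is None or t.user != user:
        return False
    now = time.time() if now is None else now
    if now - t.created > CODE_TTL:
        del pending[txn_id]
        return False
    t.attempts += 1
    ok = hmac.compare_digest(code, challenge_code(t))
    if ok or t.attempts >= MAX_ATTEMPTS:
        del pending[txn_id]        # consumed on success; voided after too many wrong guesses
    return ok


def attacker_with_stolen_session(token: str) -> bool:
    """The post's scenario: the attacker holds a live session token but not the phone."""
    txn = initiate_transfer(token, "mule-account", 250_000)
    # The SMS with the real code went to the victim's phone, not to the attacker, who can
    # only guess. For a deterministic demo we submit a code that is known to be wrong.
    real = challenge_code(pending[txn])
    wrong = f"{(int(real) + 1) % 1_000_000:06d}"
    return confirm_transfer(token, txn, wrong)
```

The point the toy makes: a session token captured by the proxy lets the attacker *start* a transfer, but the code that finishes it is computed over the payee and amount of that specific transfer and delivered to the registered phone, so a code the victim types for their own transfer cannot be replayed against the attacker's, and the attacker's attempt announces itself with an unexpected SMS. This only holds if the message shows the details and the customer actually reads them before responding; whether SMS delivery itself can be trusted is a separate question this example does not address.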