The best security is off course to don't allow any access... But many bunqers wished for a fallback when their phone got somehow unavailable, for instance to block their cards.
Any access method has its flaws and we can all find better methods that provide more security. The problem however is that most of these methods may be more secure, but are less user friendly. Those whom know these methods are more likely to be advanced users and thus will manage to use these more secure methods. As a large part of the users are on a more elementary level, they will have problems to use these more advanced methods. In fact, they won't be able to use them at all and thus having no access. The feature would be useless as most users will not be able to use it. The problem is that most untrustworthy people are advanced users and would be the only ones to obtain access, which you off course would not want either.
So we could all come up with more advanced security, but have to bear in mind that access has to be user friendly to all users. I think bunq did a great job: the easy way is off course the QR-code, the fallback is a 'magic link' to the email which has its own security (the email client), with a one-off link (which I guess has a time out) and the 6-digit code (which I presume is only active during the time out of the magic link). Brute force attack will be blocked by a limited amount of attempts..
So to gain access via email I would have to have access to the email, have to know whether there is a magic link active and would have to know the code... I could off course create a magic link when I have the email credentials, but I would still have to know the code. When others know this code, it's a security breach of its own, and a PEBCAK-issue, same goes for easy to guess codes such as birthdates.
Engineers can not work around PEBCAK as it either makes the solution not user friendly, or the solution has flaws due to PEBCAK.
