
hvb2, last Monday at 9:53 AM

Even better, the system that Rabobank has.

They make you use this separate device to scan a color QR code generated by the app. The details of the transaction you're authorizing are then displayed on this completely decoupled device, no internet, nothing. After keying in your PIN you're given an OTP to put back into the app to authorize.

And I haven't checked, but I'm sure the 'payload' the QR code conveys is signed.
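
The flow described in the comment above, sketched as an added example that is not part of the original comment and is not Rabobank's actual protocol. Assumptions: an HMAC stands in for the payload signature, the keys, PIN and field names are constructed, and the OTP is derived from the transaction details so that a code issued for one transfer cannot authorize another.

```python
import hashlib
import hmac
import json

# Constructed demo keys (assumptions): a real device keeps its secret in hardware,
# and a real payload would likely carry an asymmetric signature, not a shared-key MAC.
BANK_PAYLOAD_KEY = b"demo-bank-payload-key"
DEVICE_KEY = b"demo-per-customer-device-key"


def canonical(tx: dict) -> bytes:
    """Serialize the transaction deterministically so both sides MAC the same bytes."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def bank_make_qr(tx: dict) -> dict:
    """Bank side: what the app would render as a QR code (details plus authenticity tag)."""
    tag = hmac.new(BANK_PAYLOAD_KEY, canonical(tx), hashlib.sha256).hexdigest()
    return {"tx": tx, "tag": tag}


def otp_for(tx: dict) -> str:
    """6-digit code derived from the transaction details, HOTP-style truncation."""
    digest = hmac.new(DEVICE_KEY, canonical(tx), hashlib.sha256).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


def device_scan(qr: dict, pin: str, stored_pin: str = "1234") -> str:
    """Offline device: verify the payload, show the details, check PIN, emit the OTP."""
    expected = hmac.new(BANK_PAYLOAD_KEY, canonical(qr["tx"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, qr["tag"]):
        raise ValueError("payload tag invalid, refusing to display")
    print("Authorize:", qr["tx"])  # the user reads this on the device screen
    if not hmac.compare_digest(pin, stored_pin):
        raise PermissionError("wrong PIN")
    return otp_for(qr["tx"])


def bank_verify(tx: dict, otp: str) -> bool:
    """Bank side: recompute the OTP over the transaction it is about to execute."""
    return hmac.compare_digest(otp_for(tx), otp)
```

Including a per-transaction nonce in the payload, as the test input does, keeps an OTP from being reusable for an identical later transfer.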