he and I can still log in to our bank accounts from his computer without anyone stealing our passwords. It's a new one-time code every time, generated by the physical authenticator.
These sorts of things generally only work in the model where there is some central party to validate the authenticator response (and said central authority has the freedom to steal all your funds without the token); they also don't protect against more sophisticated malware that waits for you to log in and then takes over. (And I've heard reports of this kind of thing being used against mtgox, for example: you think you're YubiKey-authorizing a withdrawal to address A, but it's really swapped out the form with address B.)
Hardware wallets like Trezor will largely fix this (https://bitcointalk.org/index.php?topic=122438.0).
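The distinction in the reply above (a one-time code proves the user is present, but does not cover what they actually approved, whereas a hardware wallet signs the transaction it displayed) as an added illustration, not code from this thread or from any wallet vendor. The HOTP routine follows RFC 4226; the wallet signature is an HMAC stand-in assumed here in place of a real ECDSA signature, and all secrets and addresses are constructed.

```python
import hashlib
import hmac
import struct

# Constructed demo secrets; not real keys.
TOKEN_SECRET = b"constructed-otp-token-secret"
WALLET_SECRET = b"constructed-hardware-wallet-secret"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: the code is bound only to the counter, not to any transaction."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def server_accepts_otp(counter: int, code: str, withdrawal: dict) -> bool:
    """Central party: verifies the code; the withdrawal fields are never covered by it."""
    return hmac.compare_digest(hotp(TOKEN_SECRET, counter), code)


def wallet_sign(tx: dict) -> str:
    """Stand-in for a hardware wallet signing exactly what it showed on its own display.
    HMAC-SHA256 is an assumption used here in place of the wallet's ECDSA signature."""
    msg = f"{tx['to']}|{tx['amount']}".encode()
    return hmac.new(WALLET_SECRET, msg, hashlib.sha256).hexdigest()


def network_accepts_tx(tx: dict, sig: str) -> bool:
    """Verifier recomputes the signature over the submitted transaction fields."""
    return hmac.compare_digest(wallet_sign(tx), sig)


def form_swap(tx: dict) -> dict:
    """Simulated form swap from the reply: the user saw address A, the form carries B."""
    return {**tx, "to": "B"}


def run_demo():
    intended = {"to": "A", "amount": 5}
    # OTP model: the user types a valid code believing the withdrawal goes to A.
    code = hotp(TOKEN_SECRET, 1)
    otp_accepted = server_accepts_otp(1, code, form_swap(intended))
    # Hardware wallet model: the device signed the tx it displayed; the swap breaks it.
    sig = wallet_sign(intended)
    hw_accepted = network_accepts_tx(form_swap(intended), sig)
    return otp_accepted, hw_accepted


if __name__ == "__main__":
    print(run_demo())  # (True, False): OTP passes the swapped form, signature rejects it
```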