I have a similar issue with 3D Secure, or whatever it is called, for credit cards. They open in an iframe and ask for a password or a token sent via email.
The password case is actually fine on Firefox. The built-in password manager recognizes the domain in the iframe and fills in the password. (So I know that I am being phished if it doesn't auto-fill.) However, the emailed token approach provides no security. I have no way of knowing if I am interacting directly with my bank or via a MITM.