It’s normally an additional password/code, so it’s probably stored in plaintext.

The random character selection is what makes it useful. Stops someone who just captured your details from logging straight in (probably).

2FA is superior in every way to it. Most have now switched to sending you a chip & pin card reader to generate OTPs.

A lot of banks in the UK do it. They normally have a secondary pin that they will ask for 2 or 3 characters of.

This means that if you log in and get keylogged/shoulder surfed etc they don’t get the full pin. The next time you login you will get asked for different characters.

Not great, but not awful either - going away now that 2fa is more common

Is the picture that has the sign on it ON the roundabout or on the approach?