I think there should be a web app as well as the mobile app. The web app should use TOTP ( https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm) for security.
I often want to manage my card, but don’t want to have to fart around doing that on my phone. This is particularly critical for support requests, as I’ve found the app crashed and I couldn’t use the in app chat on my phone.
The nuts and bolts of the mobile app is very basic, so could be implemented within a web view, then the same app could be rolled out across iPhone, Windows Phone, Android and the web.