Here's a blog entry from a PhD student who showed how a phishing attack would successfully work against Bank of America's SiteKey Service. As the blog says ""[W]hen you see your SiteKey, you can be certain you're at the valid Online Banking website at Bank of America, and not a fraudulent look-alike site. Only enter your Passcode when you see the SiteKey image and image title you selected."" Thus, it's a form of authentication.
The student has posted a video of the attack.
Stronger authentication doesn't mean that phishing attacks won't occur. With a man in the middle attack, it usually means that the criminal takes the information and passes it on to the real website which then sends the fake website the images, which in turn then displays them to the user. Thus the security features are broken since the user then enters in their id and pin authentication numbers which the criminal can use to masquerade as the user.