May vary by institution, but both banks I have accounts with also support having a robot call my phone where I can confirm the login. That should at least work with WiFi calling.

I absolutely cannot stand that no bank I have (US) supports generic TOTP, which is more secure and easier to recover from backup if my phone is broken or stolen.

It's inexcusable.

I've been using Citi and Discover for years with a Google Voice number. Possibly I've been grandfathered in though?

We actually had it that way on accident in a few of our applications - we had a `#isTextable(e164)` function that would do a carrier lookup and voip carriers sometimes returned as landlines or as arbitrary values that didn't mean mobile. We eventually did some work to refine that function to be smarter and actually better represent if the number was textable. At least for us, it wasn't a conscious decision, it was a gate being aggressive in our SMS pipeline.

> It’s insane to me that maybe every bank I use requires SMS 2FA, but random services I use support apps.

It never ceases to surprise me how much American banks always seem to lag behind with regards to payment tech. My (european) bank started sending hardware TOTP tokens to whoever requested one like a decade ago. They've since switched to phone app MFA.