I absolutely cannot stand that no bank I have (US) supports generic TOTP, which is more secure and easier to recover from backup if my phone is broken or stolen.
It's inexcusable.
TOTP is alright for logins, but it's generally very phishable. For transaction confirmation, not being able to tie a code to a given recipient and amount is somewhat of a dealbreaker.
Fwiw, Symantec VIP is TOTP under the hood, and you can extract the seed with some hackery. There is at least one financial institution in the US that uses that.
TOTP is only marginally more secure. It defends against SIM swaps but it still loses to phishing, which is far more common than SIM swaps.
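The two points above (a plain TOTP code cannot be tied to a recipient and amount, and a relayed TOTP code still passes a phishing check) can be seen side by side in code. This is an added example, not code from any commenter: an RFC 6238 TOTP implementation next to an assumed, illustrative transaction-bound code scheme (`transaction_code`, not a standard) where the recipient and amount are mixed into the HMAC input. The seed is the RFC 6238 SHA-1 test-vector seed, and the payee names and amounts are constructed for the demo.

```python
import hashlib
import hmac
import struct

# Constructed demo seed: the RFC 6238 test-vector secret, not a real key.
SECRET = b"12345678901234567890"
STEP = 30      # seconds per time step
DIGITS = 6


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: take 4 bytes at an offset given by the last nibble."""
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, digits)


def totp(secret: bytes, unix_time: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check: accept the current step and +/- `window` neighbours for drift.
    Note what is absent: nothing says *what* the code authorises."""
    counter = unix_time // STEP
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


def transaction_code(secret: bytes, recipient: str, amount_cents: int, unix_time: int) -> str:
    """Assumed transaction-bound scheme (illustrative, not a standard): the HMAC input is
    the time counter plus the recipient and amount, so a code issued for one payment
    does not verify for any other."""
    counter = unix_time // STEP
    msg = struct.pack(">Q", counter) + f"{recipient}|{amount_cents}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return _truncate(mac, DIGITS)


def verify_transaction_code(secret: bytes, code: str, recipient: str, amount_cents: int,
                            unix_time: int, window: int = 1) -> bool:
    """The server recomputes the code from the transaction it is actually about to execute."""
    return any(hmac.compare_digest(
                   transaction_code(secret, recipient, amount_cents, unix_time + d * STEP), code)
               for d in range(-window, window + 1))


def phishing_comparison(unix_time: int = 1_700_000_000) -> dict:
    """Model the relay: the user computes a code for the payment they intend (alice, $50.00)
    and hands it to a site they believe is the bank; the relaying party then submits it
    for a different payee. Returns whether each server-side check accepts the relayed code."""
    intended = ("alice", 5000)
    substituted = ("mallory", 5000)
    plain = totp(SECRET, unix_time)
    bound = transaction_code(SECRET, *intended, unix_time)
    return {
        # plain TOTP carries no transaction context, so the relayed code passes for anything
        "plain_totp_accepted_for_substituted": verify_totp(SECRET, plain, unix_time),
        "bound_code_accepted_for_intended": verify_transaction_code(SECRET, bound, *intended, unix_time),
        "bound_code_accepted_for_substituted": verify_transaction_code(SECRET, bound, *substituted, unix_time),
    }


if __name__ == "__main__":
    print(totp(SECRET, 59))          # RFC 6238 vector, 6 digits: 287082
    print(phishing_comparison())
```

The bound variant only helps if the user's device displays the recipient and amount it is signing over, so the user can notice a mismatch; that is what the "what you see is what you sign" class of transaction-confirmation devices provides and a generic TOTP app cannot.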
Although they don't offer TOTP, I've noticed growing support for Passkeys which is a step in the right direction.
My brokerage supports TOTP but not my bank. My bank does support Yubikey-type devices though.
Copper State Credit Union supports passkeys.
This is probably compliance-related. For me, TOTP isn’t “something I have”, it’s another thing I toss into my password manager and sync to all devices.
I really agree with it, but that’s probably their rationale.