Hacker News

tgsovlerkhgsel, last Thursday at 9:22 PM

In the EU, banks are AFAIK banned from using SMS 2FA, and the 2FA needs to be tied to the specific transactions. Which nowadays de facto means a bank-specific (sometimes country-specific) 2FA app, possibly with the alternative option of purchasing a pricey dedicated 2FA device.


Replies

lxgr, last Friday at 8:55 AM

> In the EU, banks are AFAIK banned from using SMS 2FA

That's not the case, but SMS-OTP only counts as one "possession" factor, leaving only "knowledge" or "inherence" for the second one, and both are awkward to ask for in a payments flow. (You don't want to train users to enter their bank's password at a merchant site, and biometry/inherence isn't easily possible from an untrusted device.)

By contrast, doing biometry on a linked device provides two factors (possession of the device and inherence), and is significantly cheaper than SMS too. SMS in Europe can be pricey!

As a tangent, they are in fact banned from using email as a factor, which I find infuriating – my mailbox seems much better protected than my SIM card or phone number, which is one successful attempt at social engineering away from being swapped out or ported away. The SMS industry must be pretty good at lobbying.
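An added illustration (not code from this thread, and not any bank's or RSA's actual scheme) of the "tied to the specific transactions" requirement in the top comment and of the possession-only nature of an SMS or keychain OTP that lxgr describes: a plain RFC 4226 HOTP next to a hypothetical transaction-bound code that MACs payee and amount together with the counter. DEVICE_SECRET, the payee strings and the message layout are constructed for the demo.

```python
import hashlib
import hmac
import struct

# Constructed demo secret (the RFC 4226 test-vector key, ASCII "12345678901234567890").
# A real token or bank app holds its own secret, which never leaves the device.
DEVICE_SECRET = b"12345678901234567890"


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: 4 bytes at a data-dependent offset, mod 10^digits."""
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Plain event-based OTP (what a keychain token or SMS code amounts to).
    It proves possession of the secret but says nothing about any transaction."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, digits)


def transaction_code(secret: bytes, payee: str, amount_cents: int, counter: int,
                     digits: int = 8) -> str:
    """Hypothetical transaction-bound code: the MAC input includes payee and amount,
    so the code only authorises exactly the transaction shown on the device."""
    msg = struct.pack(">Q", counter) + payee.encode("utf-8") + b"|" + str(amount_cents).encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return _truncate(mac, digits)


def verify_plain(secret: bytes, counter: int, code: str) -> bool:
    """Server-side check for a plain OTP: the transaction details play no part."""
    return hmac.compare_digest(hotp(secret, counter), code)


def verify_transaction(secret: bytes, payee: str, amount_cents: int, counter: int,
                       code: str) -> bool:
    """Server-side check: recompute over the details the server is about to execute.
    If payee or amount were altered after the user approved, this fails."""
    expected = transaction_code(secret, payee, amount_cents, counter)
    return hmac.compare_digest(expected, code)


if __name__ == "__main__":
    # User approves 100.00 EUR to one payee; the amount is then changed in transit.
    approved = transaction_code(DEVICE_SECRET, "DE00 DEMO PAYEE", 10_000, counter=1)
    print(verify_transaction(DEVICE_SECRET, "DE00 DEMO PAYEE", 10_000, 1, approved))
    print(verify_transaction(DEVICE_SECRET, "DE00 DEMO PAYEE", 900_000, 1, approved))
    print(verify_plain(DEVICE_SECRET, 1, hotp(DEVICE_SECRET, 1)))  # accepted for any amount
```

The HOTP values for counters 0, 1 and 2 with this key match the RFC 4226 test vectors, so the plain-token half can be checked against the standard.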

rsync, last Thursday at 9:36 PM

For the sake of completeness I will mention that one US bank that I use, Wells Fargo, issues the classic RSA keychain tokens:

https://www.wellsfargo.com/biz/online-banking/securid/

... which is quite simple and cheap ... and can be used in place of SMS 2FA.

The fact that these tokens exist and are so simple to deploy and use really deflates any claim (by banks) that banking and/or auth apps are required. It causes one to consider what the real motivation is behind the bank desperately pushing customers away from the simple and adequate web service towards the apps.
