[auxym]

To my knowledge none of the big canadian banks support U2F or TOTP.

Accounts can also be used to log in to the CRA website.

[flyGuyOnTheSly]

When you sign up to CRA's online control panel... they actually make you tick a box that says in essence:

"we're not responsible if we get hacked and lose all of your CRA related data to some random hacker... that's your fault"

[miketery]

CRA = Canada Revenue Agency (Canada's IRS)

[kazinator]

= CCRA: Canada Customs and Revenue Agency

[himom]

Grrr. Google Authenticator and such are free. It would be mostly user support costs to deploy. Heck, could even SMS or robodial (Twilio etc) a TOTP code for people without smartphones.

[shawnz]

> Heck, could even SMS or robodial (Twilio etc) a TOTP code for people without smartphones.

SMS is not secure for this purpose since there are many attacks which allow you to sniff SMS messages.

[icebraining]

There's no need for that, TOTP runs everywhere, including J2ME apps installed from WAP.