by ar0
2950 days ago
Even TOTP is not a good 2FA system for a bank login, at least if that account allows you to send money somewhere: TOTP codes do not differentiate by transaction type, so if a fraudster has taken over your computer, it can wait for you to log in using TOTP and then send a wire transfer in the background (using the same TOTP quickly enough if necessary or just asking you to log in again, pretending your first code was wrong). That’s why proper banks should use 2FA mechanisms that will ask the user to confirm the transaction on a second device (e.g. photoTAN or similar). Of course, this won’t help against attacks if both devices are compromised or you are using the second factor device to access the system, but it’s still better than TOTP. And, of course, TOTP is still way better than SMS 2FA or no 2FA.
Unless of course your bank does some proper, additional verification for large volume transfers.
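The property the comment describes, shown as an added example that is not part of the original post or of any real bank or photoTAN implementation: a standard RFC 6238 TOTP code carries no information about the action it authorises, so a code captured at login verifies for any transfer in the same 30-second window, whereas a confirmation code whose MAC input includes the payee and amount (a simplified stand-in for what a transaction-signing second device computes) only verifies for the transaction the user actually saw. The key, payees and amounts are constructed sample values.

```python
import hmac
import hashlib
import struct

SECRET = b"constructed-demo-key-not-a-real-secret"  # constructed: shared by user device and bank
STEP = 30      # TOTP time step in seconds
DIGITS = 6     # code length

def _truncate(mac: bytes) -> str:
    # Dynamic truncation from RFC 4226: 4 bytes at an offset chosen by the last nibble.
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

def totp(secret: bytes, now: int) -> str:
    # RFC 6238 TOTP: HMAC-SHA1 over the time-step counter only. Nothing about the
    # action (login vs. wire transfer) goes into the MAC, which is the weakness above.
    counter = struct.pack(">Q", now // STEP)
    return _truncate(hmac.new(secret, counter, hashlib.sha1).digest())

def transaction_code(secret: bytes, now: int, payee: str, amount_cents: int) -> str:
    # Transaction-bound code (simplified illustration, not a real photoTAN scheme):
    # the payee and amount the user is shown on the second device are part of the MAC input.
    msg = struct.pack(">Q", now // STEP) + f"{payee}|{amount_cents}".encode()
    return _truncate(hmac.new(secret, msg, hashlib.sha256).digest())

def bank_accepts_totp(secret: bytes, now: int, code: str, _action: dict) -> bool:
    # The bank can only check the clock window; the submitted action is irrelevant to the check.
    return hmac.compare_digest(totp(secret, now), code)

def bank_accepts_transaction(secret: bytes, now: int, code: str, action: dict) -> bool:
    # The bank recomputes the code over the transaction it is asked to execute.
    expected = transaction_code(secret, now, action["payee"], action["amount_cents"])
    return hmac.compare_digest(expected, code)

def demo(now: int = 1_700_000_000) -> dict:
    # Constructed scenario: the user confirms a small transfer; malware on the PC swaps in another.
    intended = {"payee": "DEMO-PAYEE-1", "amount_cents": 2500}
    substituted = {"payee": "DEMO-PAYEE-2", "amount_cents": 900_000}
    login_code = totp(SECRET, now)
    confirm_code = transaction_code(SECRET, now, intended["payee"], intended["amount_cents"])
    later = now + 5  # still inside the same 30-second step
    return {
        "totp_reused_for_transfer": bank_accepts_totp(SECRET, later, login_code, substituted),
        "bound_code_on_intended": bank_accepts_transaction(SECRET, later, confirm_code, intended),
        "bound_code_on_substituted": bank_accepts_transaction(SECRET, later, confirm_code, substituted),
    }
```

The `totp` function reproduces the RFC 6238 SHA-1 test vector (secret `12345678901234567890`, T=59 gives `94287082`, i.e. `287082` at six digits), so the contrast is against a standards-conformant TOTP rather than a toy.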