by varrock 2801 days ago
> Say for example they do in fact mandate 2FA for all banks. But then all banks rush out various implementations to meet the requirements. Some provide SMS-based solutions which have known security risks, some provide codes that don't lock out, some do everything right but now people who can't get a 2FA app (those who don't have smartphones for example) can't access online banking any more. There are accessibility concerns.

I'm not qualified to speak on this subject, but these are excellent points. Could you expand on any other implementations that sound like a great idea on the surface, but would have limitations? It sounds like accessibility is just one of many concerns. I'm itching to hear more.


Those are just off the top of my head, and I'm not an expert on 2FA either. If we're talking about alternative solutions to someone logging in as someone else, you still have to provide a "2FA" solution because "2-factor" is a description of the problem to be solved (the multi-factor authentication problem) - to prove who you are in high-security situations it's insufficient to just provide something you know, i.e. a password, because someone else can learn that thing. Thus you must provide "something you have", i.e. proving you possess your phone via 2FA apps, or "something you are" via biometrics a la Face ID. There are alternative solutions to this like USB 2FA tokens or those little pin-pads that banks provide you that are already required by most banks in order for you to access your account. Other options are proving email ownership via access links like Slack does, automated phone calls, probably some other venues. But the fundamental requirement to boost password security is to provide a non-knowledge-based proof of identity.
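The quoted comment mentions banks that ship "codes that don't lock out". As an added example (not code from either commenter), here is a minimal server-side TOTP verifier that adds the two checks a bare code comparison lacks: a failure counter with lockout, and a high-water mark on the time step so an already-accepted code cannot be replayed within its window. The secret is the RFC 4226/6238 test-vector key; the class name and thresholds are illustrative choices.

```python
import hashlib
import hmac
import struct

# RFC 4226 HOTP: dynamic truncation of HMAC-SHA1 over the 8-byte counter.
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

# RFC 6238 TOTP: HOTP over the number of `step`-second intervals since the epoch.
def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    return hotp(secret, now // step, digits)

class TotpVerifier:
    """Illustrative verifier: lockout after repeated failures (a 6-digit space is
    tiny without one) and rejection of a code whose step was already accepted."""

    def __init__(self, secret: bytes, max_failures: int = 5,
                 lockout_seconds: int = 300, window: int = 1, step: int = 30):
        self.secret, self.step, self.window = secret, step, window
        self.max_failures, self.lockout_seconds = max_failures, lockout_seconds
        self.failures = 0
        self.locked_until = 0
        self.last_counter = -1  # highest time step already used successfully

    def verify(self, code: str, now: int) -> tuple:
        if now < self.locked_until:
            return False, "locked"  # refuse even a correct code while locked
        if self.locked_until:
            self.locked_until, self.failures = 0, 0  # lockout has expired
        # Accept +/- `window` steps to tolerate clock drift, nothing wider.
        for drift in range(-self.window, self.window + 1):
            counter = now // self.step + drift
            expected = hotp(self.secret, counter)
            if hmac.compare_digest(expected, code):  # constant-time compare
                if counter <= self.last_counter:
                    return False, "replay"
                self.last_counter = counter
                self.failures = 0
                return True, "ok"
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked_until = now + self.lockout_seconds
        return False, "mismatch"
```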