by tialaramex 2121 days ago
TOTP can be phished (there is even ready-to-use proof-of-concept software for building a TOTP phishing site), so it's a pretty poor choice.

https://breakdev.org/evilginx-2-next-generation-of-phishing-...

Instead banks should use WebAuthn. WebAuthn's credentials are directly bound to the DNS name. So anything that involves fooling the human like a phishing site can't work. The only site your authenticator can give the real-bank.example credentials to is... real-bank.example.


SMS 2FA can also be phished, so TOTP would still be better and WebAuthn is such a complete paradigm shift that it would take many years for banks to implement it. TOTP is so stupidly simple they could roll it out in a month, audits and all.

Not to mention that in order to have a decent WebAuthn experience, you need a Yubikey with NFC, which go for $30-60 if I remember correctly. Cost of authenticators is why everyone switched away from RSA SecurID.

WebAuthn for relying parties (what the bank is in this scenario) just isn't very hard. And you don't end up with any long term secrets at all, so that makes the security story easier. But I sadly do not expect banks to adopt it anyway.

I don't see what a Yubikey with NFC is getting you here. For a laptop/desktop user any of the Security Key products in an appropriate USB form factor (USB-C for some newer laptops, otherwise USB-A) would be suitable.

The high-end phones are, or in the case of the iPhone very shortly will be, WebAuthn platform authenticators; there's nothing extra to buy. Apple released a video of the pleasant UX journey they want to promote. Obviously, being Apple, it doesn't actually say this would work on non-Apple devices, but I use it already so I know it does.
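The two claims in this thread worth seeing in code are that WebAuthn credentials are bound to the DNS name (first post) and that the relying-party side "just isn't very hard" (the reply above). What follows is an added example, not code from any of the commenters: the relying-party checks a bank's server performs on an assertion before it verifies the signature, using the real WebAuthn byte layout for authenticatorData (rpIdHash || flags || signCount) and the real clientDataJSON fields. The RP ID real-bank.example, the challenge value and the sample assertions are constructed. Signature verification with the stored public key is the one step not shown; the function returns the exact bytes the signature covers (authenticatorData || SHA-256(clientDataJSON)), which is why the origin string cannot be swapped after the authenticator has signed.

```python
import hashlib
import json
import struct

# Constructed relying-party configuration for the example.
RP_ID = "real-bank.example"
ALLOWED_ORIGINS = {"https://real-bank.example"}

FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified


def build_client_data(origin: str, challenge_b64url: str) -> bytes:
    """clientDataJSON as the *browser* assembles it for navigator.credentials.get().
    The browser fills in the origin; page script never gets to choose it."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": challenge_b64url,
                       "origin": origin}).encode()


def build_authenticator_data(rp_id: str, sign_count: int,
                             flags: int = FLAG_UP | FLAG_UV) -> bytes:
    """authenticatorData: rpIdHash (32 bytes) || flags (1) || signCount (4, big-endian)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def check_assertion(client_data_json: bytes, authenticator_data: bytes,
                    expected_challenge: str, last_sign_count: int):
    """Relying-party checks that precede signature verification.
    Returns (ok, reason, signed_bytes); signed_bytes is what the stored public key must verify."""
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON", None
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type", None
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replay or wrong session)", None
    if client_data.get("origin") not in ALLOWED_ORIGINS:
        # This is the phishing-resistance check: a code relayed from another site carries
        # that site's origin, and the signature below covers this JSON, so it cannot be edited.
        return False, "origin %r is not the bank's origin" % client_data.get("origin"), None
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short", None
    rp_id_hash, flags = authenticator_data[:32], authenticator_data[32]
    sign_count = struct.unpack(">I", authenticator_data[33:37])[0]
    if rp_id_hash != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match the bank's RP ID", None
    if not flags & FLAG_UP:
        return False, "user presence flag not set", None
    if sign_count != 0 and sign_count <= last_sign_count:
        return False, "signature counter did not increase (possible cloned authenticator)", None
    signed_bytes = authenticator_data + hashlib.sha256(client_data_json).digest()
    return True, "ok", signed_bytes


if __name__ == "__main__":
    challenge = "c2VydmVyLWNoYWxsZW5nZQ"  # constructed; a real RP draws this from a CSPRNG per login
    auth_data = build_authenticator_data(RP_ID, sign_count=5)
    for origin in ("https://real-bank.example", "https://real-bank.example.phish.example"):
        ok, reason, _ = check_assertion(build_client_data(origin, challenge), auth_data, challenge, 4)
        print(origin, "->", ok, reason)
```

In practice the phishing case never even reaches this function: the browser refuses to run the ceremony unless the RP ID is a registrable suffix of the page's own domain, so a look-alike site cannot ask an authenticator for real-bank.example's credential at all. The server-side origin and rpIdHash checks are the backstop, and together with the per-login challenge they are the whole of the "no long-term secrets" story on the bank's side: the server stores only a public key and a counter.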