by givehimagun 1923 days ago
My bank (USAA) decided to switch their 2FA away from SMS a while ago. They only do email or the USAA app auth code. I love it and I feel much safer with them because of it. Let's start to move away - yes!
3 comments

What did they switch to? I've been wanting to use my U2F token for my bank account for a while but haven't seen any that support that yet.
Should be optional.

I feel equally threatened by a potentially weak bank app running on my phone all the time as I would by my carrier giving away the keys to the castle.

If only there were any perfectly good open standards for 2FA that were implemented by numerous free apps and/or secure hardware tokens...
TOTP is not good enough for banking where you really want to confirm specific transactions, not generate codes that an active attacker intercepting your session could use to do anything.
Fair point, but if one declines to install their proprietary apps it just falls back to SMS verification which is obviously terrible.

Kraken (a cryptocurrency exchange) allows you to set up one TOTP token for regular logins, and another, separate one for withdrawals... obviously not as good as individual confirmations but still a heck of a lot better than SMS!

It is optional. I'm a USAA customer as well, here's a screenshot from thirty seconds ago: https://i.imgur.com/boA4dc1.png
Email is much worse than SMS.
It could be better if the sender's SMTP server forced the use of TLS. Most emails are now sent encrypted but it isn't usually enforced.

If you control your own receiving server then it would be hard for someone to intercept the message.

That's not why it's bad.

It's bad because 85% of the use case of 2FA is people using bad passwords. If you use a bad password in one place, you probably are also doing so on your email.