Hacker News
by wmf 1262 days ago
Are there any US banks that are actually secure? AFAIK they're all using SMS 2FA or worse.
3 comments

Schwab has hardware security tokens for the asking. I have one. Similar to the six-digit RSA tokens I used at work (but without the RSA token bug from some years ago). It is my understanding they also support software tokens. I'm a happy customer.

https://www.schwab.com/help/two-factor-authentication

They do support software tokens - I use that method - but it’s a bit of a pain[1] if you want to use a TOTP program other than Symantec :(

1: https://news.ycombinator.com/item?id=28231146

The credit union I use does have SMS 2FA as an option, but has other options via Entrust. Specifically there's a "soft token" that's a phone app which implements their own brand of not-TOTP, and a "hard token" that's a fob that generates their own brand of not-TOTPs.

What operations does it require the OTPs for? Generally anyone can do an ACH withdrawal from your account and the bank won’t ask you about it until afterwards. This is dealt with by other legal frameworks but you could certainly call it insecure even if they need 4 factors to let you see your account balance.

Just logging in.

I wouldn't say that American digital banking is that bad at this point.

SMS 2FA is pretty robust, as biometrics on the phones reduce the number of SMSes sent.

In Germany most banks don't do this anymore due to security reasons.

I can't say about most, but my N26 DE account requires SMS authentication as well.