by shortcake27 1241 days ago
It isn’t just banks. 10 years ago I just used TOTP when I wanted 2FA. But now many tech companies are hand-rolling their own MFA. Google Prompts. GitHub Mobile. Microsoft Authenticator. Adobe Account Access. Some of these still support TOTP, but force you to use their app (Google Prompts when a Google app is installed). Others simply removed TOTP to push their app (Adobe).

TOTP was great as I could generate codes on multiple devices and back up my setup codes. Now I’m forced to use my phone, a device that is easily lost or stolen, and restoring a new phone from a backup generally doesn’t transfer the keys for these types of apps (for “security” I guess), so “nightmare” is probably putting it nicely.

I’m surprised more people aren’t complaining about all of this proprietary/DIY security. Rolling your own is almost always a bad idea; we have open standards for a reason.
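The property the comment relies on, that any device holding the same shared secret computes the same code, follows directly from how TOTP (RFC 6238) is defined. The following is an added example, not code from the commenter or from any of the vendors named, using only the Python standard library. The enrollment URI is constructed for illustration around the RFC 6238 test secret (ASCII "12345678901234567890"); `parse_otpauth`, `totp` and `verify_totp` are names chosen here, not a published API. It also shows the server-side verification window that tolerates clock skew.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# RFC 6238 reference secret, base32-encoded the way an authenticator app
# receives it inside an otpauth:// URI (the "setup code" you can back up).
TEST_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode("ascii")


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, for_time=None, step: int = 30, digits: int = 6,
         algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).

    Nothing here is device-specific: a phone, a laptop and a printed backup
    of the secret all produce the same code for the same time step."""
    if for_time is None:
        for_time = time.time()
    secret = base64.b32decode(secret_b32.replace(" ", ""), casefold=True)
    return hotp(secret, int(for_time) // step, digits, algorithm)


def verify_totp(secret_b32: str, code: str, at_time, window: int = 1,
                step: int = 30, digits: int = 6, algorithm: str = "sha1") -> bool:
    """Server-side check: accept the current step and +/- `window` neighbouring
    steps to absorb clock skew; compare in constant time."""
    secret = base64.b32decode(secret_b32, casefold=True)
    counter = int(at_time) // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta, digits, algorithm), code):
            return True
    return False


def parse_otpauth(uri: str) -> dict:
    """Extract the TOTP parameters from an otpauth://totp/ enrollment URI
    (the payload of the QR code). Defaults follow the common convention:
    SHA1, 6 digits, 30-second period."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = parse_qs(parts.query)
    if "secret" not in q:
        raise ValueError("otpauth URI has no secret")
    return {
        "label": unquote(parts.path.lstrip("/")),
        "secret": q["secret"][0],
        "algorithm": q.get("algorithm", ["SHA1"])[0].lower(),
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
    }


if __name__ == "__main__":
    # Constructed enrollment URI (hypothetical issuer/account) carrying the test secret.
    uri = (f"otpauth://totp/Example:alice%40example.com?secret={TEST_SECRET_B32}"
           "&issuer=Example&digits=8")
    p = parse_otpauth(uri)
    # Two "devices" that imported the same URI agree on every code.
    for t in (59, 1111111109, 1234567890):
        device_a = totp(p["secret"], t, p["period"], p["digits"], p["algorithm"])
        device_b = totp(p["secret"], t, p["period"], p["digits"], p["algorithm"])
        print(t, device_a, device_a == device_b)
```

The codes printed for times 59, 1111111109 and 1234567890 match the SHA1 rows of the RFC 6238 Appendix B table, which is the quickest way to sanity-check any TOTP implementation before trusting it with real secrets.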