by D7wEQ
1081 days ago
I think it's both the security vs. availability balancing act and the view of IT as a cost center. From a cynical, cost-oriented point of view, they don't care how free LinOTP, PrivacyIDEA, or any of the libraries that implement TOTP are. They're starting a death march project to license the most expensive proprietary software they can get, then spend a truckload of money on consulting/contractors to finish the job, and finally bleed money on a bunch of maintenance contracts. Once it's in place, they have to deal with the support burden of helping people recover their accounts. Much of that is transferred to email/phone providers since, for the average person, it takes a special kind of negligence to irrecoverably lose an email address or phone number. TOTP seeds and backup codes are a bit easier to lose. On the more optimistic side, it's probably a coverage and time thing. My guess is that around when banks started to get interested in securing their on-line banking offerings, it was in that time before smartphones were widespread and OTPs required physical tokens. IIRC, HOTP and TOTP didn't get standardized as RFCs until 2005 and 2011 respectively. Smartphone penetration wasn't at 50% in the US until around 2013. While TOTP would be objectively superior, mail/SMS two-step is better than single-factor auth, so the banks probably just went with what they felt would remove the most barriers to adoption. Plus, the sales and marketing people (NOT cost centers) would have been sending emails and texts out to people for years already.