by daef 1018 days ago
I don't know where you're from, but here in Austria most banks offer 'cardTAN' as an alternative to mobileTAN. I always assumed cardTAN is a thing everywhere...

edit: with cardTAN you get an OTP/TAN 'calculator' into which you put your smartcard to generate TANs on the fly.

I use it because to me this feels more like a real second factor, when I use my mobile for banking.

5 comments

Same here in NL, for now. But: banks are pushing their apps hard, to the point where every authentication you have to manually switch - again - to indicate that you want to use the token generator and not their app (never mind cookies and so on, those are only for the marketing department, when for once they could actually use them to store your preferences).

And there will likely be a time when the bank simply cuts access to the cardTAN system and only allows their apps. Screw them because that means I have to use a smartphone, which I really do not want. The cardTAN system has been very good so far in preventing fraud; once the phone is the token it suddenly gets a lot more complicated and less secure.

The DACH world is specific in many things... but I've seen cardTAN outside it. In Slovakia, Tatra banka does use this system. I guess being part of Raiffeisen explains it.

That used to be the universal way here (Belgium) before the banks went all in with apps. I'm not sure whether typing a challenge/response into a browser is inherently more secure than a phone app.

For those wondering about 2FA with these apps, factor 1 is "something you own" namely that particular phone/sim, and factor 2 is "something you know", your PIN.

You can still use cardTAN, but the app is way more convenient, especially with QR.

Fun fact, I still have the thing here, used it for many years, but they made it obsolete. App only now. It's a German Sparkasse :(

cardTAN is being rapidly phased out in Austria.