by erinnh 806 days ago
This is definitely not the case everywhere.

Where I live the app is 100% needed because it’s the "second factor" in the login process.


There has to be a fallback like SMS and/or automated call.
For my banks the only fallback is a hardware device that you put your card into. Before the app you had to carry this everywhere when traveling to do online banking.
SMS is magnitudes less secure than the Secure Enclave in my phone.

Fallback should never be the weakest link in a security chain. Especially not in something as high stakes as your banking login.

I can’t remember how I got my first bank token in my phone. Probably by physically showing up in the bank office with my id.

SMS 2FA is not great, but still seems to be more secure than a rooted phone.

If your SMS OTP leaks to the attacker, they still need to know the first factor (password, biometrics) to gain access.

Meanwhile, if your rooted phone is controlled by an attacker ... that's it, the attacker has everything.

Fair. I still wouldn’t want to have such a fallback available by default. Being stronger than an even worse option doesn’t change that. Because it eliminates the security of the strongest option.
Agreed. Unfortunately almost every bank here forces me to use this less secure option "for security" due to my rooted phone. Not one has just offered standard TOTP (perhaps because the pull-only nature of it means they can't present the message explicitly telling the user what they're about to authorize. Which is an understandable qualm I guess)
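The "pull-only" point above is worth seeing in code. The following is an added example, not code from any commenter or bank: a standard RFC 4226/6238 HOTP/TOTP implementation next to a hypothetical transaction-bound code (the construction, HMAC-SHA256 over the counter plus a hash of amount and payee, is a design choice for this demo and not a named standard). The secret is the RFC test-vector key and the transactions are constructed. It shows why a TOTP verifier cannot check what the user meant to approve, while a code that mixes in the transaction details is rejected the moment the amount or payee is altered.

```python
"""Added example: TOTP (RFC 6238) versus a hypothetical transaction-bound OTP.
Illustrative code only; secrets and transactions below are constructed for the demo."""
import hashlib
import hmac
import struct
import time

DEMO_SECRET = b"12345678901234567890"  # RFC 4226/6238 test-vector secret, not a real key


def _truncate(mac: bytes, digits: int) -> str:
    """Dynamic truncation from RFC 4226 section 5.3, zero-padded to a fixed width."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter."""
    return _truncate(hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest(), digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the current time step.
    Nothing in the code depends on what is being authorized."""
    return hotp(secret, now // step, digits)


def verify_totp(secret: bytes, code: str, now: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check tolerating +/- `window` steps of clock skew, constant-time compare."""
    return any(
        hmac.compare_digest(totp(secret, now + k * step, step, digits), code)
        for k in range(-window, window + 1)
    )


def transaction_otp(secret: bytes, counter: int, amount_cents: int, payee: str,
                    digits: int = 8) -> str:
    """Hypothetical transaction-bound code (constructed for this demo, not a standard):
    amount and payee are hashed into the HMAC input, so the code only verifies for the
    exact transaction the user was shown before generating it."""
    details = hashlib.sha256(f"{amount_cents}|{payee}".encode()).digest()
    mac = hmac.new(secret, struct.pack(">Q", counter) + details, hashlib.sha256).digest()
    return _truncate(mac, digits)


def verify_transaction_otp(secret: bytes, code: str, counter: int, amount_cents: int,
                           payee: str, digits: int = 8) -> bool:
    """The verifier recomputes the code from the details it is about to execute."""
    return hmac.compare_digest(transaction_otp(secret, counter, amount_cents, payee, digits), code)


def demo() -> dict:
    """Contrast: a leaked TOTP code is accepted for any transaction in the window,
    a transaction-bound code is rejected once the details are tampered with."""
    now = int(time.time())
    code = totp(DEMO_SECRET, now)
    # A TOTP verifier has no transaction to compare against; the code is simply valid or not.
    totp_accepted = verify_totp(DEMO_SECRET, code, now)
    # The bound code was generated while the user was shown "12.34 EUR to ACME" (constructed).
    bound = transaction_otp(DEMO_SECRET, counter=7, amount_cents=1234, payee="ACME")
    return {
        "totp_accepted": totp_accepted,
        "bound_ok_same_tx": verify_transaction_otp(DEMO_SECRET, bound, 7, 1234, "ACME"),
        "bound_ok_tampered_tx": verify_transaction_otp(DEMO_SECRET, bound, 7, 123400, "EVIL"),
    }


if __name__ == "__main__":
    print(demo())
```

The TOTP functions reproduce the RFC test vectors (counter 0 gives 755224; time 59 with 8 digits gives 94287082), so the contrast is with a correct TOTP, not a weakened one. The bound variant is what lets an app display "you are about to approve X to Y" and have the code mean exactly that; a bare TOTP authenticator has no channel for that information.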
> SMS is magnitudes less secure than the Secure Enclave in my phone.

The secure enclave on a rooted phone that no longer has execution integrity?

Curious, can you name this institution that only allows the app to be used as the second factor without fallbacks?
In Germany: all of them.

Well, some offer a hardware device for like 25€ that can do the same thing, but then if you have an account with multiple banks, you need multiple of these devices.