[brianmiddleton]

I just got an email from my credit union that they're "transitioning from email passcode delivery to more secure methods such as phone calls and text messages". I need to send them this video.

That credit union is awful for many other reasons, so I don't keep much in that account, but I wonder why banking in the US is so bad at security. I don't think I have a single bank or credit card online account that allows for TOTP. It's all SMS or phone call, with one bank allowing for app push notifications.

Is there a compliance check box that requires SMS over something with at least some security?

[thepratt]

I'm surprised they're putting SMS 2fa in now. In 2016 the NIST released new guidelines that essentially "banned" SMS 2fa use. It's heavily suggested that US banks follow NIST guidelines, I'm unsure if there's any actual legal requirement for them to.

You could always send the portion of the guidelines to as many credit union people as possible. Someone may bite.

[TrapLord_Rhodo]

nist is all about internal controls. It says nothing about dictating controls on your users.

[thepratt]

That's not entirely correct. The main purpose is how US federal agencies handle stuff such as digital identities, this includes all digital identities - employees and citizens/other. Private institutions can use it as guidance for whatever purpose. You can find this information in the abstract of revisions https://pages.nist.gov/800-63-3/sp800-63-3.html

[Our_Benefactors]

> Is there a compliance check box that requires SMS over something with at least some security?

Yes - it ticks the box for 2FA.