by riedel 324 days ago
At least in Germany all the SMS 2FA has been shut off, but replaced with tons of custom 2FA apps. The security argument is certainly that they can check for 'insecure' devices. But I wonder what the empirical evidence here is and how often (compared to phishing/social engineering) a TOTP token was actually stolen. Worst thing is IMHO Microsoft now, which seems to have also shut off the TOTP option and uses some other proprietary 2FA scheme now. IMHO banks should simply use FIDO2 HW tokens, but with all that passkey bullshit it becomes unlikely...
2 comments

A failure scenario I found is when MITM antivirus decrypts traffic (or something similar), so a proprietary 2FA scheme doesn't work, because it can't get through the network.
No it hasn't. How can you make a statement so confident, when obviously you couldn't objectively know?
Evidence to the contrary?

For my German banks, this is true. Stupid custom apps and proprietary reader hardware that read coloured moving QR codes everywhere.

It's your responsibility to provide evidence for your claims, not everyone else's to prove yours wrong...
You say "no" to the poster saying "in Germany all the SMS 2FA has been shut off".

It makes sense to ask you for evidence: you'd just have to name a bank that provides SMS 2FA.