[sometimes_all]

LOL in the name of security, HDFC is trying to move their OTP verification to be almost entirely app-only, (not open-source TOTP which can be generated by authenticator/any other auth app; you can only use HDFC's app for that even if you want to log in via desktop).

Regulators sleeping at the wheel on this one.

[left-struck]

I think that’s pretty common worldwide. In Australia I’ve never encountered a bank or government service that allows any widely accepted secure 2FA. It’s always SMS or their own app. There used to be physical hardware tokens as well but they are going away.

[RajBhai]

I don't even care that much if they want to handle the 2FA with their proprietary methods. There are Android APIs that broker the OTP SMS delivery to the app without the app needing full access to the phone's messages.

If they can't do it on iPhone, they don't need to do it on Android.