I think the disconnect comes from the European vs the US perspective. In Europe, banks in many countries require smartphone apps for 2FA (unless you still have one of the old authenticators that you can hold on to until the battery dies). One of the reasons is that PSD2 requires two-factor authentication: https://www.betaalvereniging.nl/en/knowledge-base/digital-id... My guess is that, given that banks are liable in many cases of account compromise where the user did not do anything wrong, they generally don't use SMS or e-mail auth because it is relatively easy to compromise (e.g. no or bad encryption, downgrade attacks, etc.). Also, doing 2FA through a smartphone app is much cheaper for them than keeping a fleet of authenticators running. Luckily, it looks like PSD3 is going to require access without a smartphone too: "Require payment services providers to ensure that all users can benefit from methods to perform SCA which are adapted to their needs and situations and, in particular, that those methods do not depend on one single technology, device or mechanism, for instance on the possession of a smartphone." https://ec.europa.eu/commission/presscorner/detail/el/qanda_... So things are looking up in that respect.