Because SMS is not considered a secure 2FA mechanism anymore, and hasn't been for a while. If that's the default for that bank, and not GP going out of their way to pick a legacy access path, then they're about a decade behind what's considered industry standard -- which today is querying a second factor not just per login, but also per important operations (money transfers, dispositions, changes in settings), with the second factor being by default a smartphone with hardware and software integrity verified via remote attestation.
Then literally every US business and government is not trying to be secure. I cannot name a single organization that does not have the option of or requires SMS 2FA.
I think the government and large businesses like it that way, as it makes the mobile network providers as a sort of credit check (or “are you worth dealing with”) mechanism.
I haven't heard a compelling reason why remote attestation is more secure.
The whole point of 2FA was to have two devices that you own. Now the bank is forcing your login and 2FA to be on the same device. Which is the easiest device to steal.
It's fairly easy to get control of anyone's phone number without interacting with them in any form. Just some social engineering at the kiosk in the mall.
It is extremely common for people's phone numbers to be stolen (even if temporarily), and then their bank accounts drained.
The larger point here isn't whether they do, but that they'd rather not. They want you to rely on their app, and have been pushing people to it for years now (some more intensely than others).
Because SMS is not considered a secure 2FA mechanism anymore, and hasn't been for a while. If that's the default for that bank, and not GP going out of their way to pick a legacy access path, then they're about a decade behind what's considered industry standard -- which today is querying a second factor not just per login, but also per important operations (money transfers, dispositions, changes in settings), with the second factor being by default a smartphone with hardware and software integrity verified via remote attestation.
Then literally every US business and government is not trying to be secure. I cannot name a single organization that does not have the option of or requires SMS 2FA.
I think the government and large businesses like it that way, as it makes the mobile network providers as a sort of credit check (or “are you worth dealing with”) mechanism.
Now that is more of a problem than a bank. Which is why someone beeds to integrate OTP tokens into ID cards, closing the issue.
I haven't heard a compelling reason why remote attestation is more secure.
The whole point of 2FA was to have two devices that you own. Now the bank is forcing your login and 2FA to be on the same device. Which is the easiest device to steal.
What about SMS is somehow worse than that?
It's fairly easy to get control of anyone's phone number without interacting with them in any form. Just some social engineering at the kiosk in the mall.
It is extremely common for people's phone numbers to be stolen (even if temporarily), and then their bank accounts drained.
3 replies →
Uh, banks still provide separate tokens and one time pad cards last I've heard.
If yours doesn't, pick one that does.
The larger point here isn't whether they do, but that they'd rather not. They want you to rely on their app, and have been pushing people to it for years now (some more intensely than others).