Comment by fleebee
19 hours ago
My bank only has two options for authentication: Either you use their mobile app or buy an authentication device from them that's the size of a small phone. Either way I need a handheld device.
I can't say I'm happy with the direction of things. They used to offer slips of paper with single-use codes that worked fine, but those are now deprecated in favor of the smartphone app.
You can use a lot of those authentication / bank apps on a tablet without issue. Obviously it’s worth verifying before making the swap to a flip phone, but I like having minimal apps on my smartphone so I still have a backup if needed.
Then your bank is garbage and you should switch to a better one. My main bank (USAA) lets me use a one time code sent to my email as a second factor (or SMS, or a code from their app). If they started requiring me to use the app I would drop them immediately. Why is "but my banking app" treated like a valid objection every time user freedom comes up?
> My main bank lets me use a one time code sent to my email as a second factor or SMS
Congratulations, your bank is still relying on the two most easily spoofed 2fac methods.
The fact that they are easily spoofed is of no consequence for this use-case: entering an invalid 2FA code will simply fail to log you in to your banking. You should obviously not follow a link from an email that is not obviously coming from your request (and you should validate the top-level domain is what it needs to be even in that case), but you should be entering the bank web site directly.
The bigger problem is SIM swapping, which is more of a social engineering attack.
Because it's most banks that are like that. If you don't have this problem, then you're lucky your bank is actually technologically incompetent by industry standards.