Comment by nahkoots

15 hours ago

Then your bank is garbage and you should switch to a better one. My main bank (USAA) lets me use a one-time code sent to my email as a second factor (or SMS, or a code from their app). If they started requiring me to use the app I would drop them immediately. Why is "but my banking app" treated like a valid objection every time user freedom comes up?

> My main bank lets me use a one time code sent to my email as a second factor or SMS

Congratulations, your bank is still relying on the two most easily spoofed 2fac methods.

  • The fact that they are easily spoofed is of no consequence for this use-case: entering an invalid 2FA code will simply fail to log you in to your banking. You should obviously not follow a link from an email that is not obviously coming from your request (and you should validate the top-level domain is what it needs to be even in that case), but you should be entering the bank web site directly.

    The bigger problem is SIM swapping, which is more of a social engineering attack.
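To make concrete what "an invalid code will simply fail" has to mean on the server side for an emailed or texted code to be safe, here is an added example (not code from anyone in this thread, and not any bank's implementation): a hypothetical `OtpStore` that issues a six-digit code, expires it after five minutes, locks it after five wrong guesses so the code cannot be brute-forced, compares it in constant time, and consumes it on first successful use so a code that was intercepted in transit cannot be replayed afterwards. The `clock` parameter is an assumption added so the expiry behaviour can be exercised offline.

```python
import hmac
import secrets
import time

# Constructed parameters for this illustration; real deployments tune these.
CODE_DIGITS = 6
CODE_TTL_SECONDS = 300   # an out-of-band code stays valid for five minutes
MAX_ATTEMPTS = 5         # wrong guesses allowed per issued code before it is discarded


class OtpStore:
    """Hypothetical server-side store for one-time codes sent by email or SMS."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable clock so expiry can be tested
        self._pending = {}           # user_id -> [code, issued_at, attempts]

    def issue(self, user_id):
        """Generate a fresh code for the user; this string is what gets sent out of band."""
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        # Issuing a new code replaces any earlier one, so only one code is live per user.
        self._pending[user_id] = [code, self._clock(), 0]
        return code

    def verify(self, user_id, submitted):
        """Return 'ok', 'invalid', 'expired', 'locked' or 'none'. A code is single-use."""
        entry = self._pending.get(user_id)
        if entry is None:
            return "none"            # nothing outstanding (never issued, or already used)
        code, issued_at, attempts = entry
        if self._clock() - issued_at > CODE_TTL_SECONDS:
            del self._pending[user_id]
            return "expired"
        if attempts >= MAX_ATTEMPTS:
            del self._pending[user_id]
            return "locked"          # too many guesses: discard the code, a new one must be issued
        entry[2] += 1                # count this attempt before comparing
        # Constant-time comparison so response timing does not leak matching digits.
        if hmac.compare_digest(code.encode(), submitted.encode()):
            del self._pending[user_id]   # consumed: replaying the same code now fails
            return "ok"
        return "invalid"


if __name__ == "__main__":
    store = OtpStore()
    code = store.issue("demo-user")
    print("sent out of band:", code)
    print("wrong guess ->", store.verify("demo-user", "000000" if code != "000000" else "111111"))
    print("correct code ->", store.verify("demo-user", code))
    print("replayed code ->", store.verify("demo-user", code))
```

The three properties together are what make the weak delivery channel tolerable for a login flow: a wrong guess is just a failed login, a guessed-at code is locked out long before the six-digit space can be searched, and a code that someone else managed to read is worthless once the legitimate user has entered it or five minutes have passed. None of this helps against the SIM-swap case mentioned above, where the attacker receives a fresh, valid code in the first place.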

Because it's most banks that are like that. If you don't have this problem, then you're lucky your bank is actually technologically incompetent by industry standards.