
It really is absurd that the same companies that won’t allow 2FA with any other method outside of SMS are the same ones not sending to VoIP. Maybe they all go through a service for SMS that blocks it, but it still upsets me.

It’s insane to me that maybe every bank I use requires SMS 2FA, but random services I use support apps.



May vary by institution, but both banks I have accounts with also support having a robot call my phone where I can confirm the login. That should at least work with WiFi calling.


I absolutely cannot stand that no bank I have (US) supports generic TOTP, which is more secure and easier to recover from backup if my phone is broken or stolen.

It's inexcusable.


This is probably compliance-related. For me, TOTP isn’t “something I have”, it’s another thing I toss into my password manager and sync to all devices.

I really agree with it, but that’s probably their rationale.


Banks didn't support TOTP long before we were able to easily sync them across devices. It's likely more along the lines of banks generally have bad IT departments and outdated digital security policies.


The real problem is not having a (trusted) way of seeing what you are consenting to by entering a TOTP (which can be phished).

SMS-OTP, with all its downsides, allows attaching a message of who you're paying how much to the actual code.


That same rationale wouldn't support SMS as "something I have." iMessage and other solutions easily spread SMS into cloud and PC lands (ones that are more easily accessible than password managers.) More likely it's because of legacy and "good enough" reasons.

Personally I don't put TOTP tokens into my password manager and keep a dedicated app for it, just in case my password manager is pwned.


I'm not really defending it, I'm explaining the mentality. iMessage is probably closer to "something I have" but yeah, often not true for many American users.

I'd probably keep a TOTP app if I actually brought my cell with me everywhere, but I really don't feel like it; if I'm heading to a cafe to work for a bit I might need to access something and can't be bothered to bring two devices.

Plus, people increasingly access stuff from cell phones, so it's not a guarantee of "something you have" anymore. And no shot we're convincing everyone to start carrying some kind of hardware token.

You have to remember that cybersecurity is driven not so much by what is secure as by what is compliant, and increasingly so.


I do the same, and it somewhat defeats the spirit of 2FA, but I still believe it's more secure. It's basically a second password where intercepting it in transit once isn't enough to be able to repeat the login in the future.


One time password.

Yes, a digital OTP generator is more susceptible in theory to theft or duplication than a hardware token.

Yes, the benefits of digital OTP are great compared to password only, more secure than SMS, and trivial to implement.


There are hardware TOTP tokens that don't allow export of the secret, that makes them something you have. For example:

https://en.wikipedia.org/wiki/Digipass


My bank sends me 2FA codes in their app, which I then have to type into... their app. No kidding. Both the key and the validation in the same place, really ridiculous. Even something as crap as SMS 2FA would be better. TOTP or FIDO2 would be miles better.


TOTP is alright for logins, but it's generally very phishable. For transaction confirmation, not being able to tie a code to a given recipient and amount is somewhat of a dealbreaker.


Fwiw, Symantec VIP is TOTP under the hood, and you can extract the seed with some hackery. There is at least one financial institution in the US that uses that.


Charles Schwab uses this. I was able to extract the TOTP secret during the set up process to use in my preferred auth app.


USAA. Better than nothing, but since it doesn't do push notifications it's a needlessly proprietary piece. It's probably a combination of legal and a slow IT infrastructure.


TOTP is only marginally more secure. It defends against sim swaps but it still loses to phishing, which is far more common than sim swaps.


But it is easier to backup and restore, is accessible without a phone, and can be used without cell service.


Those are usability benefits rather than security benefits and I really don't know if I'd use the word "inexcusable" for this difference.

And for the vast majority of people, sms is much easier to backup and restore than totp because there is an infrastructure to help them do so.


Although they don't offer TOTP, I've noticed growing support for Passkeys which is a step in the right direction.


My brokerage supports TOTP but not my bank. My bank does support Yubikey-type devices though.


Vanguard supports Yubikeys. I'm yet to use a bank (~8 of them so far) that supports anything other than SMS.


There is at least one major US bank that supports Yubikeys and a different major one that supports (with some convincing) a phone notification-based second factor.


Copper State Credit Union supports passkeys.


I've been using Citi and Discover for years with a Google Voice number. Possibly I've been grandfathered in though?


I could not use my Google Voice number (that I've had since Grand Central) for most companies that only do SMS 2FA until it became my Google Fi number. Then I guess some flag got set in the database they check against.


>I could not use my Google Voice number (that I've had since Grand Central) for most companies that only do SMS 2FA until it became my Google Fi number. Then I guess some flag got set in the database they check against.

I was wondering about that, because I can't get Google Voice because I have Google Fi, so clearly it's using the same bank of numbers, but maybe once they are Fi, they are ported to T-Mobile instead of their own CLEC.


They removed that restriction. You can have Fi and Voice on the same account now.


Yeah, I think that restriction was due to that extremely strange way of using Hangouts (remember that?) as a possible backend for both Google Voice and Google Fi text messages.


Chase bank used to not work with Google Voice. I would have to use email for the code. Sometime in the last year? it started working.


Yeah, I use GV with all sorts of things that don't normally allow it, most likely as a result of being grandfathered in - i.e., I suspect they don't recheck old active numbers as being invalid per VoIP classifications/etc.


GV still works on BOA to an extent: general balance queries through their app or the web will go through, but anything involving identity and real transactions via wire or Zelle will ask for your real mobile number. Even if you do happen to visit one of their branches they will ask for confirmation through your real mobile number (landlines will obviously not work).


Works for me with GV, for anything involving identity. I might have been grandfathered in.


I think your experience is typical. I use my Google Voice number for everything and have rarely had any issues.

There are a few popular companies that blacklist VoIP numbers, but most don't. Even Chase, which historically blocked Google Voice, started allowing it a couple years ago.


Mine has worked as well but it used to be a landline when I first acquired it many moons ago.


Execs at those companies probably think "Google = good".


I don't think SMS senders can actually tell the difference between Google Voice and other VoIP providers.


Twilio has a lookup API, which returns the subscriber name and carrier.

Here's an example response (subscriber name redacted):

  {
    "data": {
      "name": "LASTNAME, FIRSTNAME",
      "line_provider": "Google/Bandwidth.com (SVR)",
      "carrier": "Bandwidth.com",
      "line_type": "landline"
    }
  }


Ah, I always assumed Google uses Bandwidth.com completely transparently – I wasn't aware there's a separate level of "line provider" look-up available. Thank you!


Yet Facebook won’t let me sign into WhatsApp using my GV number alone.


There must be something unique about my GV number. It's even allowed on WhatsApp (knock on wood).

I registered it about 13 years ago. I didn't transfer it from a landline/cell phone, it was picked from a list of Google Voice numbers available in my area code. I've never had Fi.


We actually had it that way on accident in a few of our applications - we had a `#isTextable(e164)` function that would do a carrier lookup and voip carriers sometimes returned as landlines or as arbitrary values that didn't mean mobile. We eventually did some work to refine that function to be smarter and actually better represent if the number was textable. At least for us, it wasn't a conscious decision, it was a gate being aggressive in our SMS pipeline.
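The gate described in the comment above, as an added illustration that is not the commenter's code: an aggressive `is_textable` check that only passes a `line_type` of `mobile` rejects a Google Voice number (which a carrier lookup reports as `landline`, as in the Twilio response quoted earlier), while a refined check also accepts `voip` and landline-typed numbers whose `line_provider` names a known text-capable VoIP operator. The lookup results and the provider list are constructed for this example, not real API output.

```python
import re

# Constructed carrier-lookup results, shaped like the response quoted in the
# thread (subscriber name omitted). The first entry mirrors a Google Voice line,
# which the lookup reports as "landline" even though it receives SMS.
SAMPLE_LOOKUPS = {
    "+15550000001": {"line_provider": "Google/Bandwidth.com (SVR)",
                     "carrier": "Bandwidth.com", "line_type": "landline"},
    "+15550000002": {"line_provider": "Verizon Wireless",
                     "carrier": "Verizon Wireless", "line_type": "mobile"},
    "+15550000003": {"line_provider": "Some Telco",
                     "carrier": "Some Telco", "line_type": "landline"},
    "+15550000004": {"line_provider": "Twilio",
                     "carrier": "Twilio", "line_type": "voip"},
}

# E.164: leading '+', then up to 15 digits, first digit non-zero.
E164 = re.compile(r"^\+[1-9]\d{1,14}$")

# Assumption for this example: VoIP operators known to run text-capable numbers.
TEXTABLE_VOIP_PROVIDERS = ("google", "bandwidth.com", "twilio")


def is_textable_naive(e164, lookup=SAMPLE_LOOKUPS):
    """Aggressive gate: only a line_type of 'mobile' passes, so Google Voice fails."""
    if not E164.match(e164):
        return False
    rec = lookup.get(e164)
    return rec is not None and rec.get("line_type") == "mobile"


def is_textable_refined(e164, lookup=SAMPLE_LOOKUPS):
    """Refined gate: 'mobile' and 'voip' pass; a 'landline' passes only when its
    line_provider names a VoIP operator known to deliver SMS."""
    if not E164.match(e164):
        return False
    rec = lookup.get(e164)
    if rec is None:
        return False
    line_type = (rec.get("line_type") or "").lower()
    if line_type in ("mobile", "voip"):
        return True
    provider = (rec.get("line_provider") or "").lower()
    return line_type == "landline" and any(p in provider for p in TEXTABLE_VOIP_PROVIDERS)
```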


> It’s insane to me that maybe every bank I use requires SMS 2FA, but random services I use support apps.

It never ceases to surprise me how much American banks always seem to lag behind with regards to payment tech. My (European) bank started sending hardware TOTP tokens to whoever requested one like a decade ago. They've since switched to phone app MFA.



