
You have to think of a Bank's threat model though.

Account compromise is one threat, but the use of valid accounts for money laundering is another. In my view the reason they "get it wrong" is because they don't want you to be able to automate transactions, as that makes money laundering easier...

Therefore, they don't want to use standard TOTP because that's easy to automate. Requiring SMS based 2FA is harder (but not impossible, use a modem or maybe an SMS service.) And requiring a special app is quite difficult to automate.



Also, people usually underestimate the problems of TOTP. Losing TOTP is easy. Lose your phone and it's gone. It means game over for a regular person. SMS is light years ahead in terms of ease of recovery. Even after losing your phone, you can stop by a store, activate your SIM back again with your ID. Not the case with TOTP.

Yes, some of the SMS recovery scenarios can make hackers hijack your account easily too, but cell operators have workarounds in place for that. It's getting better.

I don't even know how recovery scenarios work for passkeys.


Counter: Backups for TOTP are easy and you can use multiple devices/services for a single TOTP login.


Whether it is easy or possible is irrelevant. For the 99.7% of the world that isn't a software developer, the real-world observed use case will predominantly be the least-friction commoditized workflow. People mostly have one phone with one authenticator app, and that's what they'll use.


You aren't wrong. It is built in to Google's and Apple's though, so it should be widely used.


> Losing TOTP is easy. Lose your phone and it's gone.

That is the main point of it. That's why it is called a second factor.

> It means game over for a regular person.

It just means you have to go to the nearest branch.


Precisely nobody is suggesting that there be no recovery mechanism. This criticism is a red herring.


What do you think such a recovery mechanism would look like without SMS?


Syncing the TOTP credentials from a cloud account of some sort (iCloud/Google for the masses, Bitwarden or another password manager for more technical users) to the device.

As a fallback recovery mechanism, offline backup codes generated at the time the TOTP is applied to the account.


Then you make Google/iCloud the point of entry to someone's bank account. That completely changes the threat model for customers, and possibly for worse than SMS.

Offline backup codes, when printed, aren't such a bad idea. But when you lose that piece of paper, again, game over.

SMS is fantastically resilient to these scenarios. There's a reason banks insist on using it.


SMS isn't resilient to the worker at the local retail store for the phone carrier giving someone else a SIM for my phone number. That's a much bigger threat vector than Google/iCloud/a sync target I manage storing an encrypted version of the TOTP credentials.


If I lose my phone I can go to the office of my carrier, present my ID and receive a new SIM with the old number[0]. If Apple/Google decide that I'm not their customer anymore then I have literally zero ways to recover anything from them.

[0] and half a year later the bank would finally find out about it and block the SIM 'to prevent fraud' at the most inconvenient time. But again, it's solvable with a visit to the office and an ID.


How realistic is this threat? I would think that the employees would have to jump through hoops that require you to be present (or at least a lot more of your info to be stolen than just your name and number) and that the home network would detect a duplicate E.164 number with conflicting IMEI/IMSI numbers and locations pretty quickly.


FWIW: https://en.wikipedia.org/wiki/SIM_swap_scam

This is more like confused deputy than collusion (though that can happen as well), but nevertheless the end result is somebody else ends up with your number, and your device gets deactivated.


Show up in person with ID.


That's not necessarily possible. Many banks do not have physical locations, and many people do banking business while physically away from a bank.

https://en.wikipedia.org/wiki/Direct_bank


We're talking about recovery mechanisms, not day to day regular banking interactions. Ultimately, if there isn't a physical branch you can show up to easily, your access recovery time might be pretty inconvenient. This would be a good thing to consider when selecting a bank.


Online only banking is fairly popular for traditional banking services, and wildly popular when you consider money transmitters, lenders, and investment brokerages.

Whatever the problem you think they have with authentication resets -- much of the financial market seems to have solved the problem well enough without in-person resets to have successful mainstream businesses.


Yes, but remember, the original scenario was a person leaving Canada and trying to use their Canadian bank account from the US. There is nowhere to show up. But, if they could swallow SMS roaming costs temporarily, they could access their account easily.


> There is nowhere to show up.

There's Canada. And yes, re-enabling a SIM and paying a handful of roaming SMS charges might easily be more convenient than traveling to Canada.


MFA is more than 2FA. You'll typically mandate several ways to get in, ahead of time. Whether a third logical device or printing out recovery codes. For something as important as a bank, folks will comply.


Password managers, such as KeePassX, can generate TOTP codes. And a KeePass database is just a file, so you can have as many backups of it as you want.


You overestimate a regular person's technical skills and their capability of planning resilient backup strategies.


The banks' real threat model is around what punishments will come from the government. If there's no real regulation with teeth, banks will not care.


The biggest hurdle to money laundering is getting past KYC at the creation stage, which requires you to have stolen identities and/or identity documents, getting past the anti-fraud gauntlet, and probably intercepting any documents/cards that get mailed. Setting up a device farm that can receive SMS OTPs is simple by comparison. All you need is a $60 Android phone and an app with SMS access.


There are ways of getting phone numbers that can be used in automation. Then there's SIM cloning, which is apparently very easy to do and very hard to defend against given how often this happens.


I was surprised that Bank of America still does SMS based 2FA.


BoA is one of the very few US banks that do any modern auth - they support fido2 security keys.

Of course effectively 0% of their customers actually use it, and instead rely on sms


Huh I set up SMS 2FA for BofA back in 2016 and I never knew they now support fido2.


They don't let you get rid of sms fallback, so it's not immune to sim theft

It does help vs phishing though


Why would a bank care about money laundering?


Because the government said so. Why did the government say so -- because the bank is the only place that can see your transactions and has a profile on you and has a dedicated person to call you and ask about that cash withdrawal on the Turkish side of the Syrian border or regular cash deposits of 100k each week in addition to your cop salary.

Alternatively you can just not do anything with money laundering and all that or let the government do the monitoring itself.


There is a difference between caring about reducing legal risk and caring about money laundering.


HSBC determined its retail banking operations in NA were not worth it any longer due to the liability they faced after their high-profile money laundering scandal [0].

[0] https://www.investopedia.com/stock-analysis/2013/investing-n...


Because look at what happens when the government thinks you don't care enough about money laundering. TD Bank recently got hit with a $3 billion fine.

> More than 90% of transactions went unmonitored between January 2018 to April 2024, which “enabled three money laundering networks to collectively transfer more than $670 million through TD Bank accounts,” according to a legal filing.

https://edition.cnn.com/2024/10/10/investing/td-bank-settlem...


I think you can easily answer that question yourself by doing a simple search.


It's a long, complicated story but it essentially boils down to this: https://en.wikipedia.org/wiki/Bank_Secrecy_Act


If they're not seen as doing enough, they can be fined by regulators.



