Ask HN: Why doesn't any US bank use TOTP MFA?

18 points by unethical_ban ↗ HN
In my experience and in talking with friends, we don't know of a single US bank that uses standard TOTP for their two-factor authentication.

The only 2FA options seem to be SMS, email, or upon occasion proprietary 2FA built into their mobile app (Or Symantec VIP, in the case of USAA).

One argument I've seen is that banks have to balance availability and security to their customers and lots of people wouldn't know how to secure their 2FA codes or backup codes. Fine. Why not have it as an option for those of us competent enough to use the technology? It is more convenient and at least as secure as email 2FA, and better than SMS.

22 comments

[ 3.1 ms ] story [ 15.2 ms ] thread
It's important to realize that for banks IT is a cost center. They spend only the absolute minimum for IT, because they don't make money with it. I have learned it the hard way, by working for some of them (thought must admit, not in the US). They only spend the absolute minimum on anything IT related - if most customers don't complain about it, and auditors are happy, then it means that it is just perfect.
unless it's something like Zelle, where they want to force you to use a mobile app so they can... <insert nefarious conspiracy here>
> ... <insert nefarious conspiracy here>

... retain customers and their money within bank accounts so they can lend it out and make money off of it.

Turns out it's not very nefarious, just normal profit motive. Banks make money with Zelle that they'd lose if you Venmo'd money to your fitness instructor who kept it in their Venmo rather than immediately depositing it into a regular checking account.

Do people actually have nefarious conspiracy theories about Zelle?

Why can't I use zelle in a browser? I would use it if I could, but they require a mobile app. Why?
That's not a technical limitation, that's a choice of your bank (and apparently mine). Critically, though, Zelle is competing with Venmo (in particular) and other mobile-only or primarily-mobile apps. Working within the same environment is "good enough" from the perspective of most banks.
Chase lets you Zelle from the browser.
Since when? This is not my experience
Just logged into my account and it's there. I don't know when it was introduced.
Have you tried to use it?

I know the link is there, but last time it took me to pages where you were instructed to install the app

There's verbiage all over the site about a "new look" so maybe it is rolling out slowly to sections of the customers.

Mine currently looks like this: https://imgur.com/a/iFDVVwl

Capital One does too. I’ve used Zelle through Capital One’s website for years, and have never had the mobile app installed.
It's important to realize that for banks IT is a cost center.

Sorry, that argument doesn't float in the overall scheme of things.

TOTP is easy to implement, more secure and costs less to operate than SMS verification --- which is widely supported by banks and in many cases is really nothing more than TOTP codes transmitted across the cell network.

If IT cost was really the issue, TOTP would likely be the universal default option.

> It's important to realize that for banks IT is a cost center

Is this a US phenomenon? Where I live, banks are routinely promoting how they are more modern due to their tech. It's far from a cost center and has been like that for at least 2 decades now.

It's important to realize the time value of money.

"Tech" means faster, easier transfers and processing. This is great for consumers --- but not so great for banks.

Banks make a lot of money from "float" --- the lag time between the initiation of a transaction and it's actual completion. The delay between the point in time where money is withdrawn from the sender's account until it is actually credited to the receiver's account. In many cases, this is a day or more in the US.

Bottom line --- most US banks have billions of dollars just "floating" on their books --- continuously. This is someone else's money that the *bank* can earn free interest on.

"Tech" (aka instant transactions) threatens to eliminate this source of income for banks.

Email and SMS are legacy. Some banks do use TOTP the same way.

The issue with TOTP is that it’s a shared secret, not a second factor. TOTP auth is two step.

But what’s in the USAA app is TOTP…
True, it's the closest I've seen. Actually yes, it is TOTP though on the backend it's Symantec VIP.

Which makes it the best out of the bunch by this metric. But why not a generic TOTP like any other site?

My broader point is about how simple and generic and yet effective this tech is. Every bank has a proprietary or inferior form of 2FA. In 2023, I'm surprised it isn't more advanced.

Most banks can't use TOTP because union agreements prohibit their members from using it.

Schools First in California, City National Bank of Beverly Hills, and all military credit unions use TOTP.

Why do the union agreements prohibit TOTP?
Maybe banks want a phone number they can track.
I think it's both the security vs availability balancing act and the view of IT as a cost center.

From a cynical, cost-oriented point of view, they don't care how free LinOTP, PrivacyIDEA, or any of the libraries that implement TOTP are. They're starting a death march project to license the most expensive proprietary software they can get, then spend a truckload of money on consulting/contractors to finish the job, and finally bleed money on a bunch of maintenance contracts. Once it's in place, they have to deal with the support burden of helping people recover their accounts. Much of that is transferred to email/phone providers since for the average person, it takes a special kind of negligence to irrecoverably lose an email address or phone number. TOTP seeds and backup codes are a bit easier to lose.

On the more optimistic side, it's probably a coverage and time thing. My guess is that around when banks started to get interested in securing their on-line banking offerings it was in that time before smartphones were widespread and OTPs required physical tokens. IIRC HOTP and TOTP didn't get standardized as RFCs until 2005 and 2011 respectively. Smartphone penetration wasn't at 50% in the US until around 2013. While TOTP would be objectively superior, mail/sms two-step is better than single factor auth, so the banks probably just went with what they felt would remove the most barriers to adoption. Plus the sales and marketing people (NOT cost centers) would have been sending emails and texts out to people for years already.