Ask HN: Why doesn't any US bank use TOTP MFA?
In my experience and in talking with friends, we don't know of a single US bank that uses standard TOTP for their two-factor authentication.
The only 2FA options seem to be SMS, email, or upon occasion proprietary 2FA built into their mobile app (Or Symantec VIP, in the case of USAA).
One argument I've seen is that banks have to balance availability and security to their customers and lots of people wouldn't know how to secure their 2FA codes or backup codes. Fine. Why not have it as an option for those of us competent enough to use the technology? It is more convenient and at least as secure as email 2FA, and better than SMS.
22 comments
[ 3.1 ms ] story [ 15.2 ms ] thread... retain customers and their money within bank accounts so they can lend it out and make money off of it.
Turns out it's not very nefarious, just normal profit motive. Banks make money with Zelle that they'd lose if you Venmo'd money to your fitness instructor who kept it in their Venmo rather than immediately depositing it into a regular checking account.
Do people actually have nefarious conspiracy theories about Zelle?
I know the link is there, but last time it took me to pages where you were instructed to install the app
Mine currently looks like this: https://imgur.com/a/iFDVVwl
Sorry, that argument doesn't float in the overall scheme of things.
TOTP is easy to implement, more secure and costs less to operate than SMS verification --- which is widely supported by banks and in many cases is really nothing more than TOTP codes transmitted across the cell network.
If IT cost was really the issue, TOTP would likely be the universal default option.
Is this a US phenomenon? Where I live, banks are routinely promoting how they are more modern due to their tech. It's far from a cost center and has been like that for at least 2 decades now.
"Tech" means faster, easier transfers and processing. This is great for consumers --- but not so great for banks.
Banks make a lot of money from "float" --- the lag time between the initiation of a transaction and it's actual completion. The delay between the point in time where money is withdrawn from the sender's account until it is actually credited to the receiver's account. In many cases, this is a day or more in the US.
Bottom line --- most US banks have billions of dollars just "floating" on their books --- continuously. This is someone else's money that the *bank* can earn free interest on.
"Tech" (aka instant transactions) threatens to eliminate this source of income for banks.
The issue with TOTP is that it’s a shared secret, not a second factor. TOTP auth is two step.
Which makes it the best out of the bunch by this metric. But why not a generic TOTP like any other site?
My broader point is about how simple and generic and yet effective this tech is. Every bank has a proprietary or inferior form of 2FA. In 2023, I'm surprised it isn't more advanced.
Schools First in California, City National Bank of Beverly Hills, and all military credit unions use TOTP.
From a cynical, cost-oriented point of view, they don't care how free LinOTP, PrivacyIDEA, or any of the libraries that implement TOTP are. They're starting a death march project to license the most expensive proprietary software they can get, then spend a truckload of money on consulting/contractors to finish the job, and finally bleed money on a bunch of maintenance contracts. Once it's in place, they have to deal with the support burden of helping people recover their accounts. Much of that is transferred to email/phone providers since for the average person, it takes a special kind of negligence to irrecoverably lose an email address or phone number. TOTP seeds and backup codes are a bit easier to lose.
On the more optimistic side, it's probably a coverage and time thing. My guess is that around when banks started to get interested in securing their on-line banking offerings it was in that time before smartphones were widespread and OTPs required physical tokens. IIRC HOTP and TOTP didn't get standardized as RFCs until 2005 and 2011 respectively. Smartphone penetration wasn't at 50% in the US until around 2013. While TOTP would be objectively superior, mail/sms two-step is better than single factor auth, so the banks probably just went with what they felt would remove the most barriers to adoption. Plus the sales and marketing people (NOT cost centers) would have been sending emails and texts out to people for years already.