Never mind the insanity of leaking a secret that would otherwise only travel over TLS. Banks wouldn't know actual security if it fell into their lap. They got spoiled by pretending SSNs were somehow private, and are still trying to use "identification" as a crutch rather than focusing on proper authorization - e.g. a hierarchy of auth levels with the master being a public key on a hardware token, ideally one that you go into a branch to replace. The only thing a person can do is refuse their snake oil voiceprints etc. wherever possible, and most importantly monitor your accounts religiously at least every 40 days.
Even worse, the snake oil is leaking to non-banks as well. For example, Amazon now seems to insist on doing an email challenge for every login. Very unfriendly UX. Eventually I'll get around to writing a procmail recipe that grabs the codes out of emails/texts, and spits them to a terminal ready to be pasted.
Most banks in the UK have given out hardware 2FA devices for years. I have one for my company accounts that's activated with its own PIN and gives out logon and authorisation codes.
Is this not true in the US?
They are often now replaced by banking apps that offer a similar feature, as my consumer account with the same bank has done.