HACKER Q&A
📣 unethical_ban

Why doesn't any US bank use TOTP MFA?


In my experience and in talking with friends, we don't know of a single US bank that uses standard TOTP for their two-factor authentication.

The only 2FA options seem to be SMS, email, or upon occasion proprietary 2FA built into their mobile app (or Symantec VIP, in the case of USAA).

One argument I've seen is that banks have to balance availability and security to their customers and lots of people wouldn't know how to secure their 2FA codes or backup codes. Fine. Why not have it as an option for those of us competent enough to use the technology? It is more convenient and at least as secure as email 2FA, and better than SMS.


👤 not_your_vase Accepted Answer ✓
It's important to realize that for banks IT is a cost center. They spend only the absolute minimum for IT, because they don't make money with it. I have learned it the hard way, by working for some of them (though I must admit, not in the US). They only spend the absolute minimum on anything IT-related - if most customers don't complain about it, and auditors are happy, then it means that it is just perfect.

👤 D7wEQ
I think it's both the security vs availability balancing act and the view of IT as a cost center.

From a cynical, cost-oriented point of view, they don't care how free LinOTP, PrivacyIDEA, or any of the libraries that implement TOTP are. They're starting a death march project to license the most expensive proprietary software they can get, then spend a truckload of money on consulting/contractors to finish the job, and finally bleed money on a bunch of maintenance contracts. Once it's in place, they have to deal with the support burden of helping people recover their accounts. Much of that is transferred to email/phone providers since for the average person, it takes a special kind of negligence to irrecoverably lose an email address or phone number. TOTP seeds and backup codes are a bit easier to lose.

On the more optimistic side, it's probably a coverage and time thing. My guess is that around when banks started to get interested in securing their on-line banking offerings it was in that time before smartphones were widespread and OTPs required physical tokens. IIRC HOTP and TOTP didn't get standardized as RFCs until 2005 and 2011 respectively. Smartphone penetration wasn't at 50% in the US until around 2013. While TOTP would be objectively superior, mail/SMS two-step is better than single-factor auth, so the banks probably just went with what they felt would remove the most barriers to adoption. Plus the sales and marketing people (NOT cost centers) would have been sending emails and texts out to people for years already.


👤 kobalsky
Wells Fargo's CEO portal gives you a choice between their app and hardware RSA tokens; I have one with their logo, like this: https://decovar.dev/blog/2018/09/09/wells-fargo-2fa/

👤 Xorakios
Most banks can't use TOTP because union agreements prohibit their members from using it.

Schools First in California, City National Bank of Beverly Hills, and all military credit unions use TOTP.


👤 garbagecoder
But what’s in the USAA app is TOTP…

👤 4hEn
Maybe banks want a phone number they can track.

👤 Spooky23
Email and SMS are legacy. Some banks do use TOTP the same way.

The issue with TOTP is that it’s a shared secret, not a second factor. TOTP auth is two step.