
This is no excuse for not offering it. And no, SMS must NOT be a backup that's always available; as the article points out, its availability for use is a security hole.

If you can’t access your actual 2FA there should be an option for the bank to have it call that registered number and ask you “Hey this is (Bank). Are you trying to log in right now from Moscow on a Windows 10 PC using Firefox? If so, please call the number on the back of your card, hit 9, put in your SSN, then we’ll turn off 2FA for one login and let you add a new one. Btw if it is not you, your password is definitely compromised.”



> “Hey this is (Bank). Are you trying to log in right now from Moscow on a Windows 10 PC using Firefox? If so, please call the number on the back of your card, hit 9, put in your SSN, then we’ll turn off 2FA for one login and let you add a new one. Btw if it is not you, your password is definitely compromised.”

Stop, do not pass Go, do not collect $200. Having someone call and ask for your SSN is a non-starter.

And in what world is SMS not available but being able to call that same phone is?


> Having someone call and ask for your SSN is a non-starter.

That's not what he said. This hypothetical robocall would simply instruct you to call a different (known good, printed on your card) number to authenticate, at which point you know who's on the line.

> And in what world is SMS not available but being able to call that same phone is?

It's a good point about the robocall notification itself, but I imagine this kind of system wouldn't even need that to work in order to function. What actually unlocks your account is calling the bank's system and inputting your SSN; you could preemptively do it from another phone if you know you lost your 2FA codes and are trying to log in.

This person's idea would replace your phone number being your authentication with your phone number simply being used for a notification, shifting the actual authentication to something the bank already knows but that someone who stole your credit card (and maybe your phone along with it) wouldn't inherently have. I got a bad whiff from it at first, but after thinking about it a little more, I think it's a good idea.


Recovery codes are an option, for one.

Since we're talking about a legacy bank here, going to a branch and proving your identity is an option.

Worst case, you could always call and speak to a human who will do whatever verification they do if you forgot your password, which is functionally equivalent.


Do TOTP authentication apps typically provide a recovery codes option? Can they squash all of the added TOTP codes you have in the app into one code?
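Recovery codes as discussed above are normally issued by the service, not by the authenticator app: the server keeps hashed single-use codes next to the TOTP secret and accepts either. The following is an added illustration (not code from the thread or any bank) of that server-side flow; the user record, secret and code format are constructed for the demo.

```python
import hashlib, hmac, secrets, struct, time

def generate_recovery_codes(n=8):
    """Return plaintext codes (shown to the user once) and hashes to store."""
    codes = [secrets.token_hex(5) for _ in range(n)]  # 10 hex chars each
    stored = [hashlib.sha256(c.encode()).hexdigest() for c in codes]
    return codes, stored

def totp(secret: bytes, t=None, step=30, digits=6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for a given Unix time."""
    counter = int((time.time() if t is None else t) // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return str(code).zfill(digits)

def verify_login(record: dict, submitted: str, now=None) -> str:
    """Try the TOTP code first, then fall back to a recovery code.
    Returns 'totp', 'recovery' or 'denied'. A matched recovery hash is
    deleted so the same code cannot be replayed; the remaining count tells
    the service when to prompt the user to regenerate the set."""
    now = time.time() if now is None else now
    for drift in (-1, 0, 1):  # tolerate one step of clock skew either way
        expected = totp(record["totp_secret"], now + drift * 30)
        if hmac.compare_digest(expected, submitted):
            return "totp"
    digest = hashlib.sha256(submitted.encode()).hexdigest()
    for i, stored in enumerate(record["recovery_hashes"]):
        if hmac.compare_digest(stored, digest):
            del record["recovery_hashes"][i]
            return "recovery"
    return "denied"

def new_record():
    """Constructed demo user: fresh TOTP secret plus a set of recovery codes."""
    codes, hashes = generate_recovery_codes()
    return codes, {"totp_secret": secrets.token_bytes(20), "recovery_hashes": hashes}
```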



