And yet my bank (Chase) only supports email and SMS 2FA with no option for OTP/TOTP. Is this just an institution dragging their feet, or are there more regulatory reasons why they won't allow more secure authentication?
At least they offer codes via email. I can (and do) secure access to my email account and domain registration with a very long password and a Yubikey. That’s “good enough” for my purposes.
Absolutely, a state-level opponent could get up to some shenanigans, though I would argue that a state has much easier methods to go cracking into my Visa card. My threat model doesn't include nation states targeting me specifically because, simply, if one comes after me I am screwed anyway.
As for email being unencrypted, I think most of it now is encrypted during transit (thanks to the Big Two providers knocking points off a spam score if a message does come via TLS) and even if it weren’t the password is also not known so the second factor is not useful. For example, I just tried to log in to chase.com and the code they emailed me at 1752 MST is 067315.
If I’ve been phished so hard that posting this is useful, again I’m screwed.
For anyone who wants a US bank with TOTP, Schwab works! I was pleasantly surprised to discover this. It uses some Symantec stuff (as did PayPal earlier), but it's TOTP underneath and can be used with any TOTP app.
Port a number to GV; it will work, but you are at risk of losing it if you don't log in often enough. I lost an important number that way (along with my grandfathered free Google Apps account for my domain).