
Is there a US bank (national, not a local credit union) that allows you to use TOTP, U2F and backup codes as your sole 2FA sources? Heck, the US Government lets you do it now (https://login.gov), you think that BofA would...



> https://twofactorauth.org/#banking

Looking at that link, pretty much none of the major US banks (Bank of America, US Bank, Wells Fargo, PNC, Chase, etc.) seem to support software 2FA token solutions (e.g., Google Authenticator, Authy, etc.). Not gonna lie, this is abysmal.


My understanding from the situation has been that banks don't care because in a checking/savings account, it's your money getting stolen, not theirs.

For credit cards with awful security, they don't care because the money they get from making it easy to sign up and use their services is far, far greater than the costs of dealing with fraud.

How accurate is this hypothesis of mine? It really can't be an education thing because I'm sure these companies have great engineers working there, both at the lower ranks and (at least sometimes) in upper management.


The vendors foot the bill for credit card fraud, and end up paying transaction fees both ways. I used to work for a company whose website was found by some entity in the stolen credit card ecosystem to be convenient for making small purchases to validate stolen cards. The bank / credit card processor was in a much better place to make fraud decisions, and yet somehow all of the risk was on us and the credit card processors actually made better profits due to the fraud. Incentives are badly aligned.


In most cases checking/savings account hijacking would have little or no loss to the customer (usually there is a time frame the loss has to be reported by and there may be a low minimum fee of $50 or so).


There would be no raw financial loss at the end of the day, but there sure is a lot of time loss involved for both parties. It's gotta cost a non-zero amount of money to deal with all those issues, while with a proper 2FA all those costs would be pretty much cut to zero.


That was my point. The customer won't pay for any financial loss, so therefore the financial institution would.


Robinhood impressed me by supporting both strong passwords AND 2FA with Google Auth. They haven't rolled out cash management accounts yet but I think they will be my financial center once they do.


I think Fidelity does allow this, but I haven't bothered with it since I use a password manager.

Fidelity has a brokerage account, free checks, free ATM withdrawals via debit card, maybe also your 401k, free money wires, automatic investment etc.

The only thing they don't have are branches where you can deposit cash, but that's really never necessary - in an extreme case you can open another bank account, deposit cash, transfer to fidelity and immediately close it.

I'm not sure why anyone uses a bank other than Fidelity.


Fidelity does it through either SMS or Symantec’s Validation and ID Protection (VIP) Access app. I called and asked if they support another app and they said they don't. Why they couldn't use another (read: non-Symantec) 2FA is beyond me.


Symantec's VIP is so weird. I can't wrap my head around needing to provide the unique ID to set it up. How is that generated by the phone?


Ah that's lame, I saw the 2FA app support and assumed it would be any app.


I believe SoFi allows TOTP (full disclosure: I used to work there but not on 2fa)


Both USAA and Navy Fed allow this as well as Schwab.


I just went and checked because I was excited to set this up. Navy Federal has email, SMS and OTP through their app. USAA has email, SMS and OTP through their app or Symantec VIP. I wish either one would allow the use of U2F or TOTP.


radiusbank.com does.



