
Interesting, in the European Union SMS tokens are mostly illegal for financial services, because they are not considered safe enough.


It would be lovely to have that in the U.S., but I doubt it will go anywhere anytime soon.

I'm sympathetic to the reasons. The U.S. has a massive population of people who for various reasons will not or cannot adopt methods other than SMS, if that.

Meanwhile you can call up some of our largest financial institutions and impersonate someone with public-record knowledge. Many organizations will allow you to skip any kind of over-the-phone SMS challenge by asking for -more- publicly available knowledge to "better"/further authenticate the caller. And of course all our Social Security Numbers are effectively all out there, and those are still the de facto identifier where a phone number is not.

I used to do business with Vanguard. Several years ago they rolled out U2F-then-WebAuthn support so you could use a Yubikey or other FIDO2 compliant token as your MFA method. They allowed you to disable SMS MFA if you did that. I happily enabled that. Within two years, they re-introduced a requirement to enroll a number for SMS MFA on the grounds that their mobile app only supported codes delivered by SMS, and there was no opt-out. If you didn't enroll a number you'd be locked out and have to call customer service to add a number and reset your password.


Still funny to hear that everyone in the US has a social security number, although there is no public healthcare for everybody. And I always thought it's the land of unlimited freedom; that doesn't seem to apply to privacy.

I have a social security number too, but I need it to get free (actually less expensive) healthcare. Not for opening a bank account. I think in my country nobody except health care is allowed to process social security numbers, because it's considered private information. They are not allowed to store them. If they get them by accident they need to delete them ;)


That's either recent or wrong, I'm in the UK and certainly they're not new since 2019 or whenever we left (I was going to say 16 but I realised that was the vote not actual exit, but longer than that anyway).


I think the last extended deadline of PSD2 was end of 2020, so after Brexit.

And it's not unheard of that some countries just ignore EU regulations. Especially if they are going to exit the EU before they can be fined ;)


We have PSD2 though; I think we're voluntarily (or perhaps conditionally, as part of the exit negotiation) signed up to it anyway, perhaps so that 'open banking' still works internationally?

Just from a cursory 'psd2 sms multifactor' search, I can't see anything definitively saying it's not allowed though? I can see 'must use secure MFA' (implying it might be pretty open to interpretation) and blogspam type sites saying 'the short answer is yes [SMS can be used]' or 'can be as simple as implementing SMS and voice'.

This one seems reasonable - https://www.onespan.com/blog/psd2-end-sms-based-authenticati... - and though his opinion is that it's not up to scratch, it does make it seem like it comes down to interpretation and your willingness to defend your position. Unless you know that it literally says 'must not use SMS' now?

Two examples I can think of are Santander, and NS&I (run by UK gov). The latter might not be a 'payment service' though I suppose (savings accounts only). I think NewDay (rebadged credit card aaS provider) too.


I can clearly assert that this is not the case in all the European countries where I have bank accounts.



