
Why haven't you gotten the hell out then?


Is there a US bank (national, not a local credit union) that allows you to use TOTP, U2F and backup codes as your sole 2FA sources? Heck, the US Government lets you do it now (https://login.gov), you think that BofA would...



> https://twofactorauth.org/#banking

Looking at that link, pretty much none of the major US banks (Bank of America, US Bank, Wells Fargo, PNC, Chase, etc.) seem to support software 2FA token solutions (e.g., Google Authenticator, Authy, etc.). Not gonna lie, this is abysmal.


My understanding from the situation has been that banks don't care because in a checking/savings account, it's your money getting stolen, not theirs.

For credit cards with awful security, they don't care because the money they get from making it easy to sign up and use their services is far, far greater than the costs of dealing with fraud.

How accurate is this hypothesis of mine? It really can't be an education thing because I'm sure these companies have great engineers working there, both at the lower ranks and (at least sometimes) in upper management.


The vendors foot the bill for credit card fraud, and end up paying transaction fees both ways. I used to work for a company whose website was found by some entity in the stolen credit card ecosystem to be convenient for making small purchases to validate stolen cards. The bank / credit card processor was in a much better place to make fraud decisions, and yet somehow all of the risk was on us and the credit card processors actually made better profits due to the fraud. Incentives are badly aligned.


In most cases checking/savings account hijacking would have little or no loss to the customer (usually there is a time frame the loss has to be reported by and there may be a low minimum fee of $50 or so).


There would be no raw financial loss at the end of the day, but there sure is a lot of time loss involved for both parties. It has got to cost a non-zero amount of money to deal with all those issues, while with proper 2FA all those costs would be pretty much cut to zero.


That was my point. The customer won't pay for any financial loss, so therefore the financial institution would.


Robinhood impressed me by supporting both strong passwords AND 2FA with Google Auth. They haven't rolled out cash management accounts yet, but I think they will be my financial center once they do.


I think Fidelity does allow this, but I haven't bothered with it since I use a password manager.

Fidelity has a brokerage account, free checks, free ATM withdrawals via debit card, maybe also your 401k, free money wires, automatic investment etc.

The only thing they don't have are branches where you can deposit cash, but that's really never necessary - in an extreme case you can open another bank account, deposit cash, transfer to fidelity and immediately close it.

I'm not sure why anyone uses a bank other than Fidelity.


Fidelity does it through either SMS or Symantec’s Validation and ID Protection (VIP) Access app. I called and asked if they support another app and they said they don't. Why they couldn't use another (read: non-Symantec) 2FA is beyond me.


Symantec's VIP is so weird. I can't wrap my head around needing to provide the unique ID to set it up. How is that generated by the phone?


Ah that's lame, I saw the 2FA app support and assumed it would be any app.


I believe SoFi allows TOTP (full disclosure: I used to work there, but not on 2FA).


Both USAA and Navy Fed allow this, as well as Schwab.


I just went and checked because I was excited to set this up. Navy Federal has email, SMS and OTP through their app. USAA has email, SMS and OTP through their app or Symantec VIP. I wish either one would allow the use of U2F or TOTP.


radiusbank.com does.


Honestly, what is a good US bank that has a great web/mobile experience, a large financial offering (checking, credit, savings, investment, etc.), great customer support, a good presence internationally, reasonable fees and no hidden fees... wait, there is none.


Schwab? I've been using them for about 2 years and have no complaints now.



I don't think it's fair to assume weaknesses from 6 years ago still persist.

* I just tried to login with the first 8 characters of my password and it was not successful.

* Also this password is autogenerated and contains plenty of special characters.

* Their 2FA system no longer depends on the concatenation of password + token.

Also this reminds me of another HN discussion[1], which basically boiled down to the question of "Do you really think the only thing the bank does to log people on is to check the username and password?" I certainly hope not.

[1] - https://news.ycombinator.com/item?id=20998548


Robinhood for checking/direct deposit/ATM access and small DIY investments, Wealthfront for retirement accounts and savings/emergency fund, Apple Card for payments. Beautiful interfaces, non-SMS 2FA on all, fantastic customer service. I do this and I can’t think of anything else I’d need. The only fee I pay here is Wealthfront’s 0.25% management fee, but I don’t mind since it’s such a great service.


Robinhood is a brokerage but they deposit uninvested balance into normal banks so they are FDIC insured and pay interest, and you get a physical MasterCard debit card. Used to be 1.8% but the coronavirus happened and now it's 0.3% :(

They use normal TOTP for 2FA so it'll work with whatever authentication software you use.

However they follow the modern tech trend of not having live tech support; you have to email them for support. But I've heard response times have gotten better recently.

I moved most of my money into RH for the interest, but still maintain Chase checking and credit card accounts. For something as important as banking, there's no substitute for having tons of physical locations with humans. For example, I recently went to the bank to deposit tax refunds, which were not 'normal' checks. I don't think you can even deposit normal checks into RH. And I trust Chase's fraud protection systems more than RH's.


They all fit that description. If you're rich.

Put a few hundred thousand in the bank and you'll get all that stuff for free!


It's the same bank that doesn't send you spam emails, which get you used to receiving unsolicited communication from your bank. These emails make it easier to sneak in phishing emails. That's why I use that bank.


USAA fits that bill for me.


Isn't USAA restricted to military or spouse/child of military?


For insurance and banking I think, but not for investing and maybe some other services, it seems.


Correcting myself in case anyone reads this: that seems to have been true in the past, but they are moving investing to Charles Schwab and Victory Capital (separate companies). So long-term I wish I knew if that is nearly as good as not in the ways that matter for this discussion.

https://debtfreegeek.org/2017/09/22/become-usaa-member-even-...

https://www.usaa.com/inet/wc/investments-update?akredirect=t...



