Ask HN: Why doesn't any US bank use TOTP MFA? (2024)

It's important to realize that for banks IT is a cost center.

Sorry, that argument doesn't float in the overall scheme of things.

TOTP is easy to implement, more secure and costs less to operate than SMS verification --- which is widely supported by banks and in many cases is really nothing more than TOTP codes transmitted across the cell network.

If IT cost was really the issue, TOTP would likely be the universal default option.

> It's important to realize that for banks IT is a cost center

Is this a US phenomenon? Where I live, banks are routinely promoting how they are more modern due to their tech. It's far from a cost center and has been like that for at least 2 decades now.

It's important to realize the time value of money.

"Tech" means faster, easier transfers and processing. This is great for consumers --- but not so great for banks.

Banks make a lot of money from "float" --- the lag time between the initiation of a transaction and it's actual completion. The delay between the point in time where money is withdrawn from the sender's account until it is actually credited to the receiver's account. In many cases, this is a day or more in the US.

Bottom line --- most US banks have billions of dollars just "floating" on their books --- continuously. This is someone else's money that the *bank* can earn free interest on.

"Tech" (aka instant transactions) threatens to eliminate this source of income for banks.

> ... <insert nefarious conspiracy here>

... retain customers and their money within bank accounts so they can lend it out and make money off of it.

Turns out it's not very nefarious, just normal profit motive. Banks make money with Zelle that they'd lose if you Venmo'd money to your fitness instructor who kept it in their Venmo rather than immediately depositing it into a regular checking account.

Do people actually have nefarious conspiracy theories about Zelle?

Have you tried to use it?

I know the link is there, but last time it took me to pages where you were instructed to install the app

There's verbiage all over the site about a "new look" so maybe it is rolling out slowly to sections of the customers.

Mine currently looks like this: https://imgur.com/a/iFDVVwl

I think it's both the security vs availability balancing act and the view of IT as a cost center.

From a cynical, cost-oriented point of view, they don't care how free LinOTP, PrivacyIDEA, or any of the libraries that implement TOTP are. They're starting a death march project to license the most expensive proprietary software they can get, then spend a truckload of money on consulting/contractors to finish the job, and finally bleed money on a bunch of maintenance contracts. Once it's in place, they have to deal with the support burden of helping people recover their accounts. Much of that is transferred to email/phone providers since for the average person, it takes a special kind of negligence to irrecoverably lose an email address or phone number. TOTP seeds and backup codes are a bit easier to lose.

On the more optimistic side, it's probably a coverage and time thing. My guess is that around when banks started to get interested in securing their on-line banking offerings it was in that time before smartphones were widespread and OTPs required physical tokens. IIRC HOTP and TOTP didn't get standardized as RFCs until 2005 and 2011 respectively. Smartphone penetration wasn't at 50% in the US until around 2013. While TOTP would be objectively superior, mail/sms two-step is better than single factor auth, so the banks probably just went with what they felt would remove the most barriers to adoption. Plus the sales and marketing people (NOT cost centers) would have been sending emails and texts out to people for years already.

Wells Fargo’s CEO portal gives you a choice between their app and hardware RSA tokens, I have one with their logo like this https://decovar.dev/blog/2018/09/09/wells-fargo-2fa/

Most banks can't use TOTP because union agreements prohibit their members from using it.

Schools First in California, City National Bank of Beverly Hills, and all military credit unions use TOTP.

True, it's the closest I've seen. Actually yes, it is TOTP though on the backend it's Symantec VIP.

Which makes it the best out of the bunch by this metric. But why not a generic TOTP like any other site?

My broader point is about how simple and generic and yet effective this tech is. Every bank has a proprietary or inferior form of 2FA. In 2023, I'm surprised it isn't more advanced.

Email and SMS are legacy. Some banks do use TOTP the same way.

The issue with TOTP is that it’s a shared secret, not a second factor. TOTP auth is two step.