
I absolutely cannot stand that no bank I have (US) supports generic TOTP, which is more secure and easier to recover from backup if my phone is broken or stolen.

It's inexcusable.



This is probably compliance-related. For me, TOTP isn’t “something I have”, it’s another thing I toss into my password manager and sync to all devices.

I really agree with it, but that’s probably their rationale.


Banks didn't support TOTP long before we were able to easily sync them across devices. It's likely more along the lines of banks generally have bad IT departments and outdated digital security policies.


The real problem is not having a (trusted) way of seeing what you are consenting to by entering a TOTP (which can be phished).

SMS-OTP, with all its downsides, allows attaching a message of who you're paying how much to the actual code.


That same rationale wouldn't support SMS as "something I have." iMessage and other solutions easily spread SMS into cloud and PC lands (ones that are more easily accessible than password managers.) More likely it's because of legacy and "good enough" reasons.

Personally I don't put TOTP tokens into my password manager and keep a dedicated app for it, just in case my password manager is pwned.


I'm not really defending it, I'm explaining the mentality. iMessage is probably closer to "something I have" but yeah, often not true for many American users.

I'd probably keep a TOTP app if I actually brought my cell with my everywhere but I really don't feel like it; if I'm heading to a cafe to work for a bit I might need to access something and can't be bothered to bring two devices.

Plus, people increasingly access stuff from cell phones, so it's not a guarantee of "something you have" anymore. And no shot we're convincing everyone to start carrying some kind of hardware token.

You have to remember that cybersecurity is driven not so much by what is secure as by what is compliant, and increasingly so.


I do the same, and it somewhat defeats the spirit of 2FA, but I still believe it's more secure. It's basically a second password where intercepting it in transit once isn't enough to be able to repeat the login in the future.


One time password.

Yes, a digital OTP generator is more susceptible in theory to theft or duplication than a hardware token.

Yes, the benefits of digital OTP are great compared to password only, more secure than SMS, and trivial to implement.


There are hardware TOTP tokens that don't allow export of the secret, that makes them something you have. For example:

https://en.wikipedia.org/wiki/Digipass


My bank sends me 2FA codes in their app, which I then have to type into... their app. No kidding. Both the key and the validation in the same place, really ridiculous. Even something as crap as SMS 2FA would be better. TOTP or FIDO2 would be miles better.


TOTP is alright for logins, but it's generally very phishable. For transaction confirmation, not being able to tie a code to a given recipient and amount is somewhat of a dealbreaker.
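The two claims in this thread, that an intercepted TOTP cannot be replayed later and that TOTP is nonetheless phishable because the code says nothing about what it authorises, can both be shown in a few lines. The following is an added example, not code from any poster or from any bank: it implements RFC 4226 HOTP and RFC 6238 TOTP with the RFC test-vector seed (a constructed secret, not a real account's), a server-side verifier that refuses to accept a time step twice, and a transaction-bound code in the spirit of OCRA (RFC 6287). The `transaction_code` message layout, the `TotpVerifier` class, the account labels and the timestamps are illustrative assumptions, not any RFC's or bank's exact format.

```python
import hashlib
import hmac
import struct

# Constructed demo seed: the RFC 4226/6238 test-vector secret, not any real account's.
SECRET = b"12345678901234567890"
STEP = 30


def truncated_code(secret: bytes, message: bytes, digits: int = 6) -> str:
    """HMAC-SHA1 over message, then RFC 4226 dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(secret, message, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: the message is the 8-byte big-endian counter."""
    return truncated_code(secret, struct.pack(">Q", counter), digits)


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


def transaction_code(secret: bytes, counter: int, recipient: str, amount_cents: int) -> str:
    """Code bound to what the user was shown (recipient and amount), in the spirit of
    OCRA (RFC 6287). Illustrative message layout (assumption), not the RFC's DataInput."""
    message = (struct.pack(">Q", counter)
               + recipient.encode("utf-8") + b"\x00"
               + struct.pack(">Q", amount_cents))
    return truncated_code(secret, message)


class TotpVerifier:
    """Server-side check over a +/-window of time steps with replay protection:
    once a time step has been accepted it is never accepted again."""

    def __init__(self, secret: bytes, step: int = STEP, window: int = 1):
        self.secret = secret
        self.step = step
        self.window = window
        self.last_counter = -1  # highest time step consumed by a successful login

    def verify(self, code: str, unix_time: int) -> bool:
        now = unix_time // self.step
        for counter in range(now - self.window, now + self.window + 1):
            if counter <= self.last_counter:
                continue  # this step was already used: treat a matching code as a replay
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False


def replay_outcomes(unix_time: int = 59):
    """A captured TOTP works once; replaying it, immediately or later, fails."""
    bank = TotpVerifier(SECRET)
    captured = totp(SECRET, unix_time)
    first = bank.verify(captured, unix_time)               # genuine login
    replay_now = bank.verify(captured, unix_time + 10)     # same step, already consumed
    replay_later = bank.verify(captured, unix_time + 300)  # ten steps later, outside window
    return first, replay_now, replay_later


def relay_attack_outcomes(unix_time: int = 1_700_000_000):
    """Real-time phishing relay: the attacker forwards the victim's fresh code within seconds."""
    bank = TotpVerifier(SECRET)
    # Victim types the current code into a phishing page; the attacker submits it to the real
    # bank while requesting a transfer to their own account. The code carries no transaction data.
    stolen = totp(SECRET, unix_time)
    plain_accepted = bank.verify(stolen, unix_time + 5)

    # With a transaction-bound code the victim's device signs what the victim saw; an attacker
    # who swaps the recipient in the request needs a code for a different message.
    counter = unix_time // STEP
    victim_code = transaction_code(SECRET, counter, "acct:landlord-0001", 85_000)   # constructed
    attacker_expected = transaction_code(SECRET, counter, "acct:attacker-9999", 85_000)
    bound_accepted = hmac.compare_digest(victim_code, attacker_expected)
    return plain_accepted, bound_accepted


if __name__ == "__main__":
    print("replay (first, immediate replay, later replay):", replay_outcomes())
    print("relay (plain TOTP accepted, bound code accepted):", relay_attack_outcomes())
```

`replay_outcomes()` returns `(True, False, False)`: the intercepted code is good for one login and then dead, which is the "second password that can't be reused" property. `relay_attack_outcomes()` returns `(True, False)`: the same verifier happily accepts a code relayed in real time, because nothing in a TOTP ties it to a recipient or amount, whereas the bound code for the tampered transfer no longer matches. The binding only helps if the recipient and amount are shown to the user on a channel the attacker cannot rewrite, which is the point made about SMS-OTP carrying the payee and amount in the message.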


Fwiw, Symantec VIP is TOTP under the hood, and you can extract the seed with some hackery. There is at least one financial institution in the US that uses that.


Charles Schwab uses this. I was able to extract the TOTP secret during the setup process to use in my preferred auth app.


USAA. Better than nothing, but since it doesn't do push notifications it's a needlessly proprietary piece. It's probably a combination of legal and a slow IT infrastructure.


TOTP is only marginally more secure. It defends against sim swaps but it still loses to phishing, which is far more common than sim swaps.


But it is easier to backup and restore, is accessible without a phone, and can be used without cell service.


Those are usability benefits rather than security benefits and I really don't know if I'd use the word "inexcusable" for this difference.

And for the vast majority of people, sms is much easier to backup and restore than totp because there is an infrastructure to help them do so.


Although they don't offer TOTP, I've noticed growing support for Passkeys which is a step in the right direction.


My brokerage supports TOTP but not my bank. My bank does support Yubikey-type devices though.


Vanguard supports Yubikeys. I've yet to use a bank (~8 of them so far) that supports anything other than SMS.


There is at least one major US bank that supports Yubikeys and a different major one that supports (with some convincing) a phone notification-based second factor.


Copper State Credit Union supports passkeys.



