Just wondering, TOTP/2FAs are very important.
While logging into your bank account, they send an OTP through SMS, where SIM swaps and SMS can be hacked.
So, if not for everyone, why is there no option for us to opt for a TOTP kind of authentication like Authy/Google Authenticator etc. (in banks and other financial institutions)?
Isn’t this safer?
I don’t know why they don’t but here is my reasoning…
2FA via authentication through apps can’t be implemented for all users, as many bank a/c holders don’t have smartphones. Senior citizens and a few others might not be comfortable and quick enough to read, verify and enter the TOTP from the app in less than 1 min.
There is a legal issue of storage of this confidential data and the storage location (some apps store and sync the seed data). Once data is saved, the accuracy, availability and security of the data is beyond the control of the user and also of the bank. The algorithm used by the apps, their implementation and frequent bug fixing will be controlled by the app provider.
This might result in locking the user out from access. This causes panic and loss of reputation for the bank.
Few banks tried this approach using their own app or separate TOTP devices. But the price tag of ~Rs.1000 for a TOTP device limited the popularity.
Many banks use the security questions approach for their MFA (Multi-Factor Authentication). And they think it is secure enough.
Besides, any problem/bug in these authenticator apps can bring the system to a halt. People might not be knowledgeable enough to detect and understand that there might be a bug within the app, and instead might flood the bank helpline. Whereas in an SMS based TOTP system the bank can resolve the issue and resend a new TOTP.
YES, this SMS based OTP authentication is insecure and vulnerable to hacking.
So, in short, banks have an SMS based system and they don’t want to change it, because change will require additional work, they will have to answer legal questions and they will also have to educate their customers.
Their philosophy might be: if it ain’t broke, don’t fix it.
BTW, there is an idea I have which is related to this problem. Anyone having sufficient knowledge in implementing it should give it a try.
The major problem the customers of banks and other services storing confidential data are facing is social engineering scams, where scammers call customers and ask for things like the OTP or debit card details etc. Right now there is no way to cross-verify whether the caller is actually an employee of the company you have an account with or a scammer/con-man/woman. (As someone mentioned earlier to me, ICICI bank notifies their customers if they are going to call. But then again that is not a solution: if they text the notification, there are already instances of many scams using similar looking bulk SMS IDs, and if they call to notify, then we are back to our original problem.)
The solution can be a kind of Reverse 2FA system, where the bank can add an authentication facility in their Internet Banking app or a standalone app. In this, the caller provides the customer a 6/8-digit code which one can enter in their app and verify. I wouldn’t go into the details of implementation or the use of a public key pair.
To use this facility the bank can use a common seed to generate TOTPs at both ends (on their side and in their app) continuously, and when one receives a call from the bank he/she can just match the code.
A 2nd way might be fixing and publishing their telephone numbers used for contacting customers on their website and in their app. But this might not work today as banks use VoIP or web based systems.
I advise my parents to gather info about the issue, don’t give any info, hang up, and call the local bank manager to determine and if true, resolve the issue.
Then being senior citizens help