There's a landlord/apartment portal where the whole login process has changed to be:
1. Enter username (e.g. an email)
2. Choose from either email or SMS on file
3. Enter the code you got somehow through the respective unencrypted channel
Given that this same site is involved with bank-account details for payment, I am concerned...
It’s really rich when banking/finance apps are fully happy doing 2FA to the phone when using its own browser…
Yeah — loose the phone and it’s pretty much game over.
I don't think it should be the sites' responsibility to guess whether the browser session is the have device will receive an SMS message... The fact that it is SMS is already bad anyway.
Time-code apps or passkeys are a different story.
1. You should be able to make backups.
2. There's nothing to intercept in plaintext.
3. The all can (unlike SMS features) be locked down by default and require a second layer of unlocking, so that they usually aren't accessible to someone who grabs your phone out of your hand.
It absolutely should be the Bank's concern when this is how 99% of their customers will use it. Some even have deliberate integration between the baking and 2FA apps.