Why are banks still getting authentication so wrong?
Published on: 2025-07-12 03:56:11
It's 2025—Why Are Banks Still Getting Authentication So Wrong?
13 May, 2025
While recently traveling to the U.S., I was completely locked out of my TD Personal Banking account.
TD relies heavily on SMS-based two-factor authentication (2FA) for customer logins. I had, quite reasonably, disabled my Canadian SIM to avoid the usual price gouging and roaming charges.
Luckily, I had their proprietary “TD Authenticate” app installed, thinking it would serve as a viable alternative. But when I opened TD Authenticate, I had been logged out, and logging back in required, you guessed it, an SMS message to my now-inaccessible Canadian number.
I had the authentication app. I had my credentials. But the system’s design created an inescapable catch-22.
This is a textbook case of security punishing the user instead of protecting them.
TD doesn’t offer TOTP support. No passkeys. No fallback email verification. Just a fragile, closed loop with a single point of failure, and one that failed entire