So, my bank just required me to set up 2FA, which is fine... except that they did not give me any recovery codes. Nor have they provided me with any obvious means to obtain any.
in reply to Jonathan Lamothe

Have confirmed with them that recovery codes are just not a thing they support. Why are banks so consistently terrible at infosec?
in reply to Jonathan Lamothe

Oh hang on, it gets better.

Apparently signing into the app on my phone using biometrics seems to bypass 2FA. 🤦‍♂️

in reply to Jonathan Lamothe

My bank required me to set up 2FA. Via SMS. Only method available! So I did, but I wrote to an old friend (who happens to be their chief data architect) explaining why SMS was not the way to go. She spoke to somebody, and sure enough they soon grew the ability to use an authenticator TOTP in addition to SMS. Only issue now is: NO WAY to remove SMS as a valid method.

At least it doesn't reject a GVoice number, which is way safer than a real SIM-based phone in the wild.