It's 2025–Why Are Banks Still Getting Authentication So Wrong?

Summary

13 May, 2025

While recently traveling to the U.S., I was completely locked out of my TD Personal Banking account. TD relies heavily on SMS-based two-factor authentication (2FA) for customer logins. I had, quite reasonably, disabled my Canadian SIM to avoid the usual price gouging and roaming charges. Luckily, I had their proprietary “TD Authenticate” app installed, thinking it would serve as a viable alternative. But when I opened TD Authenticate, I had been logged out, and logging back in required, you guessed it, an SMS message to my now-inaccessible Canadian number.

I had the authentication app. I had my credentials. But the system’s design created an inescapable catch-22. This is a textbook case of security punishing the user instead of protecting them. TD doesn’t offer TOTP support. No passkeys. No fallback email verification. Just a fragile, closed loop with a single point of failure, and one that failed entirely in a very foreseeable scenario.

Despite years of progress in digital identity and authentication standards, many Canadian financial institutions remain stuck with brittle, outdated authentication flows that fail from both a security and usability perspective. In the case of SMS-based 2FA, it isn’t just inconvenient, it’s actively harmful.

The Problem With SMS-Based 2FA

SMS has long been discredited as a secure second factor. As far back as 2017, NIST explicitly discouraged the use of SMS for delivering one-time codes, and CISA describes it as a “last resort MFA option” and a “temporary solution while organizations transition to a stronger MFA implementation.” The problem is that SMS-based 2FA leaves users vulnerable to cyber-attacks, as threat actors can exploit protocol vulnerabilities and use social engineering to:

- Intercept 2FA codes sent via text messages.
- Take control of a user’s phone number with a SIM swap.
- Trick the user into revealing their 2FA code with phishing.
In 2023, the Canad...
