My bank uses the banking app for auth if I try and login via a browser.

Barclays in the UK offer (or used to) a hardware device with a keypad allowing the user to do a challenge-response using the bank card's chip and PIN. Not sure if they still do, though.

Edit: https://en.wikipedia.org/wiki/Chip_Authentication_Program

What if one doesn't own an android/iphone device? Banking is a fundamental need, so most countries regulate them to cater to a wide range of users. In this case it's possible that the bank could be compelled to provide you a 2FA device if you don't have one.

I don't think there is such regulation. Many banks simply do not have any other means of authentication any more. They can't give out 2FA devices because their systems just don't support them.

Good luck with that, in Germany many public transport operators are moving into app based tickets for the monthly/yearly subscriptions.

You can still get a plastic card, however it requires paying extra and some additional forms, the reasoning being it is not environment friendly.

Do they offer a physical 2FA device? Mine does and it's really useful

Unfortunately the EU regulation makes the truly user controlled 2FA methods essentially non-compliant.

https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...

> Article 7 Requirements of the elements categorised as possession

> 1. Payment service providers shall adopt measures to mitigate the risk that the elements of strong customer authentication categorised as possession are used by unauthorised parties.

> 2. The use by the payer of those elements shall be subject to measures designed to prevent replication of the elements.

This says something along the lines of "it should be hard to extract the TOTP secret".

However if you can get so far as to get the secret from the TOTP app, you can as well back up the entire phone and restore elsewhere, can't you?

No, because phones that lock keys in hardware effectively prevent that, and that works only with hardware that prevents its owners from having full control an doing what they want with their hardware.

"Unextractable keys" works with hardware that you don't "truly own".

What if you truly want the security properties provided by a device which can keep keys in a way where you fully control their use but its extremely hard for anyone to extract them?

I mean case in point, this is exactly what a Yubikey does for people.

> That's because they're stupid or doing something suspicious, probably both

Small comfort for whoever needs to use that bank. This is the disconnect geeks and Free Software needs to bridge to make any headway.

I mean, I concur, but ultimately I can't fix shitty banks being shitty. No geeks can. Banks have been shitty for a long, long time.

Do you know how we usually stop them from being shitty? Forcefully, with legislation.

Sometimes it’s more complicated than that. And the other banks aren’t any less “stupid”.

Lloyds has perfectly good online banking through the browser. there, done the work for you.

Sorry, not available where I live and not the bank I can use for what I need. I won't give personal details but my options were limited for multiple reasons.