It worked for every single card-issuing bank in Europe.
SMS are fortunately both expensive enough there to make them uneconomical for banks to use them as an OTP factor, and have been found too insecure for payment authentication by themselves, requiring a second factor.
This has practically lead to banks offering something more secure and/or ergonomic, e.g. bank-specific authenticator apps (which often work without internet, and always work without cell signal, e.g. when traveling internationally), hardware authenticators, WebAuthN etc.
> Let’s get cellular carriers to make SIM swapping harder.
No, let's get financial companies to step up their game and offer something not liable to both security breaches and locking out users (when traveling, losing access to their number etc.)
I wouldn't generalise an entire continent like that. Both my Bulgarian and Austrian bank accounts have SMS-based 2FA on online transactions and logins. Some banks in Bulgaria allow to use eSignatures as 2FA but afaik that has seen tiny adoption in the consumer space.
I don't know about Bulgaria, but in Austria, verification apps are very popular and I don't know many banks that still allow SMS-OTP for e.g. 3DS authentication or online banking transaction confirmation.
No bank is using (only) SMS as an authentication factor for 2FA. It's not allowed under the EBA's technical interpretation of the PSD2 regulation. Some banks do still allow it as a fallback option, together with another factor, e.g. a password or other knowledge factor.
My bank even made it a paid service, which I fully support – SMS is extremely overpriced.
I'm in the UK, so our implementation of the PSD2 regulation may be a bit different (in came in while the UK was leaving the EU), but I get SMS 2FA codes from American Express all the time in the 3D Secure process.
Some banks do still allow SMS by itself as the only authentication factor (presumably because they haven't got around to updating their solution or maybe think they've found a workaround), but it's not compliant with the PSD2 regulation in the EU at least. The solutions I've seen usually use a password or security question as the other factor.
SMS are fortunately both expensive enough there to make them uneconomical for banks to use them as an OTP factor, and have been found too insecure for payment authentication by themselves, requiring a second factor.
This has practically lead to banks offering something more secure and/or ergonomic, e.g. bank-specific authenticator apps (which often work without internet, and always work without cell signal, e.g. when traveling internationally), hardware authenticators, WebAuthN etc.
> Let’s get cellular carriers to make SIM swapping harder.
No, let's get financial companies to step up their game and offer something not liable to both security breaches and locking out users (when traveling, losing access to their number etc.)