
It gets worse: the banks I use have phased out SMS for 2FA. Only using their app on a non-rooted phone is allowed. So getting a dumb phone doesn't work either.





What's even worse is that these bank apps always force an update to the latest version, which also sometimes requires updating the OS of the device. Then you are a captive audience, so they don't care about UX or your experience, so e.g. at my bank confirming an action takes three taps: the "confirm" button inside the app, then a checkbox with some kind of consent they always sneak in (dark pattern), then the "yes" system popup.

SMS for 2FA is being phased out due to security concerns, but I don't get why they aren't using plain TOTP, so you can use any authenticator app you'd like.

My bank did solve the issue in a pretty clever way though. Their phone app is so terrible that I refuse to use it. Sadly their new web version is also terrible, e.g. you can't copy-paste when doing a transfer, so rather than being 100% sure the amount is correct, you get to type it in and double check it.


> but I don't get why they aren't using plain TOTP, so you can use any authenticator app you'd like

Compared to the non-app solutions I'm familiar with in Germany, TOTP lacks at least two things:

1. There are no guarantees as to what happens to the shared secret (whereas at least some of these alternative solutions use your debit card as a smartcard to securely store the secret). From an individual point of view I guess that's perhaps a welcome trade-off (no backup solution except for manually registering a second key everywhere is part of the reason I'm not keen on Yubikeys and the like for replacing all my logins), but banks might have differing opinions.

2. Perhaps more importantly, you can't really authenticate the individual transaction, because the TOTP is only based on the (fixed) shared secret and the current time. The TAN generator solutions I'm familiar with, on the other hand, also include the destination account and sum of money to be transferred in the TAN calculation (and those get displayed for confirmation on the TAN generator's display), so a malicious website impersonating your bank's online banking can't forge those things.
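As an added example (not part of this comment or the thread), here is Python that implements RFC 6238 TOTP beside a hypothetical transaction-bound TAN, to show why only the latter rejects a code when the destination account or amount is changed. The secret and IBANs are constructed placeholders, and the TAN scheme is an illustration of the principle, not the real chipTAN algorithm.

```python
import hmac
import hashlib
import struct

def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: 31-bit window chosen by the low nibble of the MAC."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, digits)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock.
    Nothing about the transaction enters the computation."""
    return hotp(secret, unix_time // step, digits)

def transaction_tan(secret: bytes, counter: int, iban: str,
                    amount_cents: int, digits: int = 6) -> str:
    """Hypothetical transaction-bound TAN (constructed illustration, NOT the real
    chipTAN algorithm): destination IBAN and amount are part of the MAC input, so
    the code only verifies for the exact transaction shown on the device's display."""
    msg = (struct.pack(">Q", counter) + iban.encode("ascii") + b"|"
           + struct.pack(">Q", amount_cents))
    return _truncate(hmac.new(secret, msg, hashlib.sha256).digest(), digits)

# Constructed scenario: the user confirms INTENDED, but a site impersonating the
# bank submits TAMPERED to the real bank together with the code the user typed.
SECRET = b"constructed-demo-secret-not-real"
INTENDED = ("DE00000000000000000001", 4999)    # placeholder IBAN, 49.99 EUR
TAMPERED = ("DE00000000000000000099", 900000)  # placeholder IBAN, 9000.00 EUR

def second_factor_binds_transaction(scheme: str, unix_time: int = 1_700_000_000,
                                    counter: int = 7) -> bool:
    """True if the code generated for INTENDED is rejected when the bank verifies
    it against TAMPERED, i.e. the second factor actually authenticates the transaction."""
    if scheme == "totp":
        user_code = totp(SECRET, unix_time)        # user sees no transaction details
        return user_code != totp(SECRET, unix_time)  # bank verifies the same time-only code
    if scheme == "tan":
        user_code = transaction_tan(SECRET, counter, *INTENDED)           # device showed INTENDED
        return user_code != transaction_tan(SECRET, counter, *TAMPERED)   # bank checks TAMPERED
    raise ValueError(scheme)

if __name__ == "__main__":
    print("TOTP binds transaction:", second_factor_binds_transaction("totp"))  # False
    print("TAN binds transaction:", second_factor_binds_transaction("tan"))    # True
```

The `hotp`/`totp` functions reproduce the RFC 4226 and RFC 6238 test vectors, so the TOTP side is the standard algorithm rather than a simplification.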


> Perhaps more importantly, you can't really authenticate the individual transaction,

> also include the destination account and sum of money to be transferred in the TAN calculation

Which banks have it implemented? You are giving them too much credit. In most cases their 2FA is simply a code consisting of digits or tapping multiple "confirm" buttons without any context inside of their lousy apps. In my personal anecdotal experience only SMS 2FA contains some additional information about what exactly you are confirming.


> Which banks have it implemented?

In Germany all banks here (https://www.kontofinder.de/ratgeber/tan-verfahren-ueberblick...) that are listed as supporting chipTAN [1], plus probably most of those that are listed as supporting photoTAN [2] allow using a hardware photoTAN generator instead of an app, too (though sadly some banks like Ing-Diba require their own proprietary photoTAN generator instead of a standard photoTAN-device as supported by some other banks).

[1] That one is using your debit card as a smartcard for the shared secret.

[2] That one requires the shared secret to be transmitted to you in some form (probably a QR-code or something similar in a letter) and set up in the photoTAN generator app/hardware device on first use.



