Ugh, my Austrian bank is currently trying to force me into using a system like this. The "standard" way is via an Android or iOS app, the "alternative" is via a smartcard reader thing that seems to work with Windows only.

They claim that this is mandatory due to some EU regulation, but they conveniently forget to say what regulation that is supposed to be.

It's the Payment Services Directive (PSD2). Username+PW has been obsolete and insecure for at least 20 years now.

> It's the Payment Services Directive (PSD2). Username+PW has been obsolete and insecure for at least 20 years now.

That does not imply that banks must implement 2FA with their proprietary applications.

Banks could just implement TOTP (Time-based One-time Passwords, RFC 6238) or HOTP (HMAC-based One-time Passwords, RFC 4226) and let me choose how I generate my OTP. For example with a hardware OTP generator or an open source application.

Most banks are using PSD2 as an occasion to force their privacy-invading apps on their users.

Absolutely not, I heavily dislike SmartID and similar proprietary spyware as well. A TOTP HW token would be in my opinion more secure. The reason banks use it though is the convenience, having some identity tied to the apps is just a bonus for them.
