Currently 2FA (legally known as "strong customer authentication") for logging to payment services (like banks) when one wasn't performed in 90 days is required in EEA.
IMO implementing the bare minimum this does nothing for security. However, often banks do that, and even if you try to look intentionally suspicious (say, use a VPN in United States with another web browser on another operating system) they don't care and won't ask you for 2FA.
IMO implementing the bare minimum this does nothing for security. However, often banks do that, and even if you try to look intentionally suspicious (say, use a VPN in United States with another web browser on another operating system) they don't care and won't ask you for 2FA.