> First, and a no brainer: offer "continue with ____" sign-ins (OpenID Connect / OIDC) for users of Google, O365, Apple, to get out of the account creds business for most users.* (See also: passkeys.)
Thanks but no thanks, the last thing I want is for Google to be in the chain for something as vital as banking. One false signal in Google's AI model and you're permanently fucked. Or someone compromising the email account (not just credential stuffing but e.g. cookie theft).
> Second, prefer TOTP as the MFA, not SMS.
People loathe app-based (or, even worse, RSA token-style) OTP, especially since if they lose their phone or it becomes permanently damaged, you're fucked unless you made a backup.
SMS in contrast? Even your 80-year-old grandma can use that, and most common failure modes (i.e. stuff requiring support from you) are handled by the telco.