
In Singapore they give us a physical token. We have to enter the 2FA code we receive into it to receive a third code to enter into the website. Well, I guess it's 3FA. It is a bit of a hassle but better safe than sorry.
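The flow described above (bank sends a code, user keys it into the token, token shows a second code that the bank checks) is a challenge-response OTP. The following is an added illustration, not code from the commenter or from any bank; the seed, the HMAC-SHA256 construction and the HOTP-style truncation are assumptions chosen to make the mechanism concrete. The important properties are that the token never needs network access, each challenge is single-use, and the comparison is constant-time.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed shared seed for the example. In a real deployment it is
# provisioned into the token at enrolment and never leaves the device.
TOKEN_SEED = bytes.fromhex("3132333435363738393031323334353637383930")


def dynamic_truncate(digest: bytes, digits: int = 6) -> str:
    """HOTP-style dynamic truncation (RFC 4226, section 5.3) to a decimal code."""
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def token_response(seed: bytes, challenge: str, digits: int = 6) -> str:
    """What the hardware token displays after the user keys in the challenge.

    The token computes HMAC(seed, challenge) and truncates it; it needs no
    clock, counter or network, only the seed and the keyed-in challenge.
    """
    mac = hmac.new(seed, challenge.encode("ascii"), hashlib.sha256).digest()
    return dynamic_truncate(mac, digits)


class BankServer:
    """Hypothetical server side: issues one-time challenges and checks responses."""

    def __init__(self, seed: bytes) -> None:
        self._seed = seed
        self._pending: dict[str, str] = {}  # session id -> outstanding challenge

    def issue_challenge(self, session: str) -> str:
        """Generate a fresh random 8-digit challenge (the 'first code' the bank sends)."""
        challenge = f"{secrets.randbelow(10 ** 8):08d}"
        self._pending[session] = challenge
        return challenge

    def verify(self, session: str, response: str) -> bool:
        """Check the token's response; the challenge is consumed whether or not it matches."""
        challenge = self._pending.pop(session, None)
        if challenge is None:
            return False  # no outstanding challenge, or it was already used
        expected = token_response(self._seed, challenge)
        return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    server = BankServer(TOKEN_SEED)
    challenge = server.issue_challenge("login-1")
    # The user types `challenge` into the token and reads `response` off it.
    response = token_response(TOKEN_SEED, challenge)
    print("challenge:", challenge, "token shows:", response)
    print("accepted:", server.verify("login-1", response))
    print("replayed:", server.verify("login-1", response))
```

Because the challenge is consumed on first use, a response captured in transit cannot be replayed, and because the token has no network path, a compromised phone or browser cannot extract the seed.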



Yeah, my wife uses a physical token generator now, and I use the app which is bound to my phone. Someone would have to physically have my phone (and unlock it) in order to access my bank now.


Are you sure your bank wouldn't allow someone to disable it over the phone like they allowed someone to change your password? People lose cell phones just as they forget passwords, so there is surely a way for customer support to deal with it.


Banks over here only reset those tokens with instructions sent to your known address. You can only change that address with a working token or showing government issued ID (which everyone around here has and is also required to open an account in the first place). At worst you need to send a copy by mail but going to a branch or post office or a video chat are more common.


Banks can always ask you to go into a branch for more important things like that. They do that in the UK. If you're not in the country, you can write a letter on paper and have the local police or lawyer confirm your identity. I've done that before. It's a nightmare but it eventually works.


In such cases the bank would offer to send new tokens by physical mail to the registered address or receive them in a branch with proper ID.

I recall a case where an important customer was stuck abroad with everything stolen; they were sent replacement tokens and cards to be received at the embassy, which could properly ID them.


Why can a bank have such a robust procedure for replacing tokens, and be trusted to follow it, but not have a similarly robust procedure for handling password resets?


They definitely can, but some of them don't, especially in the USA for various reasons.

I mean, any bank with proper procedures doesn't really have the concept of "online password" that's sufficient to do anything and makes 2FA mandatory; I believe in EU now it would be forbidden for a bank to have simply a username-password authentication.


I think it's worth noting that while a physical token is needed for adding new payees and changing transaction limits, it is not necessary for online purchases, which only require SMS verification (at least for DBS).

I think it's a fine approach balancing security and convenience.


Seriously, I don't understand why physical tokens are not the norm and standardized on all devices, still. It isn't a new concept at all.



