An SMS code can only be received by a phone (special hardware, not a browser). An OTC smart card is likewise special hardware, not a browser.

Google voice is not special hardware. You’re confusing attestation with 2fa and that’s why you’re getting downvoted.

Yeah but Google Voice isn't something you're meant to use to receive SMS codes. That's very US specific, and if you go there you've undermined the security the bank was trying to provide.

The reason they used SMS codes for a while is because phones have always tried to block malware from reading your screen or SMS storage whereas PCs don't, and because phones can do remote attestation protocols to the network as part of their login sequence. The SIM card contains keys used to sign challenges, and the network only allows authorized radio firmwares to log on. So by sending a code to a phone you have some cryptographic assurance that it was received by the right user and viewed only by them.

2FA and RA are closely related for that reason. The second factor is dedicated hardware which enforces that only a human can interact with it, and which can prove its identity cryptographically to a remote server. The mobile switching center, in the case of SMS codes.

Obviously, this was a very crude system because malware on the PC could intercept the login after the user authorized, but at least it stopped usage of the account when the user wasn't around. Modern app based systems are much more secure.

The SMS stuff seems like theatre when SS7[1] has been known to need a nuclear-powered auto bailer for how porous it is.

[1] https://en.wikipedia.org/wiki/Signalling_System_No._7

... which is why none of the banks I've used support it for many years now. It's a legacy example. Modern banks all rely on apps that bind to the secure element in the phone or they issue a smartcard reader.

Not all modern banks, e.g. Santander Bank in Poland still uses one-time SMS codes.