Multi-factor authentication (MFA) is the bedrock of modern digital security. Its principle is simple and powerful. As Wikipedia defines it, MFA is:

an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more distinct types of evidence (or factors) to an authentication mechanism.

The key phrase here is distinct types of evidence. These factors are typically categorized as something you know (a password), something you have (a device), and something you are (a biometric). Any financial institution worth its salt implements MFA. Having opened many bank accounts in Switzerland, I’ve seen the full spectrum of authentication methods that are used here. They generally fall into one of these categories:

  1. Mobile-only banking apps with phone biometrics
  2. SMS-based tokens
  3. Authenticator app without additional user interaction (simple push)
  4. Authenticator app with additional user interaction (number matching, biometrics)
  5. Separate hardware device or a physical code list
  6. Passkeys

Unfortunately, the relentless drive for a “seamless user experience” has created a convenience trap. Many of these methods, while appearing distinct, collapse onto a single device: your smartphone. This consolidation fundamentally undermines the security promise of MFA, often degrading true two-factor authentication (2FA) into a fragile single-factor authentication (1FA).

Let’s analyze these methods against realistic threats that the average user faces:

  • Password Theft: An attacker obtains your login credentials, for instance because a site is breached.
  • Phishing: An attacker tricks you into authenticating on a malicious site.
  • Device Theft: An attacker physically steals your smartphone.
  • Malware: Your primary computer is compromised.

1. Mobile-only Banking Apps with Phone Biometrics

This is an increasingly popular model. You have a banking app on your phone, and you unlock it with the same biometrics (Face ID, fingerprint) you use to unlock the device itself.

While convenient, this is not true 2FA. The “something you have” (the phone) and the “something you are” (your face/fingerprint) are often both gated by a single, weaker factor: the “something you know” (your device passcode). For instance on an iPhone, you can register a new face for FaceID if you know the passcode.

Thieves actively exploit this by “shoulder surfing” a victim’s iPhone passcode before stealing the device. As reported by the Wall Street Journal, once a thief has your passcode, they can easily enroll their own face in Face ID and gain full access to your digital life, including your banking apps. Apple’s “Stolen Device Protection” is a step in the right direction, but it’s a mitigating control that isn’t enabled by default for all users.

  • Protection against Device Theft: Very poor if the passcode is also compromised.
  • Protection against Malware: The security sandboxes of modern mobile operating systems are strong. However, new convenience features create new attack vectors. With macOS and iPhone Mirroring, malware on a compromised Mac could potentially view and interact with your banking app on the mirrored phone screen. If your banking PIN is also stored in a password manager accessible on that Mac, the entire security model crumbles.

2. SMS-based Tokens

SMS as a second factor is notoriously insecure and should have been deprecated years ago. It’s vulnerable to well-known attacks like SIM swapping, IMSI catchers, and flaws in the global SS7 telephony network. Despite this, there are unfortunately major financial institutions (e.g., Saxo Bank with $133B client assets) that still enable it by default.

Convenience features pour gasoline on this fire. With notification mirroring (a standard feature in Apple’s ecosystem), an SMS 2FA code sent to your phone instantly appears on your paired—and potentially compromised—laptop or tablet. This completely shatters the illusion that SMS is an “out-of-band” factor.

  • Protection against Device Theft: Poor. A thief may be able to access the code without even unlocking the phone (depending on the notification settings). At least they still need the password for the bank account, but this may be available with the passcode (e.g. when it is stored in a password manager), resulting in the same threat as mobile-only banking apps.
  • Protection against Malware: Can be flawed due to notification mirroring / similar features.

3. Authenticator App Without Additional User Interaction

This method sends a simple “Approve” or “Deny” prompt to your phone without requiring any other interaction from the user. Only a few banks in Switzerland use this method.

Like 1 and 2, this can be susceptible to device theft and malware depending on the configuration.

4. Authenticator App With Additional User Interaction

This is an improvement over 3 and used by most banks. Instead of a simple “Approve” button, the app requires a specific action on the phone that can’t be easily automated from a mirrored device. Common methods include:

  • Biometric Verification: You must authenticate with Face ID or your fingerprint within the app to approve the login.
  • QR Code Scanning: The banking app on your phone must scan a QR code displayed on the other device’s screen.

These methods ensure the user is actively engaged with both devices, thwarting simple malware attacks via screen mirroring.

  • Protection against Malware: Good.
  • Protection against Device Theft: Still a concern. If a thief has your phone and your passcode, they can re-register their own biometrics and approve transactions. It’s a higher bar, but the single-device vulnerability remains.

5. Separate Hardware Device / Code List

The old-school, air-gapped solution. This involves a dedicated card reader or a physical list of transaction authentication numbers (TANs). While this method was very common ten years ago, it has unfortunately fallen out of favor. There are a few institutions that still support it, for instance Interactive Brokers if you hold more than $1M in assets with them.

From a security perspective, it is robust. It creates a true physical separation of factors. Malware on your phone or computer cannot jump the “air gap” to infect a disconnected card reader.

  • Protection against Malware: Excellent.
  • Protection against Device Theft: Good. A stolen card reader is useless without the corresponding security card and PIN. You typically do not have them with you all the time and can store them in a secure place.

6. Passkeys

Passkeys, particularly when bound to a physical security key, are the gold standard for authentication.

Their primary advantage over all previous methods is phishing resistance. A Passkey is cryptographically bound to the website’s domain where it was registered. If you are lured to mybank.phishing.com, your browser simply won’t offer the Passkey registered for mybank.com. This stops even sophisticated “phishlet” attacks dead in their tracks.

When a Passkey is stored on a dedicated hardware key (like a YubiKey), it solves our threat model almost completely.

  • Protection against Phishing: Excellent.
  • Protection against Device Theft: Excellent. The thief needs to steal not only your phone/computer but also your physical YubiKey and it needs to know its PIN.
  • Protection against Malware: Excellent. The private key is designed to be non-exportable from the secure hardware element.

Unfortunately, most banks have been slow to adopt them.

Recommendations

Navigating this landscape requires a deliberate security posture. Here is a ranked list of choices, from best to worst:

  1. Hardware-Bound Passkeys: If your bank supports Passkeys, using a dedicated hardware key like a YubiKey is the most secure option available today. It provides the strongest defense against all threats discussed.
  2. Separate Hardware Authenticator: If Passkeys aren’t an option, a dedicated, air-gapped device from your bank is the next best thing.
  3. Having a Dedicated “Banking Phone”: A viable strategy is to use a dedicated smartphone for nothing but banking apps. Keep it offline when not in use, install no other apps, and do not link it to your primary Apple or Google account. This recreates the “air gap” in a modern context.

Conclusion

For the average user, the smartphone has become a single point of failure, where the theft of one device and one piece of knowledge (the passcode) can lead to total financial compromise. New convenience features like iPhone mirroring weaken the boundaries between different devices.

Of course, users can take mitigating steps like enabling Stolen Device Protection, being vigilant about phishing, and choosing better authentication methods when possible. However, I think we should have safe defaults for the average user and that this is the ultimate responsibility of the financial institutions.