It’s 2025—Why Are Banks Still Getting Authentication So Wrong?

by oqtey

While recently traveling to the U.S., I was completely locked out of my TD Personal Banking account.

TD relies heavily on SMS-based two-factor authentication (2FA) for customer logins. I had, quite reasonably, disabled my Canadian SIM to avoid the usual price gouging and roaming charges.

Luckily, I had their proprietary “TD Authenticate” app installed, thinking it would serve as a viable alternative. But when I opened TD Authenticate, I had been logged out, and logging back in required, you guessed it, an SMS message to my now-inaccessible Canadian number.

I had the authentication app. I had my credentials. But the system’s design created an inescapable catch-22.

This is a textbook case of security punishing the user instead of protecting them.

TD doesn’t offer TOTP support. No passkeys. No fallback email verification. Just a fragile, closed loop with a single point of failure, and one that failed entirely in a very foreseeable scenario.

Despite years of progress in digital identity and authentication standards, many Canadian financial institutions remain stuck with brittle, outdated authentication flows that fail from both a security and usability perspective.

SMS-based 2FA isn’t just inconvenient; it’s actively harmful.

The Problem With SMS-Based 2FA

SMS has long been discredited as a secure second factor.

As far back as 2017, NIST explicitly discouraged the use of SMS for delivering one-time codes, and CISA describes it as a “last resort MFA option” and a “temporary solution while organizations transition to a stronger MFA implementation.”

The problem is that SMS-based 2FA leaves users exposed: threat actors can exploit weaknesses in the telephony protocols and use social engineering to:

  • Intercept 2FA codes sent via text message.
  • Take control of a user’s phone number with a SIM swap.
  • Trick the user into revealing their 2FA code through phishing.

In 2023, the Canadian Centre for Cyber Security reiterated exactly this message, saying:

“Only consider short message service (SMS) codes as an authentication factor for low-risk logins. SMS is insecure as codes are sent in unencrypted form. An increasing number of cyber attacks involves threat actors intercepting SMS codes through SIM swapping, phishing or other social engineering attacks.”

https://www.cyber.gc.ca/en/guidance/steps-effectively-deploying-multi-factor-authentication-mfa-itsap00105

I don’t think anyone considers a bank account “low-risk.” Yet here we are, still relying on SMS as the default, and sometimes only, 2FA option.

Proprietary OTP Apps: A Marginal Improvement at Best

In an effort to move beyond SMS, some banks, TD included, have rolled out their own proprietary OTP apps rather than adopting the open TOTP standard (RFC 6238).

The result? Slightly better security. Significantly worse usability.

These apps often:

  • Don’t integrate with password managers or platform authenticators.
  • Require a login before you can generate a code, which defeats the purpose of an authenticator app.
  • Offer no support for hardware tokens or modern passkeys.

Even worse, these apps often become excuses, a reason to avoid implementing the open, interoperable standards that actually make a difference.

What Good Authentication Looks Like In 2025

A modern authentication flow in 2025 should be built around strong, user-friendly, standards-based mechanisms:

  • Passkeys (FIDO2/WebAuthn): Phishing-resistant, device-based login using biometrics. Excellent UX and security.
  • TOTP Support: Let users use any standard authenticator (Authy, Google Authenticator, Microsoft Authenticator, 1Password, etc.).
  • Hardware Security Keys: FIDO2 keys like YubiKey for users who want maximum assurance.
  • Secure Recovery Paths: Trusted devices, or recovery codes, not SMS.
  • Password Manager Compatibility: Seamless autofill and passkey support across trusted password managers and OS keychains.
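To show concretely what the open standard asked for above (and contrasted with proprietary OTP apps earlier) actually involves, here is an added example, not code from the post or from any bank: a minimal RFC 4226/6238 HOTP/TOTP generator and server-side verifier in Python, checked against the RFCs’ published test vectors. The shared secret is the RFCs’ own test secret; the ±1-step acceptance window and the replay guard are assumptions about a reasonable server policy.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Added example, not TD's or the post's code. HOTP/TOTP follow RFC 4226/6238;
# the acceptance policy in verify_totp (±1 step, replay guard) is an assumption.


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter T = floor(unix_time / step).

    Nothing is sent to the user: both sides derive the code from the shared
    secret and the clock, which is why a TOTP app works with the SIM disabled."""
    return hotp(secret, unix_time // step, digits, algo)


def verify_totp(secret: bytes, submitted: str, unix_time: int, last_used: int = -1,
                window: int = 1, step: int = 30, digits: int = 6) -> Optional[int]:
    """Server-side check. Returns the matched time step (store it as the new
    last_used) or None. window=1 tolerates ±30 s of clock drift; any step at or
    before last_used is refused so a code that was already used cannot be replayed."""
    current = unix_time // step
    for delta in range(-window, window + 1):
        candidate = current + delta
        if candidate <= last_used:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            return candidate
    return None


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 shared test secret (ASCII "12345678901234567890").
    secret = b"12345678901234567890"
    print("code now:", totp(secret, int(time.time())))
```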

Security Shouldn’t Punish The User

Authentication flows too often feel like they were designed in a vacuum, engineered by siloed security teams and product managers with no regard for users.
If a system breaks in common scenarios, like international travel, it’s not a secure system. It’s a hostile one.

Banks Must Do Better

TD isn’t the only offender, but it’s a glaring example of how not to do authentication in 2025.
The refusal to support basic standards like passkeys or TOTP isn’t just an inconvenience, it’s a security liability that actively harms users and undermines trust.
There’s no excuse anymore. The standards exist. The risks are well-documented.
If your authentication flow still relies on SMS and a brittle proprietary app, it’s long past time for a serious overhaul.
Security and usability are not mutually exclusive. Achieving both requires systems designed with competence, foresight, and actual consideration for the user experience.

Postscript: Three Years Later, Still Broken

By the way, that trip to the U.S. happened three years ago. Nothing has changed since.

I’ve emailed TD about this issue (essentially saying what I said in this blog post); we’ll see what they say.

And let’s be honest, this whole conversation is just touching the surface. The real progress starts when we talk about Self-Sovereign Identity, DIDs, and decentralized auth infrastructure.

But that’s a blog post for another day.

And don’t even get me started on logging into accounts at the Canada Revenue Agency.

#writing
