I thought they still did for website flow at least. Bizarrely we seem to think that phone apps are infinitely secure and don't need the extra step because biometrics?

Isn’t it because the assumption is that a mobile device is personal in 99,99999% of cases while it’s common (less now than 15 years ago) with shared computers in libraries, schools, etc.