I’ve got the feeling that it’s spreading and is soon to become the default.

Another banking app has failed to identify me a couple of times (I attribute it to iPhone 17’s front camera distortion) and fell back to the snail mail id code as a 2nd factor. It arrived only several business days later. Instead of just letting me use my own 2nd factor such as a TOTP device or a physical security key. But maybe there are some legal requirements for that flow, I’m out of the loop.

So there’s a whole range between passkey-is-enough on one end and outsourced video id or snail mail for 2nd factor on the other. The latter can of course be misused to siphon as much personal information as possible out of you, even linking and scraping your other banking accounts for consumer profiling - designed as a requisite part of the authentication/authorization flow.