the main issue is the bank using sms and OTP apps instead of something like passkeys and mandatory in bank setup.

One of my banks uses a card reader and pin to log in, seems more secure.

	▲	microtonal 2 hours ago \| parent \| next [-]
		Pins can still be phished. Just make the phishing a live proxy resembling the real site. A fundamental difference with e.g. FIDO2 (especially hardware-backed) is that the private credentials are keyed to the relying party ID, so it's not possible for a phising site to intercept the challenge-response.
	▲	thefounder 43 minutes ago \| parent \| prev [-]
		That’s just as bad. You need to take out the human error out of the equation.