High security services should send a pair of U2F keys to each and every customer when they sign up (or hit a retention/value threshold), with instructions on how to store them (that is, in different buildings). Then they can use normal app-based 2FA day to day (NOT TOTP, as that is phishable), and use the pre-enrolled U2F hardware tokens as recovery methods when the user inevitably loses their phone and needs to re-enroll their primary 2FA device (the service app on their new phone).

Falling back to SMS to reset 2FA, or Skype calls where you hold up your ID with a CSR or whatever, is just asking for shit like this. In bulk the hardware is probably <$5/token, so well under $10/user (probably closer to $5/user even for a pair of tokens). If your CLTV for your high security financial service can’t afford that, go do something else.

This is a solved problem; the fact that financial institutions have not got on board with 10+ year old stable, cheap, widely available technology is a market failure caused by massive overregulation.

Nothing about this is hard, nothing about this is expensive; there’s just a pervasive attitude in financial technology circles of “this is the way we’ve always done it” or “this is the way everyone else does it”, even if those ways encapsulate a ton of waste and risk.

Even without the whole “n+1 tokens, used only as primary 2FA recovery” scheme, I don’t think there’s a single US retail bank that supports U2F even for normal 2FA login. It’s shameful.

This industry is so ridiculously ripe for disruption, but it’s so heavily overregulated that nobody that doesn’t suck is allowed to enter the market. Simple was the first to try (and even they had to use a partner bank) and they got erased via acquisition (and I think subsequently shut down).
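The recovery policy the comment proposes (app credential for daily 2FA, pre-enrolled hardware keys as the only recovery path, no SMS fallback), as an added model that is not part of the original post. It assumes HMAC-SHA256 as a stand-in for a U2F key's ECDSA assertion so it runs offline; the `HardwareToken` and `Account` names and the sample credentials are constructed.

```python
"""Model of 'app 2FA day to day, pre-enrolled U2F keys for recovery'.
Constructed example: the hardware key is simulated with HMAC-SHA256
(assumption) in place of U2F's ECDSA signature over the challenge."""
import hashlib
import hmac
import secrets


class HardwareToken:
    """Stand-in for a U2F key: a per-token secret and a monotonic counter."""
    def __init__(self, handle: bytes):
        self.handle, self._secret, self.counter = handle, secrets.token_bytes(32), 0

    def registration(self) -> bytes:
        # Assumption: the HMAC key plays the role of the registered public key.
        return self._secret

    def sign(self, challenge: bytes):
        self.counter += 1  # U2F keys bump a counter on every assertion
        msg = self.handle + self.counter.to_bytes(4, "big") + challenge
        return self.handle, self.counter, hmac.new(self._secret, msg, hashlib.sha256).digest()


class Account:
    """Relying party state: one app credential, N pre-enrolled hardware keys."""
    def __init__(self, app_cred: bytes, tokens):
        self.app_cred = app_cred
        self.keys = {t.handle: {"key": t.registration(), "counter": 0} for t in tokens}
        self.pending = None  # outstanding recovery challenge, if any

    def login_2fa(self, app_cred: bytes) -> bool:
        return hmac.compare_digest(app_cred, self.app_cred)

    def begin_recovery(self, method: str):
        if method != "u2f":  # SMS / video-ID resets are simply not offered
            return None
        self.pending = secrets.token_bytes(32)
        return self.pending

    def finish_recovery(self, assertion, new_app_cred: bytes) -> bool:
        handle, counter, sig = assertion
        rec = self.keys.get(handle)
        if rec is None or self.pending is None:
            return False
        msg = handle + counter.to_bytes(4, "big") + self.pending
        expected = hmac.new(rec["key"], msg, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected) or counter <= rec["counter"]:
            return False  # bad signature, replayed assertion, or cloned key
        rec["counter"] = counter
        self.app_cred, self.pending = new_app_cred, None  # re-enroll primary 2FA
        return True
```

Only a physical key enrolled at signup can rotate the primary credential, and a replayed or stale assertion is rejected by the challenge and counter checks.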