"Many consumers assume every bank requires 2FA, but that's not the reality," said Gregory Shein, CEO of Nomadic Soft.
A May break‑in that started with a flagged retirement transfer
The author describes a sequence of events in May in which the finances of his 84‑year‑old mother were invaded by professional thieves. An institution that manages her retirement savings called after spotting a suspicious transaction; that account was protected as soon as she denied the charge. But at a separate bank she discovered that thousands of dollars had been transferred out of her checking and savings accounts. Working within the daily withdrawal limits, the thieves made repeated transfers to a "strange account" and extracted roughly $30,000 from her bank accounts alone.
The attackers had also broken into her Gmail account and created spam filters to route any mail from her bank or retirement provider to the trash, ensuring she would not receive alerts about transfers or about fraudulent accounts created in her name. The first responses from the bank's fraud department were described as unhelpful and incredulous; staff asked, "Are you sure a relative didn’t do this?" After hours on the phone and navigating a phone tree, the bank eventually agreed to investigate and restored the stolen funds a few weeks later.
Which institutions require MFA — and which leave it optional
The piece names several large institutions and their MFA posture. PNC is cited as a bank that requires multi‑factor authentication, while Bank of America, Chase, Capital One, and Citibank are described as leaving MFA optional. Google accounts are also described as MFA‑optional. The author links these policies to a broader problem: many firms categorise additional login steps as optional because they are weighing security against customer friction, support costs, and conversion rates.
Gregory Shein summed up the commercial tension: some financial institutions "still treat it as an optional feature because they're balancing security against friction."
OTP versus passkeys: technical limits and rolling deployments
The article contrasts one‑time passcodes (OTPs) — delivered by SMS, email, or phone call — with cryptographic passkeys. OTPs are described as inherently flawed: attackers can perform SIM‑swap social engineering to receive texts, compromise email accounts that receive OTPs, or use phishing sites to harvest one‑time codes. A 2019 Microsoft article is cited that claimed MFA prevents "99.9 percent of attacks," but other experts noted to the author that figure can be exaggerated because determined criminals can bypass weak MFA methods.
By contrast, passkeys are introduced as "phishing‑resistant MFA." Passkeys use cryptographic key pairs with a private key on the user’s device and a public key on the server; to use the private key, the user must unlock it with a PIN, a physical security key such as a YubiKey, or biometrics. Passkeys cannot be phished or intercepted in the same way OTPs can. The FIDO Alliance is cited as saying banks including Chase, Wells Fargo, US Bank, and Bank of America are rolling out passkeys.
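As an added illustration, not code from the article or from any bank, the following Go sketch shows why the passkey exchange described above resists phishing where an OTP does not: the device signs a digest that binds the bank's challenge to the origin the browser reports, so a signature obtained on a look-alike site fails the bank's check. The relying-party ID `bank.example`, the origins and the challenge value are assumptions, and the user-unlock step (PIN, biometric or security key) is omitted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

const rpID = "bank.example" // hypothetical relying-party ID; the credential is scoped to it
// Authenticator models the passkey on the user's device: the private key is
// generated there, never leaves, and is used only after the user unlocks it.
type Authenticator struct{ priv *ecdsa.PrivateKey }

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Authenticator{priv: priv}, err
}

// Public is the key the bank stores when the passkey is registered.
func (a *Authenticator) Public() *ecdsa.PublicKey { return &a.priv.PublicKey }

// signedDigest mirrors WebAuthn: the signature covers the hash of the
// relying-party ID plus the hash of client data that carries the origin.
func signedDigest(origin string, challenge []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	clientHash := sha256.Sum256([]byte(origin + "|" + string(challenge)))
	digest := sha256.Sum256(append(rpHash[:], clientHash[:]...))
	return digest[:]
}

// Assert is the login step; the browser, not the page, supplies the origin.
func (a *Authenticator) Assert(origin string, challenge []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, a.priv, signedDigest(origin, challenge))
}

// VerifyAssertion is the bank's check: a wrong origin or challenge fails to verify.
func VerifyAssertion(pub *ecdsa.PublicKey, origin string, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, signedDigest(origin, challenge), sig)
}

func main() {
	auth, _ := NewAuthenticator()
	ch := []byte("constructed-challenge") // real servers draw this from crypto/rand
	sig, _ := auth.Assert("https://bank.example", ch)
	fmt.Println("genuine:", VerifyAssertion(auth.Public(), "https://bank.example", ch, sig))
	sig, _ = auth.Assert("https://bank-example.login", ch) // signed on a look-alike origin
	fmt.Println("phished:", VerifyAssertion(auth.Public(), "https://bank.example", ch, sig))
}
```

In a real WebAuthn flow the browser additionally refuses to use a credential whose relying-party ID does not match the site it is on, so the look-alike page never even obtains the signature; the origin check shown here is the server-side half of that protection.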
The author notes practical inconsistencies: Chase’s website offers OTP via email, SMS, or phone call, while Chase’s mobile app requires fingerprint or facial recognition — meaning the stronger control exists only on one access path. As Andrew Shikiar, CEO of the FIDO Alliance, put it: "OTP is just another password."
What this means for technologists, policymakers, and end users
- Technologists and security teams: the account compromise described highlights the danger of uneven controls. Enabling phishing‑resistant credentials such as passkeys and applying the same protections across web and app entry points are presented as concrete technical priorities.
- Policymakers and regulators: the Consumer Financial Protection Bureau's dispute framework is cited as part of the remediation landscape — consumers have 60 days from a bank statement to dispute transactions, and banks have 45 days to investigate unless the account was newly opened or the fraud occurred outside the U.S. The author notes banks may still refuse reimbursement, making litigation a likely next step for some victims.
- End users and the general public: the narrative stresses basic account hygiene and adoption of stronger authentication when available. The author's mother had reused similar passwords across services and had at least one account disclosed in a prior data breach — conditions the author links to the attackers' ability to pivot among her retirement account, bank, and email. Where offered, passkeys are presented as a markedly safer alternative to SMS/email OTPs.
A pointed finish: convenience vs. protection
The column frames the core tension bluntly: "Banks and other financial institutions know better. Google knows better. But they're all putting convenience ahead of security when it's your money that's on the line." The author quotes Andrew Shikiar's outlook that mandating passkeys may not be immediate, but that pushing them will "become really something that's either required or essentially required." And, in the author's own summation: "That time should be now."