[Trigger warning: redundant acronym RAS syndrome.]
This is known as the requirement for Strong Customer Authentication (SCA) for online card payments of the PSD2 directive. In the UK, my bank is offering three options for SCA authentication: SMS messaging service verification codes, a smartphone app and a stand-alone card reader that generates one-time codes using the chip in the payment card and the user’s PIN number. The card readers have been around for years as a way to authenticate with online banking services, but not all banks issue them. They look a bit like pocket calculators and run off a coin cell. Do banks in other countries offer card readers?
Other authentication methods offered by UK banks include a telephone call to a registered number, and there seem to be murmurs about using email instead of SMS. Even the requirement to use any kind of mobile phone for authentication has resulted in complaints from the public, either because people don’t have any mobile phone at all, or because they live somewhere where there is no phone signal. There has been discussion of it on the BBC Radio 4 personal finance programme “Money Box”. People have also pointed out that SMS is not a secure authentication method.