Syncing the TOTP credentials from a cloud account of some sort (iCloud/Google for the masses, Bitwarden or another password manager for more technical users) to the device.

As a fallback recovery mechanism, offline backup codes generated at the time the TOTP is applied to the account.

Then you make Google/iCloud the point of entry to someone's bank account. That completely changes the threat model for customers, and possibly for worse than SMS.

Offline backup codes, when printed, isn't such a bad idea. But when you lose that piece of paper, again, game over.

SMS is fantastically resilient to these scenarios. There's a reason banks insist on using it.

SMS isn't resilient to the worker at the local retail store for the phone carrier giving someone else a SIM for my phone number. That's a much bigger threat vector than Google/iCloud/a sync target I manage storing an encrypted version of the TOTP credentials.

If I lose my phone I can go to the office of my carrier, present my ID and receive a new SIM with the old number[0]. If Apple/Google decide what I'm not their customer anymore then I have literally zero ways to recover anything from them.

[0] and half a year later the bank would finally found out about and block the SIM 'to prevent fraud' at the most inconvenient time. But again, it's solvable with a visit to the office and an ID.

How realistic is this threat? I would think that the employees would have to jump through hoops that require you to be present (or at least a lot more of your info to be stolen than just your name and number) and that the home network would detect a duplicate E.164 number with conflicting IMEI/IMSI numbers and locations pretty quickly.

FWIW: https://en.wikipedia.org/wiki/SIM_swap_scam

This is more like confused deputy than collusion (though that can happen as well), but nevertheless the end result is somebody else ends up with your number, and your device gets deactivated.

Show up in person with ID.

That's not necessarily possible. Many banks do not have physical locations, and many people do banking business while physically away from a bank.

https://en.wikipedia.org/wiki/Direct_bank

We're talking about recovery mechanisms, not day to day regular banking interactions. Ultimately, if there isn't a physical branch you can show up to easily, your access recovery time might be pretty inconvenient. This would be a good thing to consider when selecting a bank.

Online only banking is fairly popular for traditional banking services, and wildly popular when you consider money transmitters, lenders, and investment brokerages.

Whatever the problem you think they have with authentication resets -- much of the financial market seems to have solved the problem well enough without in-person resets to have successful mainstream businesses.

Yes, but remember, the original scenario was person leaving Canada, and trying to use their Canadian bank account from the US. There is nowhere to show up. But, if they could swallow SMS roaming costs temporarily, they could access to their account easily.

> There is nowhere to show up.

There's Canada. And yes, re-enabling a SIM and paying a handful of roaming SMS charges might easily be more convenient than traveling to Canada.

MFA is more than 2FA. You'll typically mandate several ways to get in, ahead of time. Whether a third logical device or printing out recovery codes. For something as important as a bank, folks will comply.

Password managers, such as KeePassX can generate TOTP codes. And Keepass database is just a file, you can have as many backups of it as you want.

You overestimate a regular person's technical skills and their capability of planning resilient backup strategies.