Some do, but their backend systems are still vulnerable. Most folks here on HN would not believe me if I said that many of the back-end systems do not use encryption. There are still many automation jobs that use clear-text FTP on the WAN and for some jobs, even across the internet.

You think that's bad, huge banks are still doing this shit:

https://www.reddit.com/r/canada/comments/978l87/bmo_web_bank...

https://en.wikipedia.org/wiki/Bank_of_Montreal

Here's the password requirements for Coast Capital Savings:

https://www.reddit.com/r/VictoriaBC/comments/92e7cf/coast_ca...

https://en.wikipedia.org/wiki/Coast_Capital_Savings

Yeah, this list is still pitiful: https://twofactorauth.org/#banking

Some do. Of the four banks where I currently have accounts, only one uses SMS-based 2FA codes; the other three all provide chip-and-pin card readers or similar gadgets to generate transaction-specific auth codes.

and, the banks that support 2FA need to figure out a way to keep supporting their data subscription services. there is no good OFX for 2FA