I concur with this feedback @mpfl.

Ensuring account security needs to be a priority, and the SMS-based method used doesn't cut it considering the risk of interception in transit.

I went hunting for an earlier post of mine where this issue was discussed, and I can't seem to find it.

Personally, I would love the BOB app to have an in-built TOTP generator, or allow the customer to be able to register their own TOTP generator (using either supported hardware, or compliant software) using the BOB website.

This would solve a number of key issues BWA has with customers who they need to use the current Secure Code system with when travelling overseas to verify transactions.

TOTP would be the smarter move - given U2F methods are a little harder in the mobile space, given the dispartity of support across mobile platforms. The U2F method FaceBook is using, which is via the NFC reader on the mobile device will only work for Android and other supported device manufacturers. Apple 's devices do not currently allow installed apps to access the NFC circut for the purpose of reading data.

Going to TOTP would require only changes to the code based used for authentication, and wouldn't need wholesale redevelopment to support devices like U2F would.

The key thing I would stress is that any TOTP implimentation in BOB needs to be done like the Citibank model, where it's contained within the app once registered and the customer authenticated. The ANZ model, having a seperate app for providing their version of a TOTP code is a nightmare when the average user already has >100 apps on their device - simply no reason that such a small thing should be in a standalone application.