Hacker News

And yet almost every bank requires it for 2FA and only a precious few offer TOTP or some other reasonable and secure form of 2FA.


FWIW, I have 4 "banking" accounts, 3 of which are major American banks and one is a local credit union. The latter is the ONLY one to offer 2FA via TOTP while the major banks only allow SMS or email 2FA.


I'm still a little salty about Blizzard handing out free TOTP fobs at conventions and implementing an iOS app to do it, years or even a decade before financial institutions offered anything.

It's a fucking game, protecting against gold farmers. How about protecting my non-virtual gold?


I mean, they could do that because, with few hard legal obligations to you, their own internal assessment that implementing TOTP has a good chance of cutting support load and probably won't cause too many problems is Good Enough to move forward with it.

Banks have to price in the risk that, if something does go wrong, they could have regulators on their back. And uh, have poor incentive structure wrt being perfectly allowed to do everything by the book and slipping responsibility if the book is just wrong.


Videogames are oddly the most secure of all.

I don't know why (maybe criminals are more likely to go for your WoW account assuming the legal consequences are less) but I would advise all companies to examine how Blizzard, Valve, and others handle account security.


I work for Twitch and previously worked in AAA games. People are often surprised, even coming from Amazon or Banking, how much Gamers try to 'hack' things. Gamers are used to trying to find edges in the system. Gamers are pretty tech savvy. I've had several people ignore my advice that we would be looking at a whole nother level of people trying to game the system when working with gamers.



