With the latest change to the BofA online banking bill pay service (which added all sorts of unnecessary and distracting icons and ugly fonts), the bank decided to remove the one-time password two-factor authentication (OTP 2FA) requirement to force the customer to perform a one-time password-based step-up authentication before allowing the change. Instead, by default, the system sends a notification to your email. You can also, optionally, turn on SMS text message notification for changes. However, customer technical support confirmed that it is not possible for a customer to optionally set SMS OTP 2FA or other 2FA (push notification to your mobile app, etc.). SafePass (the SMS or email or optional, $20 2FA token-based  OTP 2FA) is only used for authorizing “higher value” transactions. No definition of “higher value” is immediately available.

On a new computer, the site asks to answer your simple security questions and answers — that any hacker could find on social media (Facebook, LinkedIn, etc.)

In our opinion, this move clearly lowers the online security level of one of the leading retail banks in the US.