So, apparently #RegionsBank, which does not offer token or app authentication, uses easily-spoofed browser-provided data to determine whether or not to trigger its SMS #2FA authentication.
It's insane to me that a *#Bank* of all places could be such a failure on basic #DigitalSecurity measures.
Guess I need to start shopping around for a new account.
