As a TD customer, this is mildly infuriating. Is there any legitimate security rationale for forcing me to install their authenticator app instead of simply allowing me to use any industry-standard TOTP app (Authy, Google Authenticator, etc.)?
Not to mention the fact that they still don't allow hardware tokens / U2F, e.g. YubiKey.
I'd like to know as well. There could very well be some auditing requirement that forces them to explicitly generate the tokens sent to users, and the people enforcing the requirement have sticks up their asses. It wouldn't be the first time that the auditors foul up something because, despite working as well as or better than what they want, it's not what they know.