> it's pretty rare for me to see a financial company offer the option to set up an Authenticator 2FA
As a data point, USAA (which is not the biggest bank, of course, but it is not tiny either) has supported TOTP for years. There are probably others, but at least some banks support relatively modern security.
My credit union supports TOTP. They also sent me a one time code generator thingy that I can use as a 2nd factor. Trouble is, there's a big link on the login screen that will allow anyone to bypass those options and fallback to SMS or email.
And the other weak link -- people. My wife had several thousand dollars stolen from her account at USAA because someone called and managed to convince the phone rep to give them the login name and reset the login password. You'd think this kind of request would end up in the security department (where presumably the base level of suspicion is much higher), but nope. Took them six tries to reach a phone rep that would do it. Again, you'd think that multiple consecutive calls and getting denied would cause all future calls to automatically end up in the security department, but nope.
The head security guy at USAA and I had a talk where he explained in some detail how it all went down. He was refreshingly honest, and they didn't balk at getting our funds restored, but still -- humans are often the weakest link when they can defeat all of your security precautions. Probably the bank shouldn't give phone reps that much authority, and always require a dedicated security team response for such unusual situations.
As a data point, USAA (which is not the biggest bank, of course, but it is not tiny either) has supported TOTP for years. There are probably others, but at least some banks support relatively modern security.