This seems like such a simple problem to solve on the institutional level. Allow a person to have 3FA. Two phone numbers being required to log in - yours and a trusted person's.
I would have that setup for my parents so that if they ever called me for the 2nd code, I could ask questions about why they need it.
While I’m not too worried about my 83-year-old mom (she is more tech savvy than most and has been using computers since 1986), I do worry about my dad if my mom passes first. He’s a lot more gullible.
You could reduce it to a single hardware security key without a password and it would be more secure. The problem—in this case and in general—is using passwords and OTPs for anti-phishing; with a hardware key, there is no way for the phishers to gain access to the account (without being in the room or in possession of the key), even if they successfully convince their victim to log in.
There are scams where they tell the user to do stuff themselves, even as far as to tell the victim to take all of the money out and deposit it in a bitcoin account.
This is silly. If the person believed this was the bank, the 3rd code would be used. Best answer is don't answer phone calls and force people to send letters.