Meanwhile a bunch of crappy apps like $BANK1 use Symantec's implementation which is just TOTP with extra steps (there's a Python script out there that masquerades like a macOS device to get you the raw TOTP code) and $BANK2 & $BANK3 only allow TOTP inside their application (security through obscurity). Icing the cake, most that prompt for a third-party option say something like “Scan the code with Google™ Authenicator™” instead of using a generic term. Why is it so _hard_ for folks to support generic TOTP?

Fortunately you can undo these steps for $BANK1 and use your TOTP authenticator of choice: https://github.com/dlenski/python-vipaccess

e: I think you added a reference to this as I was writing my comment :)