Originally Posted by
invisible
Seems it is implementation dependent because 3D secure in Asia means SMS code only.
Exactly. It is up to the issuing bank what they want to ask for on the 3D Secure page.
One time passwords make the most sense (though SMS isn't necessarily the best way to get those). Or a FIDO U2F USB token, but that would be the day.
Most banks though just use more knowledge. Or nothing. Sigh.