Based on the discussion here:
I would like to suggest the removal of SMS for any and all forms of authentication as it is an incredibly insecure way to log in to a financial product.
SIMjacking is a serious and very frequent issue; it is very easy for a scammer to accomplish and can be used to take over financial products and email accounts fairly easily if the user has not secured them in other ways.
Cyber security experts all the way up to GCHQ keep warning against using SMS for any form of financial transaction verification; for example, here is a tweet linking one such warning:
A lot more advice against SMS can be found from many cyber security experts.
It is admittedly not easy to design a secure login flow that is also user-friendly enough to not put off customers. The obvious choice of hardware tokens would be beyond most average customers (plus it necessitates extra expenditure on the customer’s end which is never a good thing to ask).
Nevertheless, banks have made a habit of sending hardware devices (either TOTP generators or HOTP card readers) for web banking login, showing that they are taking security seriously, to the level of mildly inconveniencing customers in order to keep them safe.
Starling Bank has gone even further: you cannot log in to the app on a new device unless you submit a video of yourself quoting a passcode that appears on screen. This takes a while the first time you do it (if you buy a new phone, factory-reset, etc.), but the app always remains logged in afterwards, so it’s a very small inconvenience.
For the Curve app login, the first factor could be a password or email link. The 2nd factor could be a hardware token like a Yubikey (perhaps offered for free in paid tiers?), or a TOTP code (customers should be well used to these by now as a lot of online services use them and strongly recommend them).
This is obviously only for the first login to a new device; fingerprint or local PIN can be used from there onwards.
With regard to transaction confirmation, if 2FA were to be applied to them, an in-app push notification would be the best way to do this.