The security changes make the system more secure.

Although challenge questions were once a good way to provide extra security, financial industry regulators have decided that they are no longer sufficient.

The intent of the extra layer of security is to use multiple factors (which is why the extra security measures used by financial institutions are often referred to as multi-factor authentication or MFA). The three types of factors are something you know, something you have and something you are. A good MFA security system should use at least two of the three. So what does that mean? Usernames and passwords are something you know. Most institutions use “something you have” as the second factor. In most cases, the user’s own computer was used. If the computer was unrecognized, the problem became figuring out how to allow a user to verify the computer.

Pass codes help solve that problem. Your own phone or email address is “something you have” and allows you to authenticate using two distinct factors. But let me provide a bit of a warning: you are far better off using a phone number as the second factor than an email address. If a criminal has compromised your computer in such a way as to be able to capture your username and password, they may also be able to capture your login to your email account. If you use only your phone for pass codes, you increase your level of security dramatically. Though pass codes through email are less secure, we allow them for practical reasons, as not everyone has access to a phone when logging in to a new computer.