Maybe it's a French law or something.

I've had business and personal accounts with SG, La Banque Postale, BoursoBank and CIC and they all worked with those 6-character "visual number pad" logins.

I doubt it. N26, which is granted a "new bank", doesn't have that, even though it now has an actual French subsidiary, complete with French account numbers. My password with them is way above 6 characters, and contains numbers, letters and symbols. The login page has a regular password field.

I think the others are just copycats. Someone must have come up with this first, and the others figured "yeah, that looks so secure, let's do that, too". If I had a penny for every CSO who justified some stupid "security" idea with "everybody does it, why shouldn't we?" I'd be so rich I wouldn't care about this crap anymore.

Surely that must afoul of some sort of French laws regarding accessibility?

How are blind people supposed to use this UI?

To be honest, I'm neither a web dev/designer nor do I have bad sight, so I admit I don't really know how accessibility works. I expect this to be compatible with screen readers somehow, they even say they take this seriously. But from a quick glance at the Accessibility tab in Firefox, I see many complaints about "interactive elements must be labeled".

Obviously, if the computer reads aloud the password as you type it, it's an absolute win for security, and I'm sure some PMs somewhere are quite content with a job well done.

For the curious, here's the login page: https://mabanque.bnpparibas/fr/connexion

La Banque Postale actually has a toggle button to make the computer read the code out loud as you type it.

It's no big deal... you'd need to be blind to miss someone nearby listening in!