by salusinarduis 1715 days ago
Some will, however I have heard some of these apps have janky hooks into Android's trust system which will break them on non-google distros.

Personally I wouldn't suggest having banking apps on a phone.

You can always use the web browser if you absolutely must access those accounts.


Most banks in the EU require phone-app-based confirmations for transfers and other operations (under the PSD2 directive).

Visa and Mastercard also introduced the 3D Secure system, which piggybacks on the same system of confirmations. Vendors are incentivised to adopt it by lower rates.

In essence, when paying with a card or making a wire transfer (or using some instant transfer method, for example Blik in Poland), you get a notification on your phone asking you to confirm the operation, even if you initiate it from your account in the browser.

In essence, bank apps have become 2FA devices. The only way to avoid it is to opt out of the app 2FA and use a paper one-time code pad. You then regularly get sent a list of codes by snail mail, which you have to type in to confirm operations.

It depends per bank; mine discontinued the paper OTP pad as well as the SMS codes, and gave me a separate 2FA device when I didn't want to use their app. I don't think banks can force you to have a smartphone yet.
> I don't think banks can force you

They can and do. There are a number of banks where you have absolutely no choice.

You have a choice to not be their customer.
Unless of course they are all equally bad :)
Does nobody in the EU do computers? How do they pass asinine laws like this? I mean, from the outside, it always appears as though the EU is much better than the US when it comes to consumer rights, but it always feels like they don't have a very good grip on technology.
Where I live, the authentication systems implemented by banks are also used for verifying user identity to various other services, including governmental ones.

Basically, there's a common (government-backed) user identification system which hooks up to interfaces that banks provide. When you're logging in to an online service that requires strict identification of the user (such as ones that would require an official id document if done in person), you first pick the bank you're using, and the service forwards you to the bank's website. Once you log in with your bank credentials, the original requesting website gets informed that you've provided valid login information, and the identity that the login matches with.

I don't know the exact technical details of how that works, but essentially the bank also acts as a user identification service for various official and governmental online services. It's treated as similar to proving your identity with a document, or to signing a document with your signature.

I don't know if this is a common thing in other European countries, but if it is, that might be a reason why the EU has an interest in enforcing 2FA.

You're not strictly required to use a smartphone, as at least my bank has other means of 2FA that satisfy the regulatory requirements, but they are more cumbersome.
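The bank-as-identity-provider flow described in the comment above (service redirects you to your bank, the bank confirms who you are, the service is told the result) is, at its core, a federated login with a signed assertion relayed through the user's browser. The following is an added example, not code from the thread or from any national scheme, modelling that flow so the checks the relying party must do are visible. Assumptions: the bank signs assertions with an HMAC over a secret it shares with the relying party (real deployments use public-key signatures, typically SAML or OpenID Connect tokens); names such as `tax-portal`, `examplebank` and the customer record are constructed.

```python
"""Toy model of bank-backed identity federation (added example, not from the
thread): a relying party (RP) redirects the user to their bank, the bank
authenticates them and returns a signed identity assertion, and the RP checks
signature, audience, nonce, validity window and single use before trusting it.
Assumption: an HMAC shared secret stands in for the bank's signature."""
import base64
import hashlib
import hmac
import json
import secrets
import time

BANK_SECRET = b"constructed-demo-secret"  # assumption: shared with the RP out of band


def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class Bank:
    """The bank side: authenticates the customer and signs an identity assertion."""

    def __init__(self, name: str, secret: bytes):
        self.name, self.secret = name, secret
        # constructed customer record; a real bank checks credentials plus its own 2FA here
        self.customers = {"alice": {"sub": "ID-1234", "name": "Alice Example"}}

    def login_and_assert(self, username: str, audience: str, nonce: str, now=None) -> str:
        cust = self.customers[username]
        now = int(time.time() if now is None else now)
        claims = {"iss": self.name, "sub": cust["sub"], "name": cust["name"],
                  "aud": audience, "nonce": nonce, "iat": now, "exp": now + 60,
                  "jti": secrets.token_hex(8)}
        body = b64(json.dumps(claims, sort_keys=True).encode())
        sig = b64(hmac.new(self.secret, body.encode(), hashlib.sha256).digest())
        return f"{body}.{sig}"


class RelyingParty:
    """The government or online service: starts the flow and validates the result."""

    def __init__(self, name: str, bank_secret: bytes):
        self.name, self.bank_secret = name, bank_secret
        self.pending = {}      # state -> nonce issued for that login attempt
        self.seen_jti = set()  # replay cache of accepted assertion ids

    def start_login(self, bank_url: str):
        state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.pending[state] = nonce
        return f"{bank_url}?aud={self.name}&state={state}&nonce={nonce}", state

    def finish_login(self, state: str, assertion: str, now=None):
        nonce = self.pending.pop(state, None)  # state is single-use
        if nonce is None:
            return None, "unknown or reused state"
        try:
            body, sig = assertion.split(".")
        except ValueError:
            return None, "malformed assertion"
        expected = hmac.new(self.bank_secret, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(unb64(sig), expected):
            return None, "bad signature"
        claims = json.loads(unb64(body))
        now = int(time.time() if now is None else now)
        if claims["aud"] != self.name:
            return None, "assertion issued for another service"
        if claims["nonce"] != nonce:
            return None, "nonce mismatch (assertion not bound to this login attempt)"
        if not claims["iat"] <= now < claims["exp"]:
            return None, "assertion expired"
        if claims["jti"] in self.seen_jti:
            return None, "replayed assertion"
        self.seen_jti.add(claims["jti"])
        return {"sub": claims["sub"], "name": claims["name"]}, "ok"


def demo():
    """One successful login followed by a second submission of the same result."""
    bank = Bank("examplebank", BANK_SECRET)
    rp = RelyingParty("tax-portal", BANK_SECRET)
    redirect_url, state = rp.start_login("https://bank.example/login")
    nonce = redirect_url.split("nonce=")[1]            # what the bank reads from the redirect
    assertion = bank.login_and_assert("alice", "tax-portal", nonce)
    identity, status = rp.finish_login(state, assertion)
    _, replay_status = rp.finish_login(state, assertion)
    return identity, status, replay_status


if __name__ == "__main__":
    print(demo())  # ({'sub': 'ID-1234', 'name': 'Alice Example'}, 'ok', 'unknown or reused state')
```

The design point is that the bank never talks to the service directly in this model; everything travels through the user's browser, so the relying party has to verify the signature itself and bind the assertion to the login attempt it started (the `nonce`) and to itself (the `aud`), otherwise a valid assertion obtained for one service could be presented to another.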

> Where I live

Do you live in Denmark perchance?

> I don't know if this is a common thing in other European countries

There is a similar system implemented in Poland and it works very well.

I don't think this was driven by law, but by an appropriate wish to increase transaction security (you really shouldn't use SMS for this anymore).

There are some rules here that are nonsense, such as know-your-customer laws that force me to enter my home address even when the product or service (say, a concert or train ticket) is delivered to me entirely electronically.

Most of the move to purely electronic payment is driven by the market and the large banks; e.g. in the Netherlands we actually never had laws that force shops to accept cash as payment.

I agree that you shouldn't use SMS. My point was that unless the law (if there is one) requires that 2FA be enabled in an accessible way, the banks will do their own thing with the phone push notification system. The 2FA situation is quite bad in the US too, but a small number of banks do offer TOTP.
This whole situation caused me to throw up my hands in Thailand and now I pay for most everything in cash since it's still a cash-friendly nation.
It's hard to explain, but Poland got hooked on mobile payments/banking; adoption is very high and one of the major players is home grown.
Btw, I live in Poland, and I use my banking app for internet payments and NFC payments using a Pixel with CalyxOS.

So it's possible to do that with some of the banking apps.

> separate 2FA device

FYI, in New Zealand a few banks can provide a device (e.g. RSA SecurID) for proper non-bank 2-factor auth with consumer accounts. However, some major banks only use phones for 2FA (app or SMS).

The norms seem to vary considerably depending on country.

Which banks provide a device?
I have had SecurID tokens for ASB and SBS accounts. I have been told Westpac does not provide secure 2FA. I am not sure about other banks.
Didn't know this was driven by PSD2. As much as I appreciate the convenience, I still find the whole drive fucking annoying - especially that, with all the talk about data portability, I still can't get a simple API endpoint I could point a script at to fetch me my account's balance.

Yes, I'm bitter. If there's ever a bank that puts end-user automation first, I'll switch in a second.

With all the banks I've tried over the years, I always check for this feature, sometimes asked, and never got what I wanted. "No, the API is only available for our 100k a month or more users" is the closest I got.

However, when I really wanted a solution I built a small service that receives the confirmation SMS most banks offer and pushes my balance into a small API.

If you are in the UK, Starling offers a relatively simple API.
My bank uses SMS. It's simple and platform agnostic: even a Nokia 3310 is compatible x)
Also not very safe. An attacker can duplicate your SIM. This way he can call the bank and use the mobile number to restore bank account details. At least in Poland.
The number one reason to use a banking app on your phone is to deposit a paper check by taking a photo of it. I am not aware of a bank that lets you do that from a webpage.

Vanguard works on my completely google-free phone, although I had to change the OS language to English because w/ Android set to French their app would force the use of commas as the cents separator, then complain that commas are not a valid character. Another fun thing was it uses its own internal camera app, which would focus the preview, then completely ignore the focus setting and take a blurry photo of the check. Eventually I figured out the camera's default focus length and take the photo from that distance.

I will try to do so with the web account; however, I doubt it will work.