by eganist 806 days ago
How would that stick? You can just sign into the bank via your web browser in the case of a nonfunctional app. The apps just give you added security assurances beyond using the web.

"The app can't function in a low security environment, but complainant is free to use the web client in such event." case dismissed

(obviously an oversimplification, but the point stands)

5 comments

This is definitely not the case everywhere.

Where I live the app is 100% needed because it's the "second factor" in the login process.

There has to be a fallback like SMS and/or automated call.
For my banks the only fallback is a hardware device that you put your card into. Before the app you had to carry this everywhere when traveling to do online banking.
SMS is magnitudes less secure than the Secure Enclave in my phone.

Fallback should never be the weakest link in a security chain. Especially not in something as high stakes as your banking login.

I can’t remember how I got my first bank token in my phone. Probably by physically showing up in the bank office with my id.

SMS 2FA is not great, but still seems to be more secure than a rooted phone.

If your SMS OTP leaks to the attacker, they still need to know the first factor (password, biometrics) to gain access.

Meanwhile, if your rooted phone is controlled by an attacker ... that's it, the attacker has everything.

Fair. I still wouldn't want to have such a fallback available by default. Being stronger than an even worse option doesn't change that, because it eliminates the security of the strongest option.
Agreed. Unfortunately almost every bank here forces me to use this less secure option "for security" due to my rooted phone. Not one has just offered standard TOTP (perhaps because the pull-only nature of it means they can't present the message explicitly telling the user what they're about to authorize. Which is an understandable qualm I guess)
> SMS is magnitudes less secure than the Secure Enclave in my phone.

The secure enclave on a rooted phone that no longer has execution integrity?

Curious, can you name this institution that only allows the app to be used as the second factor without fallbacks?
In Germany: all of them.

Well, some offer a hardware device for like 25€ that can do the same thing, but then if you have an account with multiple banks, you need multiple of these devices.

There are app-only banks too. Some of them provide a web interface, but it depends on the app to sign you into the web interface (similar to the way WhatsApp requires you to use the app to sign into WhatsApp Web).

What happens when your primary bank has been one of these app-only banks for the last 5 years, and you decide to make a technology change to your phone, and can now no longer get into your banking app?

When you reject GrapheneOS, the most secure mobile OS on the planet, but accept a no-name Chinese ROM, I feel like you can't invoke security reasons anymore.
Signing transactions usually takes you back to the 2FA app here, where the amount and receiver are repeated.

Even if someone hijacks my computer's web browser, the worst they can do is see my statements; any attempt to transfer out will pop up a prompt on the phone.

The app is for 2FA.
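Two comments above touch the same mechanism from opposite sides: the remark that plain TOTP is "pull-only" and so cannot show the user what they are authorizing, and the observation that a hijacked browser cannot move money because the amount and receiver are repeated in the 2FA app. The following is an added example (not code from the thread or from any bank's app) that makes the difference concrete. It implements HOTP/TOTP as specified in RFC 4226 / RFC 6238 and then a simplified transaction-bound code that folds a canonical encoding of receiver and amount into the key, so a code generated for the transaction the user saw cannot be replayed against a swapped receiver. The seed, account identifiers, amount and the key-binding construction are constructed for illustration; real banking schemes (pushTAN, photoTAN, chipTAN and the like) differ in detail.

```python
import hashlib
import hmac
import struct

# Constructed demo seed; not a real key and not tied to any bank.
SECRET = b"constructed-demo-seed-not-a-real-key"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` steps of clock skew.
    Note what is missing: nothing about the transaction enters this check."""
    counter = at // step
    return any(
        hmac.compare_digest(hotp(secret, counter + d), code)
        for d in range(-window, window + 1)
    )


def _bound_key(secret: bytes, receiver: str, amount_cents: int) -> bytes:
    # Hypothetical binding: derive a per-transaction key from the seed and a
    # canonical encoding of the data the app displays ("what you see is what you sign").
    challenge = f"v1|{receiver}|{amount_cents}".encode()
    return hmac.new(secret, challenge, hashlib.sha256).digest()


def transaction_code(secret: bytes, receiver: str, amount_cents: int,
                     at: int, step: int = 30, digits: int = 6) -> str:
    """Code the 2FA app would show after repeating receiver and amount to the user."""
    return hotp(_bound_key(secret, receiver, amount_cents), at // step, digits)


def verify_transaction_code(secret: bytes, code: str, receiver: str, amount_cents: int,
                            at: int, step: int = 30, window: int = 1) -> bool:
    """The server recomputes the code over the transaction it is about to execute,
    so a code minted for different receiver/amount data does not verify."""
    return verify_totp(_bound_key(secret, receiver, amount_cents), code, at, step, window)


def browser_hijack_demo(at: int = 1_700_000_000) -> tuple:
    """Returns (totp_accepts_swapped_receiver, bound_code_rejects_swapped_receiver).

    Scenario from the thread: the user approves a transfer to `receiver`, but a
    hijacked browser submits `swapped` to the bank instead.
    """
    receiver, amount = "ACCT-LEGIT-001", 12_500   # constructed: what the user intended
    swapped = "ACCT-ATTACKER"                     # constructed: what the browser sends

    # Plain TOTP: the code is independent of the transaction, so it still verifies.
    code = totp(SECRET, at)
    totp_accepts_swapped = verify_totp(SECRET, code, at)

    # Transaction-bound code: minted for the receiver the user saw in the app.
    bound = transaction_code(SECRET, receiver, amount, at)
    bound_rejects_swapped = not verify_transaction_code(SECRET, bound, swapped, amount, at)
    bound_accepts_legit = verify_transaction_code(SECRET, bound, receiver, amount, at)

    return totp_accepts_swapped, bound_rejects_swapped and bound_accepts_legit


if __name__ == "__main__":
    print(browser_hijack_demo())
```

The `hotp`/`totp` functions reproduce the published RFC test vectors (seed `12345678901234567890`, counter 0 gives `755224`; time 59 with 8 digits gives `94287082`), so they are the standard algorithm; the binding step is the added part, and it is exactly what a pull-only TOTP display cannot provide, since the phone never learns the transaction it is authorizing.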