by XorNot 256 days ago
This is the real problem: I need my phone to work with my bank. So whatever we're doing, that's the bar to clear.
4 comments

Buy the cheapest updatable phone that will work for your bank (probably a used iPhone) and use a free OS for everything else.
No, I don't want to buy, take care of, and carry around 2 devices at all times. I'm not a drug dealer.
You don't have to carry two phones. The idea is that the second phone stays home powered off and is used as an access token for the bank's website. There is no reason to carry it around. Pay cash in stores or use a credit card when cash is inconvenient.
I think this is a pretty outdated view of banking. I open a banking app at least a few times a day. In the EU just about every online transaction has to be approved in the app, we also use various payment apps for quick person to person transfers, use the app to generate disposable virtual cards for online purchases, etc.

I could cut myself off from the modern financial world and just use online banking like it's 2010 but that's a pretty big ask.

Is this an EU-specific thing? In North America I've never installed a banking app, don't even know if my institution even has one.
The US is way, way behind in banking P2P technology / fintech adoption. In many parts of Asia, even uneducated street vendors now accept digital payments via mobile phones (that's how easy it is). See - https://www.forbes.com/sites/pennylee/2024/04/17/the-us-lags... and
Not a drug dealer but perhaps a bank dealer
so only drug dealers use two phones?
Pretty much, yes. Drug dealers and people who are getting paid to carry a second device for work by their employer. I am neither.
I'm sure you have evidence for this, I am certainly not fitting into your frame.
I use 4 different banks, they all work with GrapheneOS.
I use 3 banks, they all work as well. Plus they're all on a separate user profile, which makes it even more secure.
Is there something important in banking apps that cannot be done with a web browser?
My bank uses the banking app for auth if I try and login via a browser.
Barclays in the UK offer (or used to) a hardware device with a keypad allowing the user to do a challenge-response using the bank card's chip and PIN. Not sure if they still do, though.

Edit: https://en.wikipedia.org/wiki/Chip_Authentication_Program

What if one doesn't own an android/iphone device? Banking is a fundamental need, so most countries regulate them to cater to a wide range of users. In this case it's possible that the bank could be compelled to provide you a 2FA device if you don't have one.
I don't think there is such regulation. Many banks simply do not have any other means of authentication any more. They can't give out 2FA devices because their systems just don't support them.
Good luck with that, in Germany many public transport operators are moving into app based tickets for the monthly/yearly subscriptions.

You can still get a plastic card, however it requires paying extra and some additional forms, the reasoning being it is not environment friendly.

Do they offer a physical 2FA device? Mine does and it's really useful
That's because they're stupid or doing something suspicious, probably both.

There's legitimately zero reason to allow 2FA only on your own proprietary app. You can't even make a financial argument - allowing other TOTP methods is cheaper because now you don't need an app!

Unfortunately the EU regulation makes the truly user controlled 2FA methods essentially non-compliant.

https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...

> Article 7 Requirements of the elements categorised as possession

> 1. Payment service providers shall adopt measures to mitigate the risk that the elements of strong customer authentication categorised as possession are used by unauthorised parties.

> 2. The use by the payer of those elements shall be subject to measures designed to prevent replication of the elements.

This says something along the lines of "it should be hard to extract the TOTP secret".

However if you can get so far as to get the secret from the TOTP app, you can as well back up the entire phone and restore elsewhere, can't you?

No, because phones that lock keys in hardware effectively prevent that, and that works only with hardware that prevents its owners from having full control and doing what they want with their hardware.

"Unextractable keys" works with hardware that you don't "truly own".
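To make the replication point concrete, here is an added example (not code from any commenter or from any bank) that implements RFC 6238 TOTP over RFC 4226 HOTP, checks it against the SHA-1 test vectors published in RFC 6238 Appendix B (secret is the ASCII string "12345678901234567890", 8 digits, 30-second step), and then contrasts a software token whose secret can be exported with a stand-in for a hardware-bound key. The `SoftwareToken` and `HardwareBoundToken` classes are assumptions for illustration: the second one merely simulates a secure element by refusing to export, it is not a real StrongBox or Secure Enclave API.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP with T0 = 0: the HOTP counter is the number of elapsed time steps."""
    return hotp(secret, unix_time // step, digits, algo)


# Published RFC 6238 Appendix B test secret for the SHA-1 variant (not a real credential).
RFC6238_SHA1_SECRET = b"12345678901234567890"
RFC6238_TIMES = (59, 1111111109, 1111111111, 1234567890, 2000000000, 20000000000)


def rfc6238_vectors() -> dict:
    """Map each RFC 6238 test time to the 8-digit SHA-1 code this implementation produces."""
    return {t: totp(RFC6238_SHA1_SECRET, t, digits=8) for t in RFC6238_TIMES}


class SoftwareToken:
    """Hypothetical TOTP app: the seed sits in ordinary storage, so a backup can carry it away."""

    def __init__(self, secret: bytes):
        self.secret = secret

    def export(self) -> bytes:
        # Backup/migration path: the possession element leaves the device intact.
        return self.secret

    def code(self, unix_time: int) -> str:
        return totp(self.secret, unix_time)


class HardwareBoundToken:
    """Hypothetical stand-in for a key held in a secure element: it can compute, never export."""

    def __init__(self, secret: bytes):
        self._secret = secret  # in real hardware this never exists in application memory

    def export(self) -> bytes:
        raise PermissionError("key is non-extractable")

    def code(self, unix_time: int) -> str:
        return totp(self._secret, unix_time)


def clone_produces_same_codes(token, unix_time: int) -> bool:
    """Attempt to replicate the possession element; True means the clone is indistinguishable."""
    try:
        clone = SoftwareToken(token.export())
    except PermissionError:
        return False
    return clone.code(unix_time) == token.code(unix_time)


if __name__ == "__main__":
    for t, c in rfc6238_vectors().items():
        print(f"T={t:>11}  code={c}")
    seed = b"constructed-demo-seed"
    print("software token clonable:", clone_produces_same_codes(SoftwareToken(seed), 1700000000))
    print("hardware token clonable:", clone_produces_same_codes(HardwareBoundToken(seed), 1700000000))
```

The test vectors show the arithmetic is right; the two token classes show why "hard to extract the secret" and "prevent replication" collapse to the same property: once the seed can be read out, a second device generating identical codes is one constructor call away, which is exactly what a non-extractable hardware key is designed to rule out.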

> That's because they're stupid or doing something suspicious, probably both

Small comfort for whoever needs to use that bank. This is the disconnect geeks and Free Software need to bridge to make any headway.

I mean, I concur, but ultimately I can't fix shitty banks being shitty. No geeks can. Banks have been shitty for a long, long time.

Do you know how we usually stop them from being shitty? Forcefully, with legislation.

It costs basically nothing to change banks. You sign up to a new one and they transfer your account and direct debits. You just tell your employer where to send your next salary payment.
Sometimes it’s more complicated than that. And the other banks aren’t any less “stupid”.