Yeah, but the core issue is that all apps for digital services, both private and government, at least in my EU country, are only shipped for the iOS/Android duopoly.
So having yet another 100th FOSS linux phone that won't run those apps is pointless until apps for these phones are shipped with feature parity, and they probably won't get shipped until these phones reach some critical mass adoption, and they won't get critical mass adoption because they don't run the popular apps.
If this is similar to LineageOS, then it's always potentially only a matter of time until some banking and payment apps stop working due to failing security attestation pushed by a Google update.
We need native apps that pass attestation out of the box for that phone/OS, not relying on hacks that may or may not work in the future.
This is not good UX and it poisons the well if you push users to a new platform then they discover some apps don't work as you promised.
Because FIDO2 is not enough for non-tech-savvy people.
The main issue is potential confusion about what transaction they’re actually signing. For example, a malicious browser extension can pretend the site sends money to X while actually sending it to Y.
The European PSD2 directive mandates that the 2FA scheme must let the user see what they’re about to sign. At the very least, that includes the amount and part of the recipient’s IBAN. FIDO2 doesn’t have that.
It’s the reason I own a device that looks like this [0]. Without it, I wouldn’t be able to transfer money at all due to the lack of banking apps that work on Linux phones.
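As an added illustration of the "what you see is what you sign" point above (this is example code, not part of the original comment or any bank's real protocol): a simplified model of a PSD2-style dynamic-linking token, where the device displays the amount and the tail of the recipient IBAN and then computes an authentication code over exactly those values plus a server challenge, next to a challenge-only assertion in the FIDO2 style that binds nothing about the transaction. The HMAC-with-shared-key construction, the sample IBANs, the key and the challenge are all assumptions made up for the demo; real tokens use per-device secrets or asymmetric keys, and the WebAuthn assertion format is more involved than a single MAC.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    """What the bank is being asked to execute."""
    amount_cents: int
    recipient_iban: str


def device_display(tx: Transaction) -> str:
    """Text the hardware token shows the user before asking for confirmation.

    PSD2 dynamic linking requires at least the amount and (part of) the payee;
    showing the last 8 IBAN characters is the assumption used in this demo.
    """
    euros, cents = divmod(tx.amount_cents, 100)
    return f"EUR {euros}.{cents:02d} to ...{tx.recipient_iban[-8:]}"


def transaction_code(device_key: bytes, challenge: bytes, tx: Transaction) -> str:
    """Dynamically linked code: a MAC over the displayed transaction details and
    the bank's challenge. Changing amount or payee changes the code.
    (Hypothetical scheme: HMAC-SHA256 with a shared device key, truncated.)"""
    canonical = f"{tx.amount_cents}|{tx.recipient_iban}".encode()
    mac = hmac.new(device_key, canonical + b"|" + challenge, hashlib.sha256)
    return mac.hexdigest()[:8]


def bank_verify_payment(device_key: bytes, challenge: bytes,
                        submitted_tx: Transaction, code: str) -> bool:
    """The bank recomputes the code over the transaction it actually received.
    If a browser extension swapped the payee, the code the user generated for
    the transaction they saw on the token will not match."""
    expected = transaction_code(device_key, challenge, submitted_tx)
    return hmac.compare_digest(expected, code)


def login_assertion(device_key: bytes, challenge: bytes) -> str:
    """Challenge-only assertion, modelling what a FIDO2 login proves: possession
    of the key and freshness of the challenge, but nothing about a payment."""
    return hmac.new(device_key, challenge, hashlib.sha256).hexdigest()[:8]


def bank_verify_login(device_key: bytes, challenge: bytes, assertion: str) -> bool:
    """Accepts any transaction submitted in the authenticated session, because
    the assertion never covered amount or payee."""
    return hmac.compare_digest(login_assertion(device_key, challenge), assertion)


def demo() -> dict:
    # Constructed sample values; not real credentials or accounts.
    device_key = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
    challenge = bytes.fromhex("0123456789abcdef0123456789abcdef")
    intended = Transaction(15000, "DE89370400440532013000")   # what the user sees
    tampered = Transaction(15000, "DE02120300000000202051")   # what the extension sends

    # Dynamic linking: the user confirms the displayed details on the token.
    code = transaction_code(device_key, challenge, intended)
    linked_honest = bank_verify_payment(device_key, challenge, intended, code)
    linked_tampered = bank_verify_payment(device_key, challenge, tampered, code)

    # Challenge-only login: the bank cannot tell the two submissions apart.
    assertion = login_assertion(device_key, challenge)
    login_ok = bank_verify_login(device_key, challenge, assertion)

    return {
        "shown_to_user": device_display(intended),
        "linked_honest_accepted": linked_honest,      # True
        "linked_tampered_accepted": linked_tampered,  # False
        "login_only_accepted": login_ok,              # True, for either payee
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point the model makes concrete: the token's display is the trusted channel, and the code it produces is worthless for any transaction other than the one it displayed. A login-only factor, however strong the key, leaves the session as the trust boundary, and a malicious extension sits inside that boundary.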
In this case, wouldn't FIDO2 only be used to log into the bank's website, not to sign individual transactions? (Corresponding to Mode2 in the Wikipedia article you provided?) Would this "mode2" only usage be allowed under European law, given that there is no transaction involving an amount of money taking place?
Banks used to give us those RSA tokens in the past for securely logging in to the web UI, but then discovered they can cut down on cost since everyone has two brands of smartphones.
No doubt. At least with FIDO2, people can provide their own hardware key, and get real security rather than a rolling number generated by a compromised algorithm [1].
Your point seems to be "Some Jolla phones can run some Android apps," while GP's issue is that "It's not true that all Jolla phones can run all Android apps."