by y-c-o-m-b 39 days ago
I keep seeing this, but I've never signed into a single one of my banks, mortgage companies, stock brokers, or credit card companies on my phone. The phone might be used to get a code for 2FA via text, but that's the extent of it. Everything is done on my PC through a dedicated browser specifically for financial purposes. This applies to Chase, Fidelity, Schwab, Wells Fargo, Marcus, Morgan Stanley, Amex, and more. So theoretically there's no reason a Linux OS on a phone can't do any of these things without Google or Apple by simply masquerading as a PC.

I think the disconnect comes from the European vs. the US perspective. In Europe, banks in many countries require smartphone apps for 2FA (unless you still have one of the old authenticators that you can hold on to until the battery dies). One of the reasons is that PSD2 requires two-factor authentication:

https://www.betaalvereniging.nl/en/knowledge-base/digital-id...

My guess is that given that banks are liable in many cases of account compromise where the user did not do anything wrong, they generally don't use SMS or e-mail auth because it is relatively easy to compromise (e.g. no or bad encryption, downgrade attacks, etc). Also, doing 2FA through a smartphone app is much cheaper for them than keeping a fleet of authenticators running.

Luckily, it looks like PSD3 is going to require access without a smartphone too:

Require payment services providers to ensure that all users can benefit from methods to perform SCA which are adapted to their needs and situations and, in particular, that those methods do not depend on one single technology, device or mechanism, for instance on the possession of a smartphone.

https://ec.europa.eu/commission/presscorner/detail/el/qanda_...

So things are looking up in that respect.

TIL about PSD3. Thank you.