Thats ... false. Every bank I have used in Denmark allows me to log in and do all operations without an app. They require authentication and authorization using the national digital identity (MitID) which comes as an app, but also as a TOTP token and a FIDO (or similar) chip. No apps needed.

I guess the smartcard reader is equivalent. But my point is that locking down the OS of the phone is sufficient to establish client trust but not necessary. You should always be allowed to run the app without strong Play Integrity verification but then just be required to scan your hardware token with NFC in every authentication and authorization flow.

That's mostly prevalent in third-world countries like Brazil. I work for a fintech-turned-bank here and the biggest problem we have to deal with is fraudulent actions made by scammers who got access to users' accounts via social engineering. Outsiders don't know how prevalent scamming is in Brazil and how much is spent/lost trying to fight them and how that shapes the security vs convenience landscape. For example:

- I can't transfer a single cent if I didn't had my face and documents scanned after installing the bank app.

- I can't have the same bank account logged in two of my devices at the same time, all banks require you to use an account on a "verified" device (previous point).

- If I want to use a desktop to access my bank account, I have to either install a desktop client provided by the bank or be limited to just checking my balance. Some banks doesn't even allow you to log in if you don't have a "verified" device for doing 2FA.

I am very sure my higher ups are cheering with these news, even though it solves none of the problems.

In the US too. I have never ran into a situation where I had to use the app instead of the browser. I don't know what that guy is talking about.

My US bank removed check deposits from the browser about a decade ago, and I haven't met anyone who can use Zelle without an app.

That is a far cry from the original comment "banks have never accepted browsers".

I have used zelle many times from the browser. It's been a while, so maybe that has changed, though. I never even tried to deposit a check from the browser or an app, so you may be right on that point.

I have 3 different banks (well 2 banks and a credit union.) I can use Zelle in my browser from all 3. I don't even have the app installed for 2 of them.

Hmm...I wonder if it matters which browser is being used.

In my country almost all banks removed their web apps. They existed like 15 years ago, before smartphones became widespread, but nowadays very few banks offer web apps, only mobile apps.

That's exactly what I'm saying. They don't let you take actions using only a web browser. If you don't use a mobile app they issue you with trusted hardware that performs a similar function (although usually less secure and not as convenient).

My bank does still allow login and txns to be authorized with a smart card reader. You have to type in fragments of the account number to authorize a new recipient. After that you can send additional transactions to that account without hardware auth.

Pure NFC tokens don't work because you need trusted IO.

Not necessarily. In Poland you can do banking with a web browser + SMS code or one-time code card, no special hardware needed.

An SMS code can only be received by a phone (special hardware, not a browser). An OTC smart card is likewise special hardware, not a browser.

Google voice is not special hardware. You’re confusing attestation with 2fa and that’s why you’re getting downvoted.

Yeah but Google Voice isn't something you're meant to use to receive SMS codes. That's very US specific, and if you go there you've undermined the security the bank was trying to provide.

The reason they used SMS codes for a while is because phones have always tried to block malware from reading your screen or SMS storage whereas PCs don't, and because phones can do remote attestation protocols to the network as part of their login sequence. The SIM card contains keys used to sign challenges, and the network only allows authorized radio firmwares to log on. So by sending a code to a phone you have some cryptographic assurance that it was received by the right user and viewed only by them.

2FA and RA are closely related for that reason. The second factor is dedicated hardware which enforces that only a human can interact with it, and which can prove its identity cryptographically to a remote server. The mobile switching center, in the case of SMS codes.

Obviously, this was a very crude system because malware on the PC could intercept the login after the user authorized, but at least it stopped usage of the account when the user wasn't around. Modern app based systems are much more secure.

Don’t know what to tell you dude but you’re really out of touch on this one. Anyone with osx and iPhone also gets text messages on their laptops.

The SMS stuff seems like theatre when SS7[1] has been known to need a nuclear-powered auto bailer for how porous it is.

[1] https://en.wikipedia.org/wiki/Signalling_System_No._7

... which is why none of the banks I've used support it for many years now. It's a legacy example. Modern banks all rely on apps that bind to the secure element in the phone or they issue a smartcard reader.

Not all modern banks, e.g. Santander Bank in Poland still uses one-time SMS codes.

Alright, I think I misunderstood you. I know most banks allow alternatives other than the app.

But just the fact that there are options which have the side effect of making you choose between convenience and digital autonomy is wrong, and I don't think remote attestation should even exist in the toolbox. We should make dedicated hardware solutions work better instead.

Dedicated hardware solutions are remote attestation. The smartcard OTC readers are doing exactly that: you sign a challenge with a private key that never leaves the smartcard and is paired to the bank at the factory. This is what remote attestation is doing behind the scenes, the only difference is the smartcard user interaction is much more limited. It's of no use for protecting your financial privacy, for example, only for stopping a hacked display device authorizing transactions.

If you evolve the smartcard based systems with better I/O capabilities, then you end up with a modern smartphone. At which point you may as well let the user supply their own rather than charging them lots of money for a dedicated device that's not much different.

No, I reject the idea that general purpose computing devices should be locked down to satisfy a very narrow security use case. I really don't believe that you end up with a smartphone, and I don't think you give a very good argument for why.

I am fine with locking down devices that have very limited security purposes. I am fine with my passport containing locked down hardware if it makes it harder to forge. But I am also not browsing the web on my passport, and therefore its security requirements cannot prevent me from removing ads.

OK, use a browser that lets you remove ads then! Android isn't iOS, you can run browsers that aren't Chrome and nothing about this change would stop you installing a custom browser with whatever features you want. Your banking app doesn't care what browser you use.

You are fundamentally misunderstanding my point about freedom.

Yes, I can do it now, but this is only because Google allows me to do that on their approved Android distribution, not because they are unable to prevent me from doing it. I don't trust them to not take away that freedom from me as soon as they can be sure that they can afford the anti-trust lawsuit since their core business model is to show me ads.

I know that my bank doesn't care about my browser, but by relying on Play Integrity they are indirectly forcing me to operate in Google's control regime in every other aspect on my device.

I don't want them to control my software stack, period. I don't care if they act as the good guys right now, they have been steadily doing downhill in the moral department and I expect them to continue to do so.

I don't understand how you can act like there is no problem at all with technology like this.

I work in fintech, formerly as a contractor for some major banks, and absolutely nothing you say is true, generally.

This might be the case for a couple of banks - or maybe in one or two specific countries, but broadly, none of what you've said here applies to banks anywhere else in the world.

Which banks outside the US allow you to submit payments using only an arbitrary desktop browser, without any other device getting involved? No mobile phones to receive codes, no smartcard readers, no secure elements, nothing except a browser and a password? I have never encountered such a bank.

FWIW "SMS 2FA" or "email 2FA" can also be done from the same browser (google voice or similar, webmail) and I've used both with banks.

That said, there is one major bank I use that still allows password only.

I’m not sure why “outside the US” is a factor here, but nearly every bank in the world. Some only require email verification, some don’t even require that.

There are banking systems in some countries that do not even require an ATM/Debit card for automated withdrawals, just an account number and grouping code.

It's fascinating that people have had such different experiences here.

In my entire life, I have never banked anywhere that would let you transact or log in with just a desktop browser. You seem to be convinced this is an edge case but every bank in Europe works this way, as far as I know. There are US financial institutions that would do this, but the US financial system is uniquely fraud prone to a level just not tolerated elsewhere. It lagged years behind on chip-and-PIN cards for instance, and largely never managed to roll it out. The US treats bank account numbers as credentials and other stuff that doesn't apply elsewhere.

Just look at this thread: plenty of people saying what I'm saying. If you bank somewhere that lets people use just a browser to do transactions, you're either in an environment where fraud doesn't matter at all, or you're with a bad bank and should leave them.

Have you considered that Europe is a fractional part of the world with close international relationships to its geographical neighbors and does not represent the rest of the world's experiences?

You mention the US as lagging behind Europe, which is true - but I assure you from my experience working in international fintech from the US, there are more people in the world than the entire population of my country with even worse banking security controls by default.

> In other words, there aren't many banks that let you take sensitive actions with just a browser and that's been true since the start of online banking.

when I started online banking I used a browser and a TAN list for years. No apps required

"Browser and TAN list" is equivalent to "Browser and app". A browser can't be used in isolation, there is and was always some second factor required for online banking, but a banking app can be used in isolation.

No. The TAN list does not prevent you from removing Play Services from your device.

Granted.

Is wells fargo not a bank? It doesnt even use 2FA and you can log via a browser in a ship money all over the planet!

> Banks have never accepted browsers.

What are you talking about? My bank accepts browsers and is a major one.