Problem is a lot of apps require a locked-down device. You can't use a phone that isn't locked down in most of the world. And it will spread to PCs eventually.
The EU Digital Wallet requires hardware attestation so only it only works on locked-down government-approved OSes. That opens the door for government control of all electronic devices.
Zero knowledge proofs stops corporations from tracking you, but they don't stop the government from tracking which websites you visit.
They also require hardware attestation for them to work, which means you will be only allow to use a locked-down goverment-approved OS for age verification, and that opens the door for the government to control the software running on every device.
I doubt banks or the government would ever white list something like Lineage that's not made by some megacorporation. Also IIRC most phones don't allow you to relock the bootloader after flashing a custom ROM.
Is this yet more evidence of how utterly broken US banks are? Assuming you are referring to US banks.
For the past 20 or so years, every bank I've been with in Belgium has provided me with one of three types of hardware token:
1. An OTP token that's just a screen that displays a new 6 digit token every couple of seconds (haven't seen one of these in a few years now). This was used to supplement username/password on login and to verify every bank transfer.
2. A token with a screen and a display, which generates OTPs based on input. E.g. for a payment the bank would tell me to enter the amount + the last N digits of the bank account, the token then generates an OTP, which I can use to confirm the payment. That's what 2 of my 3 banks currently use. They have separate modes for logging in, for signing bank transfers, for signing 3D Secure online payments, etc.
3. A card reader where where I just slot in my card. I can then log in or sign payments using the card's chip & pin. This is what my third bank uses. There are a couple of variants on this, such as models which connect with USB and models which can read QR codes from your screen so you don't have to tap in anything except for your PIN.
They won't need to do that. Once Google Play Integrity starts using remotely provisioned keys in a few years it will be impossible to hide root without exploiting a hardware or firmware vulnerability.
You don't own your PC either. All modern PCs have a Trusted Platform Module that the authorities can and will use to lock down PCs eventually. Multiplayer games are already using hardware attestation on PC for anti-cheat.
I don't run any OS or games that would require such a thing. The two modern AMD cpus do have an fTPM but they are certainly not enabled in my UEFI firmware. My 3 other desktop computers including the one I'm typing to you on have no TPM and indeed this computer doesn't even have an Intel Management Engine (ME). And in my other old intel CPUs that do have ME I disable it and coreboot.
I can do whatever I want to my PC hardware and my software remains under my control. This is quite different than cell phone based computer platforms.
So, it's not locked down now. I won't lock my existing PCs I hand assembled down in the future, and I'd never buy any hardware that was locked down. In fact, I've never bought or used a smartphone because of this.
The Vietnamese government has mandated all banking apps to detect if either the phone has been rooted, the bootloader has been unlocked, or ADB is enabled and force quit if that's the case.
You already need to submit to iOS or stock Android for a myriad of banking or government apps that use remote attestation to verify that you are running "untampered" software.
FWIW this has not been my experience in the US, I've always been able to use websites for these things. I use my phone for almost nothing important since I don't trust it. But yes, I fear we are heading in that direction too.
I keep seeing this where? What banks don’t allow you to go to their website and use them from your phone? Which government apps don’t also have websites?
Not in the western countries yet, I guess. I live in Thailand and have accounts in two banks and both of them only allow usage through an app that's only available through the App/Play store. Android version of Krungthai's bank app freaks out if you have developer settings enabled (even without changing anything, just enabling the access is enough to lock you out). And to use that app in the first place, you have to go to a branch and have staff set the app for, as passing the facial scan checks is impossible for foreigners.
Several German banks (at least mine, one of the bigger ones) exclusively have you use an app for 2FA, you can still log via the website if you are lucky (as long as you have that one saved) but not do any transactions. So I would call that required.
In the EU there is Strong customer authentication [0], part of the PSD2 (Revised Directive on Payment Services).
I read as much about it from the official sources as I could about a year ago, so I might be wrong here. From what I remember even though no specific mention of Android or iOS attestation was made, a "strong" form of 2FA is needed. Stronger than TOTP.
In my country most banks I talked with require a mobile app for 2FA even if you're logging in from a desktop browser. I haven't (and will not) install a banking app on my phone, so I'm not sure if it would work if the phone doesn't pass the attestation (e.g., Play Integrity on Android). I wanted to install the app in an AOSP VM, but no bank would even send me the apk file - they all want me to download it from Google for some reason.
Another option was to pay for a hardware device from a third-party company.
I was lucky that one bank still uses SMS 2FA. It's weaker than TOTP (depending on your threat model, I guess), but I prefer it.
My other option is either to:
* have a smartphone;
* have an "approved" OS from an American company;
* have an account with said American company so I can download the app from the company's repository;
* run closed source software on my smartphone.
or to
* pay for a USB device from a third-party company;
* that barely works with Linux;
* that requires a closed source program to run;
* that doesn't work with VMs and troubleshooting was a pain (I tried).
What I want is to use TOTP. I would actually store the secret on another device, as I'm not opposed to the idea of 2FA in general. And I would be fine if my money were drained as a result of me being hacked. If I had millions in my account, I could just use a separate computer only for the banking, but still a computer I chose.
Online banking (a superset of "mobile" banking) is very important for a person to have in order to participate in society. The ability to choose what hardware and software to use is also very important. The ability to not associate oneself with third-party companies, to accept their ToS and to pay them money is also very important. Therefore, I think those things should be my rights. I'm not complaining about a gym or a pizza place requiring a mobile app here, after all.
