It feels weird that I'm now grateful for how crap they are.
The average person is very likely to have malware on their computer, but not on their phone.
I installed lineageOS, which is passes the Google SafetyNet check out-of-the-box. So most things just work, including my local Credit Union's app.
But lineageOS fails the CTS profile check on my phone. Fidelity checks this after you log in and shows a "For security reasons your account has been blocked..." message.
So I had to root the phone to install a CTS profile fixer, and then more hacks to hide the fact it was rooted.
After that Fidelity worked, but requested root permission every time I launched it until I figured out how to permanently disable that.
Netflix was similar, but not quite as annoying.
For example it is currently the reality in EU, that in order to use any of the native banking apps, a user has no choice but to expose themselves to privacy violations by either Google or Apple, i.e. US companies.
While at least one alternative exists, https://grapheneos.org/articles/attestation-compatibility-gu..., these alternatives are not being used in practice.
I see no way of preventing this happening on the web as well, if the Web Environment Integrity API ships.
Is that sarcasm? Their computer is likely more secure than the jungle of manufacturer modified roms where who knows what's inside.
Because their customers aren't security nerds that have smartphones with authentication apps.
They want people that barely get smartphones, or still use feature phones, to be able to access their services with some improved security workflows.
Maybe web is the right platform for these. But of course Google will use this to close things down.
IMO much bigger issue is that significant amount of non-banking sites that are now trying to shame user with "disable adblocker to continue" messages (easily bypassed) will start requiring this. Or Twitter/Reddit/etc., in the name of "fighting bots" of course, nothing to do with ensuring you are watching their ads...
Every financial i use (half a dozen) have an app
Unless you have billions at a bank, I don't see why any bank would even consider changing how their website works because of a single customer. And, well, real billionaires probably don't care about not being able to use a website on Firefox.
I got codes via SMS when I installed those apps and I had to prove that I owned the phone number I was associating with the app.
My bank calls me once every few months, if everything is ok, and if there are is something that is bothering me and could be improved, or if they can help with something. At first I thought it is some marketing program and some manager has to achieve some KPIs, but surprisingly, they did listen to suggestions (it took time, but they eventually did).
So you never know, if you never try.
1. From what I've seen, the PSD2 APIs haven't really been created with end users in mind – there are non-trivial accreditation requirements on people/entities wishing to make use of those APIs, the expectation being that only professional middlemen will dally with those APIs.
2. The PSD2 APIs don't necessarily cover the full functionality of a bank's online banking functionality.
3. While you can probably still get quite far with "just" the ability to query the current account data and recent transactions, as well as being able to initiate payments, this doesn't sidestep the bank's authorisation requirements – meaning that unless you can use a hardware TAN generator or something like that, you're still dependent on the bank's app for payment and account access authorisation.
Business account is in different bank, and the communication there was much harder (obviously by someone not trained in communication and having to talk to me as unplanned part of their job). The fees are lower, though.
So it doesn't seem to be by the amount of $$$ on the account.
The solution is diversity and using browsers that respect users. Chrome only has the power to push this API because they own most of the market.