This already the case today, you can't run your bank's app or government eID apps on anything but Google or Apple devices.
I can log in to my bank account using my desktop PC
> government eID apps
I can sign into government websites using my desktop PC and its smart card reader and my government-issued eID smartcard. No smartphone needed.
TOTP codes would be allowed by the regulation, as would biometric approaches or separate physical tokens, but in practice every bank I've used in recent years (quite a few, mostly Spanish but also in Belgium & Switzerland) require that you accept a confirmation prompt or similar in their app.
ING in Germany forces you to either have a single Google approved smartphone or a single authenticator, not both.
DKB requires a paid Girocard to use the authenticator or a Google approved smartphone.
N26 requires a single phone but they are a bit lenient. However they have way too many incidents reported where they closed people's accounts without a reason.
The traditional banks have high fees. One pays upwards 10 - 15 Euros a month for Sparkasse or Commerzbank for a simple checking account. Using Sparkasse means you cannot deposit money outside county (yes county and country) borders. Many traditional banks have high fees for withdrawing outside the network.
So one is forced to choose between modern banks with better online experience that's tied to Google and Apple or a traditional bank with oftentimes awful online experience and high fees.
https://old.reddit.com/r/portugal/comments/1msc886/obriga%C3...
Effectively, if the client doesn't download the App, they will never be able to log into the homebanking website again. The bank enforced this and now if you login normally it will redirect to a page where you can download the app or use up one of three remaining chances to login. I am down to two. From now on, I'm only able to use ATM's or go to an actual teller to make payments and such. The app requires that I have a Google account or an Apple account and I think that's just messed up, specially for a Portuguese bank.
The app on the google store is pt.novobanco.nbsmarter if anyone is curious. It has interesting permissions as well.
Edit: This is the landing page (one login left, oh dear...) https://files.catbox.moe/x117iy.png
rsync, here you go:
Please stop spreading disinformation. I live in the EU and my EU bank supports desktop browsers + Card reader matching everything the mobile app can do.
[0] https://www.1822direkt.de/service/fragen-und-antworten/detai...
Regulations are written (at EU level) to allow X, Y and Z; somehow by the time it's implemented at member state level it miraculously only allows only X or Y, and once it gets to actual service providers (who've presumably been advised by their in-house lawyers that 'Y is bad') we end up with a choice of X or nothing.
Then if you ask anyone at EU level what's going on, they point to what the regulation says, and everyone shrugs.
"It has interesting permissions as well ..." ?
I assume a banking app needs (temporary) permission to use the camera for check photos or things of that nature ... and possibly (temporary) use of location data.
I would be alarmed if it requested microphone or access to either contacts or photo storage ...
Fairphone 6 with e/OS begs to differ. Dutch phone with a French OS. No issues.
As for alternatives, yes there are, I'm still figuring which ones do not require an app on the smart-phone, though.
I believe I've found a fair alternative after asking a few friends but, I have to account for other factors as well, like, how secure their infrastructure is.
This is because offline 2FA keyfobs were never that popular in Portugal (to my knowledge), unlike 2FA via SMS which I find less secure that keyfobs, but now with the SCA directives from the EU, most banks are jumping on the App 2FA bandwagon. Some do offer a government issued alternative [0] but it still requires an app. I'd be perfectly happy to sign in with my Citizen's ID card reader but that is also rarely implemented (bank-wise), specially since the Chave Movel Digital app from the government [0].
Bottom line, most major banks are going in one direction (deploying their own apps onto customer devices), while smaller banks are staying put (with SMS 2FA) but their security was never that great. So I'm still prospecting and yes, there's a bank co-op on my list also.
Oh, and by "security" I'm mostly going by feel here. Like, if the web interface is a bit jankie I don't feel secure. I'm not going to look into obfuscated .js and pretend like I know anything about web security.
Well yeah but that's what you get when you make overly broad statements like "not in the EU".
Most banks in Germany, Austria and Portugal default to Play Store or App Store apps with OS integrity checks. It seems like the Nordic countries have it a bit better with the ID reader apps. There are sometimes alternatives and some of them require paid subscription.
The apps they require are proprietary. They are not generic TOTP generators. Some of them require biometric approval. Some just logging in and approving a notification. I have seen some generate a form of non-standard TOTP. Otherwise I wouldn't complain about being locked into Google or Apple ecosystems. They are Play Store or App Store apps that require attestation from the libraries / systems provided Google or Apple like SafetyNet or Play Integrity. Some require strong hardware attestation. If the OS is modified, those checks do not pass. You cannot use any FOSS system without crazy hacks. If the phone is stolen, you have to go through manual reonboarding. It sucks when you're out of the country.
I do not understand how you are coming to that conclusion regarding modern banks. You can use the authentication device, which is completely independent of Google or Apple.
>SafetyNet or Play Integrity
A few days ago I did inspect the NovoBanco (Portuguese) apk, and I did look for SafetyNet specifically. They didn't use it. But since I'm not that familiar with the android eco-system I couldn't really tell if Play Integrity was used instead. But I did find a LOT of HMS (Huawei Mobile Services) stuff, and some if it was definitely related to security.
I might take a look at it again tomorrow.
I was curious if I could sideload the app without logging into a google account, meaning without using google services, but all I did was a tiny bit of static analysis instead of actually trying it.
If you have any write-ups on crazy hacks for foss systems, again it would be awesome if you could share them and greatly appreciated. Cheers
Also, is using HMS a normal thing in android development? Last I checked Huawei was persona non grata in the west, at least when it came to hardware like network equipment and consumer devices. I was surprised when I saw HMS in the apk.
>Last I checked Huawei was persona non grata in the west
Isn't it only in USA?
That's especially crazy. With Trump's/USA's belligerence, why on earth would EU companies/banks/governments want to require that you have an Apple/Google account, it makes them totally dependant on foreigners!
Most banks? Do you have evidence? AFAIK many (and certainly the most used) German banks (Sparkasse, Commerzbank, Hypovereinsbank) allow chiptan which does not require a smartphone.
Hungary is in EU and the most popular bank sends a one-time code (with expiry) via SMS for logging in, making a transaction, for the mere displaying of "Telecode", and so on.
There is no TOTP, only this one-time code sent via SMS.
I do not use their apps on any platform. I login via their website when I need to which is rare. When I make a payment via card, I have to provide the provided 3-digit "Telecode" and the one-time code sent via SMS. There is an option "What if I do not have access to that phone number?" or whatever the literal translation is, but I have not checked that out yet.
... which is why I left a comment asking you about the details. You telling me SMS is banned and referring to EU regulations just left me more confused given the above.
Absurd thing is that 1822 claims to make things much more secure but their 2FA reset with a single phone PIN is a joke.
They mitigate the obvious security thread with mandatory 2fa (actually mandated by regulation). Some use this as an opportunity to push their apps: no separate 2fa method, but only integrated in their bloated app, that checks for rooted devices and only supports the newest OS.
It’s quite hard to find out in advance, what 2fa methods with which fees each bank actually requires. I remember that some of them had funny ideas, what a customer should be billed for 2fa SMS. I think it was 50 cents per SMS.
