
It becomes much harder to force attestation on people if there's a significant user base that runs alternative operating systems.


I agree, but unfortunately I think the chances of that are just about zero. The reality is that the vast, vast majority of people don't care about software freedom. They care about the flashy marketing features in the newest iPhone (and competitors). I wish it were otherwise, but alas. Heck, you can't even get people to care about their physical freedom most of the time, let alone their digital life. It's hard to see this effort taking off as a result.


Do you really NEED to be forced to attest if you can make your phone look like any damn PC using a browser?


These days browsers are becoming increasingly distrusted. My bank logs my browser out after 30 minutes of inactivity, and then to log back in I have to confirm the login on my phone.


That… seems reasonable? My bank does that with their website and their mobile app. I was able to set up 2FA using a TOTP app, so I don’t rely on SMS for that part.


It is, given the environment. But it does highlight the poor security of desktop browsers where they are only trusted to do anything when a phone app approves it. While the phone app is considered secure enough to just stay logged in perpetually without any external confirmation.

To hack the bank's app you have to find an exploit in iOS or Android which would allow you to read the other apps' private storage, which is borderline impossible now. To hack the bank's website you just have to buy some random browser extension and add malware to it, or break into someone's NPM account and distribute it there, or any number of ways to run code on someone else's computer. Something very achievable by an individual.


> But it does highlight the poor security of desktop browsers where they are only trusted to do anything when a phone app approves it.

Does it? The browser doesn't do anything, the person sitting at the computer where the browser is running is what performs the actions. The reauthentication and 2fa is meant to authenticate and authorize the user, not the browser.

The attack vector of someone else using your phone using an app that doesn't require (re)authentication is independent of the browser or the app itself being trusted. That your bank doesn't periodically require some kind of re-authentication for their app is a security hole, but because the device could fall into the wrong hands, not because the code/app/browser used to access it isn't trusted.


That is true. I guess one of the main differences is the bank app can run a Face ID check when you open the app and before you make a transaction, while websites don't have access to these APIs. So they are forced to make you approve the action via your phone.


Every banking phone app I've used auto-logouts after being idle or unused for a bit, and my primary bank's app requires 2fa using an app that exists on the same device -- a second factor that secures nothing. They probably are not explicitly considering the phone more secure than a computer, but rather a good 80% of this is security theater or a checkbox on some baseline security checklist that was implemented without really understanding what the implications, for usability and security, were going to be.


> 2fa using an app that exists on the same device -- a second factor that secures nothing

2FA on the same device secures against your login credentials becoming known to another party, e.g. by phishing, password reuse, database leaks, etc., which are real threats. It is not meant to protect against someone being in possession or full control of your unlocked device, which is of course also a real threat, though possibly less common.


> 2fa using an app that exists on the same device -- a second factor that secures nothing

If I steal your device, and you didn’t have Face ID, I have both factors. But if I steal your password, or find it in a leak of another site because like most people you re-use passwords, then I only have one factor. It still provides a fair bit of security because of that.


It's not reasonable at all.


Could you elaborate on what part you find unreasonable, and why?


This isn't the browser not being trusted, it's access to the device the browser runs on. Forcing logout when idle, and authenticating again, is good in general to avoid leaving something accessible when walking away from it, even if it's a home computer that is otherwise "secured".


This seems desirable? Is your phone the only 2FA available?


WebAuthn cares about the strength of the authenticators used. Mobile has standard libraries for biometrics and secure enclaves. This is less common on desktops and laptops. Your bank may offer the ability to enroll a YubiKey or similar.


I can’t tap my PC to buy a burrito at Chipotle.


So you pay more money and also give up your privacy for what you could pay cash for. I don't think you're the target market for this phone.


I pay less money for my burrito than I would with cash, but the reason I use my phone is convenience, not cost.

> I don't think you're the target market for this phone.

My comment is downstream of the entertaining of a possibility of:

> a significant user base that runs alternative operating systems

... which isn't going to happen if you ask your users to give up commonly used features. It will forever be a niche project, at best.


And there are still folks who don't use ad blockers.


This sounds like a challenge to me.


It’s actually super easy and not a challenge. The lowest tech way to do it would be to tape a CC with tap functionality to the inside of a laptop.


what a phenomenal comment, thank you for the laugh


I took "tap to pay" being clicking on Order in an app; and I have certainly made an "online order" from inside the Chipotle, on their wifi with my laptop (usually because walking to the counter would cost more because of stupid promotions).

It makes more sense that they're referring to Apple Pay or similar shenanigans (which itself is more annoying than a credit card, to be honest, Face ID goes wrong or the double click closes the wallet app instead of authenticating way too many times, especially if you're trying to do it one-handed).


I can tap my debit card to buy a burrito, no apps required on my end.


You seem to be part of the problem. As long as people like you are happy to run spyware on their phones for the sake of convenience or a meager discount, companies will be empowered to make such software and devices a requirement.


Do you think the same for using credit cards in general or is using the phone somehow worse?


I use cash whenever possible, but carrying cash for larger transactions has its own risks and those risks need to be balanced against the privacy benefits it offers. The way I see it, carrying a credit card in addition to my phone when I might need it is a minor inconvenience relative to that of allowing Google complete control over my phone.


Credit cards have become mainly a way for the banks and Visa/MC to use the customer to strong-arm money out of the business.

Get 3% and rebate some to the customer. For the convenience.

It’s kind of sad, really.


I am all in favor of ways to strong-arm money out of businesses --- they seem to be doing quite well at the expense of customers.


My bank doesn't let me do anything in the browser without 2FA, and the only 2FA they offer is their smartphone app.

My other bank offers 2FA via chip reader as an alternative. I guess that's somewhat viable for an alternative phone OS, if you want to carry the reader around with you.

That might just be European banks though.


That could be nice on the Librem 5 which has an integrated smartcard reader.


My bank is migrating online banking to an app-only platform. I could see attestation following very shortly afterwards.


Some banks require app confirmation for PC-initiated transactions, using apps that require Play Integrity. 'Cause security, you know.


I think it's time to look for a new bank.


In my country we have a large religious community that eschews smartphones. Due to this no company or government agency requires a smartphone for service.


This is a very good thing. I don't think many people here on HN reject technology, but sometimes no technology is better than one that is not controlled by the user.


No it isn't.

They just use an SMS code instead which is not secure at all.


choosing a wrong alternative does not make mandating spyphones good.

why not distribute hw tokens for purposes like this? it has the least flaws IMO.


Would you mind revealing which community and country this is? Maybe I can ask them to lobby in my area too...


It's the religious Jews in Israel.


It's because it's way easier to install malware on PC than mobile. None of us are immune either. In recent times there has been malware distributed by common NPM packages as well as game mods. Every NPM package you install has the ability to steal your browser session tokens and the only thing stopping the attacker from actually logging in and spending your money is the fact it has to be confirmed on your phone.


Choosing between a risk of that and preinstalled non-removable malware in every phone? Tough one, I know.


That doesn't require a bank approved app - we already have authentication mechanisms that are standardized.

People do proprietary bullshit because they want to do proprietary bullshit. Anything else is made up.


What kind of transactions require this? Normal bank transactions don't, right?


Fraud prevention on my primary transaction account requires 2FA for every transfer.

The only supported 2FA is the bank's own dedicated 2FA app.


So if you buy something on Amazon with your debit card you have to authorize it?


Depends on the bank's policies. Currently it tends to be when you transfer to a new destination and/or above a certain amount. I could certainly imagine a bank requiring it for every PC-initiated transaction as and when they reach a point where most normie customers are using their app.


"Every PC-initiated transaction" doesn't make sense to me. What type of transactions are you talking about?


> What type of transactions are you talking about?

Bank transfers and I guess direct debit authorisations (if your bank requires you to confirm those) and reauthorisation/confirmation of card payments that were blocked by the bank's fraud detection. I think those are the only kinds of transactions one would ever use a PC for? I mean for me most of my day-to-day transactions are me paying by debit card in a shop, but you can't do that on a PC in the first place; pretty much everything else I do on my PC.


Do you have to authorize those day-to-day transactions with your debit card on your phone every time?


No. Only to unblock when they get blocked/flagged as fraud (tends to happen for large transactions like plane tickets or buying a bunch of furniture), and even then I currently have the option of authorizing via the web browser (and I think also via phone call).

But sending a bank transfer is also a fairly common day-to-day transaction that I do a couple of times a month (and is the only way to pay for some government services like tax certificates short of visiting the tax office in person). Authorising a new direct debit happens occasionally (joined a gym, changed my utility provider, got a new credit card, that kind of thing).


My brokerages require it every time I log in from a computer. My bank will require it if it can't find a cookie from a previous login session. Occasionally, my bank will require it seemingly randomly, since I usually log in at least once a week from my laptop yet every couple of months or so I have to reconfirm on the app or another secondary method.


What are the other secondary methods?


Transfer of more than a set amount between even your own accounts in different banks.


Between your own accounts is the main use-case because you typically can't transfer between different banks.


> you typically can't transfer between different banks

WTF? What kind of shitty banking system are you using?


Wells Fargo said to do it I had to use Zelle.


AFAIK Zelle is something US banks got together and set up on their own because the government didn't. So a Zelle transfer is the US equivalent of a SEPA transfer.


Wow. You guys really need better banking regulation.


Websites are starting to make use of passkeys and TPM stuff on the device for workflows where money is involved.



