| ▲ | thewebguyd a day ago | |
The issuing entity. They want a "secure device" to do business with me, then they get to issue said device. Otherwise, they just get to be OK with offering me a website or letting me transact with them on my own device that's under my own control without stipulations like requiring attestation, or prohibiting root. The point is, governments nor banks or other private entities, should be getting to dictate what can and cannot be done on someone's computing device. | ||
| ▲ | ncruces 17 hours ago | parent [-] | |
They're happy to provide that. It's a called debit card that you take to an ATM machine. It's been popular demand, not financial institutions, driving the change to “the smartphone can do everything, I don't want to take debit/credit cards with me everywhere.” People don't want an additional card, or yubi key, or printed second factor, or whatever, to authenticate. They want an app that uses a data connection, and a fingerprint to replace even needed a PIN. They tolerate a second channel: an SMS, if the app automatically reads it. That's as much inconvenience as the general public is willing to put up with. They're starting to demand that this works offline for smaller spends. And they'll put up with a phone call as a 3rd factor for when they want to unblock a really high spend, like purchasing a car, but it can't happen all the time. They want this to work reliably, even on holidays, all around the world. And they want the banks to cover losses if it all goes south. Now try to design a system that covers the requirements people are demanding for, without trusting the terminal the people decided they want to access it from. | ||