cromka a day ago

In EU? For internet banking you need a mobile phone or a dedicated hardware token (thing you own), as part of the Strong Customer Authentication (SCA) requirement under the PSD2 regulation: https://ec.europa.eu/newsroom/fisma/items/658958

I know in some countries (UK, Germany, Switzerland, Austria) they're used to hardware tokens already since they were in use long before PSD2. But I seriously, seriously doubt banks in e.g. Poland specifically implement support for hardware tokens issued to very few annoying customers who refuse to use an app but otherwise want internet banking.

3abiton 6 hours ago

This is untrue in reality. I have literally used more than 5 banking apps, and a few investment ones (including 1 in the US). I could log in to all of them through a browser, using phone number 2FA, or a proprietary authenticator of the bank (a physical device). No bank ever forced me to use their app to log in. It's an option though (and a convenient one). If that ever ends up being the case, I am for sure not using a Google phone to do so. iPhone it is.

And here is the funny part. On my A13 Android (fully rooted, BL UL, custom ROM) I can totally bypass Play Integrity, using the keybox method. There is literally no way for Google to patch this. I have yet to get it working on A16, mainly for lack of time to tinker, also because OP15 has no sources released yet to build ROMs for it, which is the main motivator for me to use an Android phone.

The takeaway is this: Google promotes "Play Integrity" (PI) as a working solution against "tampered devices" (i.e. because god forbid you have sudo access on your device). Yet it's easy (albeit a bit complex, as you have to know the right Telegram groups) to bypass it. PI gives the illusion of security, yet in reality a counter-solution exists. Real bad actors would have 0 issues doing what they want to do; the real impact is deterring users from open source ROMs like Lineage, simply because their bank app wouldn't work, which imo is Google's plan all along, masquerading as a security feature. Google's main business is ads, and hosts-based ad blocking is extremely easy once rooted.

Their recent moves align well with this (slow rollout of open sourcing, QPR2 is still not out yet, antagonizing 3rd party stores like F-Droid), all in the "name" of security.

cromka 5 hours ago

Interesting. I just moved to Android from iOS with the idea of eventually switching to GrapheneOS, but was scared that my apps would randomly stop working as soon as Google catches up with the hacks. From what I heard it's a cat and mouse situation: they patch things, then the Android community finds a way. I do not want to find myself in a situation where I need to use my bank or government app and fail because Google just caught up with the hack.

So what you're saying is that you can have it permanently 'fixed' with no shenanigans like that?

bluebarbet a day ago

Between what the law says and what actually happens there's sometimes a gap.

I'm in the EU and currently I do online banking with 3 banks without using any app, i.e. through a laptop browser. The 1st literally lets me stay logged in with a simple cookie, with an SMS 2FA requirement every 90 days. The 2nd additionally asks for a PIN to be entered at each session. The 3rd is a neobank and is tougher, requiring a TOTP (which I generate on the same machine, needless to say).

A 4th does require an app, and in fact can hardly even be used with a desktop OS. That bank is Revolut and I therefore don't use it and I recommend others avoid it too.