linohh, 3 hours ago:
I don't see why a smartphone plus an NFC-enabled token device wouldn't work within the regulation. We should go that way (or any way decoupling Google & Co. from it), because we should be prepared for US companies to be forced to act unreasonably by an unreasonable leader.
cyberpunk, 3 hours ago:
I agree. I'm not saying it's totally correct or there aren't answers, but those are the current rules, at least in my bank. Instant payments bypass typical surveillance and fraud systems and so need some kind of authentication. If you don't want to 2FA every time you're at the checkout, then the application has to have been previously authenticated (e.g. set up with some kind of TAN from your bank) and execute on an attested device. We can def extend attestation to other devices (e.g. is the kernel modified, does the app have a reasonable version and checksums, etc.), but again, who is gonna fund that for 10 users?
edit: We have a long road to go before this stuff gets better. I think we should be happy at each step instead of really wishing we were already at the finish.
hocuspocus, 3 hours ago:
There's technical possibility and then real-world practicality. For the same reason, a pure WebAuthn flow in a compliant browser could technically implement the secure payment confirmation mandated by the DSP, but afaik no bank does that, and the W3C is still working on the spec. Our governments can't even manage not to depend on Microsoft/Google/AWS (and Palantir, the US military-industrial complex, Israel, ...), and our banks are regularly under fire from extraterritorial bullshit due to the USD dependence. Being worried about consumer devices and their OS is cute, but it's missing the forest for the trees.