I agree, I’m not saying it’s totally correct or there aren’t answers, but those are the current rules at least in my bank.

Instant payments bypass typical surveillance and fraud systems and so need some kind of authentication, if you don’t want to 2fa every time you’re at the checkout then the application has to have been previously authenticated (e.g setup with some kinda TAN from your bank) and execute on an attested device. We can def extend attestation to other devices (e.g is the kernel modified, does the app have reasonable version and checksums etc) but again, who is gonna fund that for 10 users?

edit: We have a long road to go before this stuff gets better, I think we should be happy at each step instead of really wishing we were already at the finish.