New idea: Neobank specifically for digital sovereignty, from the app running on Linux/without SafetyNet and other nonsense to the servers running on local infrastructure
People need banking and payment apps to work on Linux mobile for it to work. Obviously the only real "fix" for this is a regulatory one that declares SafetyNet a monopolistic control mechanism, which it is. But also, with fintech stuff getting easier and easier, I wonder if creating at least an open _banking_ app should be possible. Yes, various countries require push-based 2FA, but nothing locks you into Google/Apple here on Linux. I wonder how the payments situation would be ...

@pojntfx The relevant legislation regarding 2FA is the strong customer authentication (SCA) requirement of the revised Directive on payment services (PSD2):

https://finance.ec.europa.eu/publications/strong-customer-authentication-requirement-psd2-comes-force_en

Strong customer authentication requirement of PSD2 comes into force

As of 14 September 2019 the strong customer authentication requirement of the revised Directive on payment services (PSD2) comes into force.

@pojntfx My understanding is that TOTP is not sufficient for 2FA because PSD2 SCA requires that for online payments, the authentication must be dynamically linked to the transaction's specific amount and payee. But maybe a standard JWT minting process could be enough (send request to the app, app signs the request with a private key potentially via TPM2, send the signed request back).
@darkdragon Thank you for the link! Makes sense. I know that there is a push notification in all of the EU banking apps I've used (SecureGo etc.). But as long as there is no hard-coded requirement for SafetyNet specifically, I don't see why we can't get to the same level of security _in theory_ with TPM2 for storing secrets safely + measured & secure boot, Flatpak/Bubblewrap sandboxing + push notifications that we send over WebPush etc.
@darkdragon Heck, if we really want it or are legally required to, there are also ways to do remote attestation for Linux systems; the embedded world has been doing it for a while, and immutability makes this much easier.
@pojntfx Maybe one could use passkeys for the signing part? So from the bank's perspective, a "device" is a passkey. One can revoke passkeys in the web interface. Passkeys can be securely synced between devices. One could even create a PWA, no native app needed.