New idea: Neobank specifically for digital sovereignty, from the app running on Linux/without SafetyNet and other nonsense to the servers running on local infrastructure
People need banking and payment apps to work on Linux mobile for it to work. Obviously the only real "fix" for this is a regulatory one that declares SafetyNet a monopolistic control mechanism, which it is. But also, with fintech stuff getting easier and easier, I wonder if creating at least an open _banking_ app should be possible. Yes, various countries require push-based 2FA, but nothing locks you into Google/Apple here on Linux. I wonder how the payments situation would be ...

@pojntfx The relevant legislation regarding 2FA is the strong customer authentication (SCA) requirement of the revised Directive on payment services (PSD2):

https://finance.ec.europa.eu/publications/strong-customer-authentication-requirement-psd2-comes-force_en

Strong customer authentication requirement of PSD2 comes into force

As of 14 September 2019 the strong customer authentication requirement of the revised Directive on payment services (PSD2) comes into force.

@pojntfx My understanding is that TOTP is not sufficient for 2FA because PSD2 SCA requires that for online payments, the authentication must be dynamically linked to the transaction's specific amount and payee. But maybe a standard JWT minting process could be enough (send request to the app, app signs the request with a private key potentially via TPM2, send the signed request back).
@pojntfx Maybe one could use passkeys for the signing part? So from the bank's perspective, a "device" is a passkey. One can revoke passkeys in the web interface. Passkeys can be securely synced between devices. One could even create a PWA, no native app needed.
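
The signing flow suggested in the two replies above, as an added example that is not part of the original posts: the bank issues a challenge carrying amount and payee, the device signs it as an ES256 JWS, and the bank accepts it only if the signed values equal the pending transaction. The function names, the in-memory `Map`, and the software P-256 key (standing in for a TPM2- or passkey-held key) are assumptions of this sketch.

```javascript
const nodeCrypto = require('node:crypto');
const b64u = (v) => Buffer.from(v).toString('base64url');

// Enrollment: the bank keeps only the public key. A software P-256 key stands
// in for a TPM2- or passkey-backed key (assumption of this example).
function enrollDevice() {
  return nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
}

// Bank: record a pending transaction under a single-use nonce.
function createChallenge(pending, amount, currency, payee) {
  const tx = { amount, currency, payee, nonce: nodeCrypto.randomBytes(16).toString('hex') };
  pending.set(tx.nonce, tx);
  return tx;
}

// Device: after showing amount and payee to the user, sign them as an ES256 JWS.
function approveOnDevice(privateKey, tx) {
  const input = `${b64u(JSON.stringify({ alg: 'ES256', typ: 'JWT' }))}.${b64u(JSON.stringify(tx))}`;
  const sig = nodeCrypto.sign('sha256', Buffer.from(input), { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return `${input}.${b64u(sig)}`;
}

// Bank: check the signature, then that the signed claims equal the pending transaction.
function verifyApproval(pending, publicKey, token) {
  const [h, p, s, extra] = token.split('.');
  if (!h || !p || !s || extra !== undefined) return 'malformed';
  const ok = nodeCrypto.verify('sha256', Buffer.from(`${h}.${p}`),
    { key: publicKey, dsaEncoding: 'ieee-p1363' }, Buffer.from(s, 'base64url'));
  if (!ok) return 'bad-signature';
  let claims;
  try {
    if (JSON.parse(Buffer.from(h, 'base64url').toString()).alg !== 'ES256') return 'bad-alg';
    claims = JSON.parse(Buffer.from(p, 'base64url').toString());
  } catch { return 'malformed'; }
  const tx = claims && pending.get(claims.nonce);
  if (!tx) return 'unknown-or-replayed';
  if (claims.amount !== tx.amount || claims.currency !== tx.currency || claims.payee !== tx.payee) {
    return 'tx-mismatch'; // signed for something other than what the bank will execute
  }
  pending.delete(tx.nonce); // single use: a replayed approval no longer matches anything
  return 'approved';
}
```

The `tx-mismatch` branch is the dynamic link itself: a valid signature from an enrolled key is rejected unless it covers the exact amount and payee the bank is about to execute.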