There's a trend of online banks forcing the use of an app. I can't login to one of my banks' website since last year without using a QR code from their app.

Of course they slathered the app with tracking, 'security', and analytics SDKs, so rooted devices are rejected. I had no way to log into this bank account after they made that change, which is simply wonderful.

Anyways, they're not yet at the point where they've learned to do the checks server-side. For now it's a one line patch to skip the root screen. But the Play Integrity API is designed correctly, if they learn to use it, there will be no workaround without someone finding a hardware vulnerability somewhere.

Eventually though I suspect that web access to banks will be rescinded too, much like HMRC in the UK no longer permits companies to submit their taxes through the websites.

In the future, everything will need an 'app'.

Thai banks are required by regulation to have facial recognition when transferring over 50k THB in one transaction or cumulative in a day. I believe most banks have shutdown their internet banking as it's not worth it for the low number of users to implement web-based secure facial recognition that don't allow you to feed spoofed video input. One of the bank that I use will send a push notification to their mobile app for you to confirm the transaction.

I believe that previously internet banking, even before mobile banking, will limit the number of transfer recipients you can add per day/month. With the rise of QR payment I could see this limit being regularly hit if you scrape the web-based banking.

Since the Bank of Thailand claims that they technically don't block many things (mobile banking technical requirements seems to also require blocking root, but they never banned internet banking), I wish there's a new bank that try to disrupt the existing players. But the latest "branchless" banking license were only acquired by existing banking groups, so API-first personal banking remain impossible.

Maybe a tiny difference though is that a phone is moved all day long, with a lot of people around to mess with or pick it. Your laptop is a bit larger and your desktop .. well is behind your door. But yeah ultimately a bank should not rely on phone OS to have security.

TD Canada is forcing me to use their app. Every time I make an online transaction which to them is too large or fishy in some way, they make me login into the app on my phone to approve the transaction. That's the only way.

In Hungary, where the central bank created the same rule about not allowing banking apps on "unoffical" devices, they do, but you need either the app or SMS for 2FA. Apparently they consider SMS secure...

There has been a trend away from this over the past decade. Some banks require mobile apps for some or even all interactions.

The banks that allow you to do everything on their website trend towards legacy and US-centric.

yes. and the websites require you to verify transactions with (unrooted?) phone.

on the other hand phone does not require you to verify with your pc, so there's no second factor unless there is some unacessible secure island within the phone itself.

funny enough, you can probably use that website directly on the phone that you use as 2F, which probably circumvents the 2F idea (at least as long as you use SMS 2F instead of app that checks for root)

They usually have a mobile companion app where you need to confirm login.

I assume the bank apps have functionality that their websites lack. Like being able to tap to pay for things, etc. Where a rooted phone might make fraud easier. If not, then this really makes no sense.

JPMCB Chase only allows an APP for 2FA auth

I mean, if it's like Ireland, then no.

While they (mostly) have websites, a computer with root access is not sufficient by itself to access them. You also need to perform 2FA via push notification to a proprietary app on an Apple or Google approved device.

Yes, but a web browser doesn't run HTML + JS as root.

In some countries, it's already impossible to make online payments without the bank's phone app. Only a matter of time until all banking is restricted to phones.

Many people also use their bank's app for mobile NFC payments though (more of a thing in EU than US), which you can't easily do with a device that doesn't fit in your pocket.