If this is similar to LineageOS, then it's always potentially only a matter of time until some banking and payment apps stop working due to failing security attestation pushed by a Google update.

We need native apps that pass attestation out of the box for that phone/OS, not relying on hacks that may or may not work in the future.

This is not good UX and it poisons the well if you push users to a new platform then they discover some apps don't work as you promised.

Beats me why banks can't use a FIDO2 enabled web site.

Because FIDO2 is not enough for non-tech-savvy people. The main issue is potential confusion about what transaction they’re actually signing. For example, a malicious browser extension can pretend the site sends money to X while actually sending it to Y.

The European PSD2 directive mandates that the 2FA scheme must let the user see what they’re about to sign. At the very least, that includes the amount and part of the recipient’s IBAN. FIDO2 doesn’t have that.

It’s the reason I own a device that looks like this [0]. Without it, I wouldn’t be able to transfer money at all due to the lack of banking apps that work on Linux phones.

[0]: https://en.wikipedia.org/wiki/Chip_Authentication_Program

Banks used to give us those RSA tokens in the past for securely logging in to the web UI, but then discovered they can cut down on cost since everyone has two brands of smartphones.

No doubt. At least with FIDO2, people can provide their own hardware key, and get real security rather than a rolling number generated by a compromised algorithm [1].

[1] https://en.wikipedia.org/wiki/RSA_SecurID#March_2011_system_...