> I do create an ephemeral Apple ID every time I get a new phone
In other words, you do have an in-use Apple ID at (pretty much) all times.
Sure, but it has no value and nothing negative happens if it is revoked.
Further: the three apps I install are not crucial - I could live just fine without them. All I really need is Safari and a working POTS endpoint for my cloud-hosted phone number ...
It's nice that this works for you, but unfortunately I strongly suspect that you are part of a tiny and shrinking minority.
Not every service provider offers a web app anymore, and if they do, it's often penalized in terms of functionality or fraud screening hoops one has to jump through (since mobile apps offer device attestation and generally have a higher cost per bot action than browsers). Some even outright demand device attestation, which not only excludes non-iOS/Android devices, but even custom ROMs or non-Google-blessed phones, since they lack the necessary keys.
And yes, people could protest that by just not using these services if they're not strictly necessary to survive, but the dynamics here (tragedy of the commons etc.) just don't work in favor of individual people.
Curious: How do you do your banking? Most of my banks de-facto require an Android or iOS app for authentication, unless you want to do all your banking in person and pay hundreds of Euros in fees every month (and even that would exclude you from many services).
I am a US person and the four (three very large and one smaller, regional) banks that I use do not have any such requirements.
Web based online banking (since nothing related to banking requires 3D or VR/AR or camera/mic access or other fancy things that apps do) and 2FA auth. That is all I have ever seen or used.
The big difference is that, historically, there wasn't much you could do in a US bank's online banking other than checking your balance and maybe initiating a wire transfer (which usually costs double-digit USD amounts in fees, so it can be economically secured by manual human fraud investigation for every case).
By contrast, all European bank accounts offer outbound payments, which nowadays clear and settle instantaneously. The fraud risk is just orders of magnitude higher.
The US now has Zelle, which is actually showing just that friction and not going especially well for banks that were kind of blindsided by the sudden requirement to actually authenticate their customer, which is why you see all kinds of strange stopgap solutions mixed with proper security.
In the EU, banks are AFAIK banned from using SMS 2FA, and the 2FA needs to be tied to the specific transactions. Which nowadays de facto means a bank-specific (sometimes country-specific) 2FA app, possibly with the alternative option of purchasing a pricey dedicated 2FA device.
> In the EU, banks are AFAIK banned from using SMS 2FA
That's not the case, but SMS-OTP only counts as one "possession" factor, leaving only "knowledge" or "inherence" for the second one, and both are awkward to ask for in a payments flow. (You don't want to train users to enter their bank's password at a merchant site, and biometry/inherence isn't easily possible from an untrusted device.)
By contrast, doing biometry on a linked device provides two factors (possession of the device and inherence), and is significantly cheaper than SMS too. SMS in Europe can be pricey!
As a tangent, they are in fact banned from using email as a factor, which I find infuriating – my mailbox seems much better protected than my SIM card or phone number, which is one successful attempt at social engineering away from being swapped out or ported away. The SMS industry must be pretty good at lobbying.
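The transaction-tied 2FA mentioned in this thread, sketched as an added example (not posted by anyone in the thread and not any bank's implementation): the code the device produces is an HMAC over amount, payee and a single-use challenge, so it is useless for any other payment. The shared device key, the field layout, the 8-digit truncation and the placeholder IBAN are assumptions.

```python
import hashlib
import hmac
import secrets


def canonical(amount_cents, currency, payee, nonce):
    """Serialise the fields the user approves; length prefixes prevent ambiguity."""
    fields = [str(amount_cents), currency.upper(), payee.replace(" ", "").upper(), nonce]
    return b"".join(len(f).to_bytes(2, "big") + f.encode("ascii") for f in fields)


def auth_code(device_key, amount_cents, currency, payee, nonce, digits=8):
    """Code the enrolled device shows after the user confirms amount and payee."""
    mac = hmac.new(device_key, canonical(amount_cents, currency, payee, nonce),
                   hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10 ** digits).zfill(digits)


class BankVerifier:
    """Server side: one single-use challenge per pending payment."""

    def __init__(self, device_key):
        self.device_key = device_key
        self.pending = {}  # nonce -> (amount_cents, currency, payee)

    def challenge(self, amount_cents, currency, payee):
        nonce = secrets.token_hex(16)
        self.pending[nonce] = (amount_cents, currency, payee)
        return nonce

    def verify(self, nonce, code):
        # The challenge is consumed even on failure: no retries, no replay.
        txn = self.pending.pop(nonce, None)
        if txn is None:
            return False
        return hmac.compare_digest(auth_code(self.device_key, *txn, nonce), code)


def demo():
    key = secrets.token_bytes(32)  # constructed; shared at device enrolment (assumption)
    bank = BankVerifier(key)
    payee = "DE00 0000 0000 0000 0000 00"  # constructed placeholder IBAN
    n1 = bank.challenge(12_50, "EUR", payee)
    code = auth_code(key, 12_50, "EUR", payee, n1)
    ok = bank.verify(n1, code)        # same payment: accepted
    replay = bank.verify(n1, code)    # same code again: challenge already consumed
    n2 = bank.challenge(9_999_00, "EUR", payee)  # a different payment
    reused = bank.verify(n2, code)    # earlier code must not authorise it
    return ok, replay, reused
```

An SMS or token OTP that is not computed over the payment details has no equivalent of the `reused` check: it would be accepted for whichever payment is pending.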
For the sake of completeness I will mention that one US bank that I use, Wells Fargo, issues the classic RSA keychain tokens:
https://www.wellsfargo.com/biz/online-banking/securid/
... which is quite simple and cheap ... and can be used in place of SMS 2FA.
The fact that these tokens exist and are so simple to deploy and use really deflates any claim (by banks) that banking and/or auth apps are required. It causes one to consider what the real motivation is behind the bank desperately pushing customers away from the simple and adequate web service towards the apps.
something something anti-fraud something something PM's promo packet something