
The 2-factor SMS messages usually say: "Do not give this code to anyone! The bank will NEVER ask you for this code!".

The sideloading warning is much much milder, something like "are you sure you want to install this?".

You'll then get more warnings if you want to give the sideloaded app additional permissions. And if they want to make the sideloading warnings more dire, that wouldn't be nearly as unreasonable.

The main issue is the bank using SMS and OTP apps instead of something like passkeys, mandatory in the bank setup.

One of my banks uses a card reader and PIN to log in, which seems more secure.

PINs can still be phished. Just make the phishing site a live proxy resembling the real site.

A fundamental difference with e.g. FIDO2 (especially hardware-backed) is that the private credentials are keyed to the relying party ID, so it's not possible for a phishing site to intercept the challenge-response.
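As an added illustration, not part of the thread, a toy Python model of the relying-party-ID binding the comment above describes; the origins bank.example and bank-example.test are constructed, and an HMAC stands in for the credential's private key so that the whole thing runs with the standard library.

```python
import hashlib, hmac, json, secrets
from urllib.parse import urlparse

BANK_ORIGIN = "https://bank.example"        # constructed, hypothetical bank origin
PHISH_ORIGIN = "https://bank-example.test"  # constructed, hypothetical lookalike origin

def rp_id_for(origin):
    return urlparse(origin).hostname  # the browser derives the RP ID from the real origin

def register(creds, rp_id):
    # Toy authenticator, one secret per RP ID; HMAC stands in for the private key (the RP gets the same secret).
    creds[rp_id] = secrets.token_bytes(32)
    return creds[rp_id]

def get_assertion(creds, rp_id, client_data):
    key = creds.get(rp_id)
    if key is None:
        return None  # the authenticator holds no credential scoped to this RP ID
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01"  # rpIdHash + UP flag
    sig = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(), "sha256").digest()
    return auth_data, sig

def browser_sign(creds, origin, challenge):
    # The browser records the origin the page is really on, then asks the authenticator.
    client_data = json.dumps({"challenge": challenge, "origin": origin}).encode()
    result = get_assertion(creds, rp_id_for(origin), client_data)
    return None if result is None else (client_data, *result)

def rp_verify(key, issued_challenge, response):
    # Relying party: check challenge, origin and rpIdHash before trusting the signature.
    if response is None:
        return False
    client_data, auth_data, sig = response
    cd = json.loads(client_data)
    if cd.get("challenge") != issued_challenge or cd.get("origin") != BANK_ORIGIN:
        return False
    if auth_data[:32] != hashlib.sha256(rp_id_for(BANK_ORIGIN).encode()).digest():
        return False
    expected = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(), "sha256").digest()
    return hmac.compare_digest(sig, expected)

def demo():
    creds = {}
    key = register(creds, rp_id_for(BANK_ORIGIN))
    register(creds, rp_id_for(PHISH_ORIGIN))  # a credential for the lookalike still does not help
    challenge = secrets.token_hex(16)
    genuine = rp_verify(key, challenge, browser_sign(creds, BANK_ORIGIN, challenge))
    # A live proxy relays the bank's real challenge, but the victim's browser is on the lookalike.
    relayed = rp_verify(key, challenge, browser_sign(creds, PHISH_ORIGIN, challenge))
    return genuine, relayed
```

The relayed assertion fails because the browser, not the page content, fills in the origin and the RP ID that the authenticator signs over, so a proxy that forwards the bank's challenge cannot produce a signature the bank will accept.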


That's just as bad. You need to take the human error out of the equation.

> The bank will NEVER ask you for this code!

> Please enter the code we sent you in the app.

lol, lmao even
