I am considering changing to an open source smartphone. However, there are some apps that I must have, like authenticator, mobile bank and government apps. Does anyone have any experience with any of these brands, what are they like, and is it possible to install Android apps?

  • JasonB@lemmy.worldOP
    18 hours ago

    Unfortunately, in the country where I live pretty much everything requires a 2FA app from the government and also my job requires a 2FA app in general, so not having those would make the whole device useless.

    • sem
      18 hours ago

      That is too bad. Scary what the government can do. Sounds like you will need two devices if you care to have one that is open source.

      • dan@upvote.au
        18 hours ago

        > Scary what the government can do

        Requiring 2FA is a good idea though.

        • sem
          17 hours ago

          There are plenty of 2FA apps you can use that aren’t made by the government and will work fine on any phone.

          2FA isn’t the problem. It’s being required to use a specific app.

          • dan@upvote.au
            17 hours ago

            My guess would be that a 2FA app from the government is likely using PKI (private + public keys) or something similar, rather than a basic TOTP algorithm. There’s not really a generic app for something like that. Many services are moving away from TOTP since it’s not phishing-resistant.

            • sem
              9 hours ago

              Nothing is phishing resistant though?

              • dan@upvote.au
                9 hours ago

                FIDO2 tokens (like Yubikeys and passkeys) can’t be phished.

                • sem
                  9 hours ago

                  Yes, it’s as easy as with the TOTP app. A message that says “ok, now tell us the code”

                  • dan@upvote.au
                    7 hours ago

                    FIDO2/WebAuthn hardware tokens don’t use a code. That’s why they’re phishing resistant. You have to press a hardware token (usually plugged in via USB) to authenticate, but it doesn’t do anything obvious on the screen like type a code. On mobile, these tokens usually use NFC, so you just tap the Yubikey or whatever to the back of your phone.
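
The difference discussed in this thread, as an added example that is not part of any post: a TOTP code carries no record of the site it was typed into, while a WebAuthn assertion includes the page origin (written by the browser) and a hash of the relying-party ID, both of which the server checks. The host names and challenge are constructed, the secret is the RFC 6238 test secret, and signature verification is left out to keep the sketch in the standard library.

```python
import base64, hashlib, hmac, json, struct

SECRET = b"12345678901234567890"      # RFC 6238 test secret
RP_ID = "id.gov.example"              # constructed relying-party ID
REAL_ORIGIN = "https://id.gov.example"
LOOKALIKE = "id-gov.example"          # constructed lookalike host

def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1."""
    mac = hmac.new(secret, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def server_accepts_totp(secret, submitted, now):
    # The server sees only digits; nothing records which site they were typed into.
    return hmac.compare_digest(totp(secret, now), submitted)

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def browser_client_data(page_origin, challenge):
    # Filled in by the browser from the page the user is actually on.
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": page_origin}).encode()

def authenticator_data(rp_id):
    # rpIdHash (32 bytes) + flags (user present) + signature counter.
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + struct.pack(">I", 1)

def server_accepts_webauthn(client_data_json, auth_data, challenge):
    # Relying-party checks. Signature verification is omitted in this sketch; in
    # real WebAuthn the signature covers both inputs, so neither can be edited.
    cd = json.loads(client_data_json)
    return (cd.get("type") == "webauthn.get"
            and cd.get("challenge") == b64url(challenge)
            and cd.get("origin") == REAL_ORIGIN
            and hmac.compare_digest(auth_data[:32], hashlib.sha256(RP_ID.encode()).digest()))

def compare(now=59, challenge=b"constructed-challenge"):
    """Same user, same credential, on the real page and on a lookalike page."""
    out = {}
    for host in (RP_ID, LOOKALIKE):
        code = totp(SECRET, now)  # user reads the code and types it on this page
        assertion = (browser_client_data("https://" + host, challenge), authenticator_data(host))
        out[host] = (server_accepts_totp(SECRET, code, now),
                     server_accepts_webauthn(*assertion, challenge))
    return out

if __name__ == "__main__":
    print(compare())
```

Each result pair is (TOTP accepted, WebAuthn accepted); a real authenticator would also hold no credential at all for the lookalike host, which this sketch does not model.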