I keep interacting with systems-- like my bank, etc.-- that require (or allow) you to add one or more trusted devices, which facilitate authentication in a variety of ways.
Some services let you set any device as a trusted device-- Macbook, desktop, phone, tablet, whatever. But many-- again, like my bank-- only allow you to trust a mobile device. Login confirmation is on a mobile device. Transaction confirmation: mobile device. Change a setting: Believe it or not, confirm on mobile device.
That kind of makes sense in that confirming on a second device is more secure… That’s one way to implement MFA. But of course, the inverse is not true: If I’m using the mobile app, there’s no need to confirm my transactions on desktop or any other second device, and in fact, I’m not allowed to.
But… Personally, I trust my mobile device much less than my desktop. I feel like I’m more likely to lose it or have it compromised in some way, and I feel like I have less visibility and control into what’s running on it and how it’s secured. I still think it’s fairly trustworthy, but just not categorically better than my Macbook.
So maybe I’m missing something: Is there some reason that an Android/iOS device would be inherently more secure than a laptop? Is it laziness on the part of (e.g.) my bank? Or is something else driving this phenomenon?
They’re more locked-down by the manufacturer than desktops, so they’re more “trusted” by corporations to act in corporate interests at the expense of yours.