Yeah, so you admit there's no real legal basis for those kinds of restrictions.
Which any one of us who worked with banks, mobile, banking security and their legal already knew. They're a source of greatest security hits like "let's use SMS for only auth for web banking" after all.
But what's really hiding behind all your fluff is something else:
Abusing users with root lockouts is EASY for the programmers at banks. The auditors have a checkbox "root lockout" and they tick the box. Legal ticks the box. CISO ticks the box. All happy, who cares about the user. That's what this is all about. The insulting thing is trying to sell it like some kind of security feature.
The regulations are the "real" legal basis. The fact you don't like them or how they're written doesn't make them any less real. And you're not arguing with me or my "fluff", you're arguing with the entire banking industry.
If you really think this is all just fluff, by all means, go get yourself employed inside a bank's security team and convince them to turn all this stuff off. Let us know how it goes.