> Do you think banks are using attestation gratuitously?

What I'm claiming is that banks have the freedom of offering their customers 2FA other than smartphone apps.

> Do you even have a phone that does not support hardware attestation or is all this posturing about something hypothetical?

All the phones I own, including my daily driver, run some flavor of Debian. None of them support hardware attestation.

I'm in Europe, bound by PSD2, and own a couple of cheap, certified chip-and-TAN devices so I can do banking.