How many people do you think will be able to secure their access?
And what happens if their computer is hacked, the credentials stolen and the accounts emptied?
It's not hard for me to imagine developers saying, "hey, we all know computers get hacked, it is the bank's job to know when it's really me versus when someone stole my API keys. What a shitty bank. I'm expecting all my money back."
How is that any different with web interfaces? Or are you saying that people should just generally not be able to use their own computers for banking purposes?
> API keys are stored on the computer (even accidentally pushed to GitHub, etc.)
Then ... create an API without "API keys"?!
> Credentials for web interfaces are stored in our heads.
So ... store the credentials for the API in your head then?!
> People are still able to use their own computers - via the web interface, which is under the full control of the banks.
Erm ... no, it's not? The bank sends me IP packets, what happens with those IP packets is completely under my control (or under the control of anyone who happens to have compromised my computer, for that matter). I select what web browser I use. I could write my own web browser. Or modify an existing one. Or run it under a debugger. Or just not use a browser at all. What my computer does with the IP packets my bank sends me is completely out of the bank's control.