It is becoming increasingly difficult to avoid using a smartphone - I do have one but hate it.

I don't have a VM suggestion, but I'm in a similar situation.  I keep my phone tethered to one place at home, and never access it directly, or take it with me anywhere.  I installed a Lineage OS on it, and make use of the multiple user accounts feature.  The primary account only has free software.  A secondary account has only "important" things like banking and government stuff, and a third account has only relatively untrusted apps that I might need once in a blue moon.  I have ADB over TCP enabled on a Wireguard VPN, and access my phone from my desktop or laptop through scrcpy[1], and I have Termux installed on the primary account, with an sshd server running at boot, listening on the VPN too.

[1]: https://github.com/Genymobile/scrcpy

dDepending on your needs, Genymotion (https://www.genymotion.com/product-desktop/download/) may work

It's spyware. They track you. Otherwise, yes it's the best but requires virtualbox.

But then you've got your entire life on that little device where ever you go and can potentially lose it and control of your life right along with it.

Not to worry . . . There is a solution for some of that. It's not easy to "lose" a tiny sub-dermal chip containing all your important personal info!

Note that a voip connection is still working for me on an ancient set of Panasonic phones that a friend handed down to me over a decade ago. My "emergency" cell phone has the battery removed and I have no idea if it would still work to make a 911 emergency call which is why I bought it a very long time ago.

PS: fdroid works flawlessly on fydeOS without having to set android rom stuff up.
https://f-droid.org/

I do agree with the OP complaint about the trend towards forcing everyone to use smartphone apps (either iPhone or Android) to interact with businesses. I've not encountered the banking restrictions talked about, yet, but now I am worried. I hate the idea of having access to all the critical details of my life on a portal device that I may have to carry around just for safety. You need a phone to get help on the road if your car breaks down, for example. But then you've got your entire life on that little device where ever you go and can potentially lose it and control of your life right along with it.

The OP asked about much more than that.

The OP asks about running apps without a physical phone, and gives a couple of generic examples with no implementation details.
*you* moved the goalposts by adding custom authentication and token generators.

If you have a working crystal ball, feel free to open-source the schematics. Otherwise you're putting words in somebody else's mouth to further your own agenda.
If what what you really want to do is shoot down every suggestion so you can whine about "big tech" control some more (with much talk and no action of course), you do you... But constant "old man yells at cloud" bitching (a common pastime around here apparently) never achieved anything constructive.

GSF has built-in 2fa authentication for apps to use, with various levels of physical device integrity checks. Whether a specific app uses it or rolls their own is up to the app developer. Even when they do roll their own 2fa auth, they're likely going to be using GSF to verify the integrity of the app, OS, and device before they allow you to start that process.

Unless you are somehow under the impression that there is only one bank in the world, with one app, you're making the assertion that your personal situation with your particular bank is also the only one the OP could possibly be in. This is infantile.

Which is why authentication is (or should be) handled server-side, and any on-device security handled by widely deployed, trusted frameworks. The "app" can then be (and IME often is) little more than a thin interface for the web api, with hooks into GSF for 2fa.
If an app does require integrity checks (e.g. allows fingerprint or facial recognition auth and does it on-device), that's exactly what the android integrity and hardware crypto apis are for. Most apps use those, because security is hard and reinventing wheels is stupid... They're also far more secure than relying on something like cell network registration / IMEI, which is notoriously easy to screw about with (see many real-world examples of sim-swapping / device cloning attacks).

My bank also has an app, it's not mandatory, it only uses 2fa for initial setup, and it works perfectly in a VM. The same goes for a host of "special deal only in our app spyware" situations, virtual boarding passes, concert tickets et al., extracting login tokens or DRM decryption keys for reuse in third-party apps, and countless other things besides.

The OP asked about much more than that.
Running in an emulator is only a necessary part of what OP ultimately wanted to do.

The app the OP refers to is the bank's custom application running on a smartphone in the way I previously described.

So the answer to the question/s I posed in my previous post would seem to be a hard no.

Exactly.

As far as I can tell, Google et al have absolutely no involvement (at least for the time being) in the client <-> bank transaction through their authenticating servers, none whatsoever.

Banks are run by experienced white collar crooks, not idiots.

Many years ago, I tried to log into one of my bank's websites using the Tor browser, thinking it would be better and safer.
It took a few seconds to get kicked out of the session and instantly get an email summoning me to the head branch to speak with an accounts officer who, sternly produced a disclaimer for me to sign because "third party malware had been detected during my last log in" and assume full responsibility for whatever could happen, lest they terminate my account on the spot if I did not sign it.

Needless to say, he did not take lightly my asking if he was referring to the MS operating system (Win98SE) running on the boxes I used at the office and at home.

So no, for all the reasons I explained in my lengthy post, I do not think it is possible to avoid using a smartphone to do any banking unless the bank allows the use of an 'on-device' authenticator running on your smartphone, something that will never happen.

Basically because, among other things, it is an integral part of the the meta-data farming system that has been put in place in the past 5/10 years.
With no government oversight whatsoever.

Soon enough, you will not even be able to order a pizza at a resturant without a smartphone.
The absence of a printed menu has recently started to become a widespread trend.
ie: sitting at a table in the joint, you actually have to use a smartphone to see the menu on the restautant's web site.

And it is going to get worse.  8^|

Best,

A.

There are ways to spoof device attestation, but it's a cat-and-mouse game with google and far too complicated to go into here. Hit up xda forums.

Interesting.

Let me see if I understood this correctly:

Using one or any of the applications suggested above, I can log into my bank or whatever secure website requiring a website supplied token* and carry out my business without actually using a smartphone?

* the token sent by the secure server to a smartphone registered under my name with that same server but without using the smartphone in any way.

Yes?

That said, I do obtain secure access to a couple of secure websites using my browser.
But the token is generated by the smartphone itself (ie: me) via an app such as Aegis Authenticator.
All I had to do is copy a QR code generated by the owner of the website and apply it to the authenticator.

Any time I need to access that secure server, I first login to the website (with UserID+PW) and then use the authenticator to generate a six digit number (on demand) in order to complete my access.

No further process is carried out on or by the secure server.

Best,

A.

I'd suggest a version a year or two old, so as to avoid the worst of the Artificial Idiocy that google seems determined to infict on man + dog.

Indeed ...
The final objective is that everyone uses a smartphone for everything.

Same here.
And the local telcos do not offer any dumbphone options.

A local doctor's association (or whatever it is) has intere$ted / offered their associated physicians access to a dedicated website where, instead of handing you the usual hand written prescription while you are in front to them, they will send it to you via email.

To that effect, all your data and prescription history is stored (safely, never shared or sold mind you) in the association's server.
Not only that, it seems that the chaps actually get some cash for every patient that gets uploaded to the data base.

Like my proctologist's secretary ignorantly explained: "the Dr. saves time when not having to write the prescription".  8^D !!!

The bank where I get my pension deposit and have been a client for more than 25 years one day decided that I would no longer be able to transfer money between my account and any other account (mine or not) if I did not have a token which was (to them) the only possible way to ID myself before the bank's infrastructure if I was using their website.

Gone was the 2FA Auth I had been using and as you would expect, said token could only be generated by an app running in a smartphone I did not have (used a Blackberry at the time).

Needless to say that the process of installing the app involved (you guessed it) uploading photos of your mug like if you were being processed for murder. ie: front / right / left / smiling / not smiling and so on. It's a wonder they did not also want a photo of my tonsils.

I could go on as examples of this bulshit abound so I will stop now and explain why all this is happening worldwide:

It is all about control.
A smartphone is basically a tracking device and all these app shennanigans are meta-data harvesting procedures.

The moment you get your mug shot on-line is the moment it is shared worldwide, istantly associated to all the information you shed permanently with absolutely everything you do with a smartphone. eg: banking, digital wallet payments, etc.

The added bonus for banking institutions is that, sooner than later, any and all client banking activity will have to be done via a smartphone.
Forget your secure Linux box behind a router / firewall at home and, to their shareholder's delight as all their clients will then work for them, welcome to the world of banks without branches, ATMs, tellers, employees, etc.

Like stores of all sorts that, as time goes by, have more self-service checkout tills and less cashiers or humans: you are both the employee (weighing/sorting/checking out the goods) and the client (paying for it all).

I flatly refuse to use them and point out to the employee at the till that if I do, eventually they will be out of a job, a job which they are good at.
Their reply? "I find it very helpful, especially when there are many clients in the store"
Unbelievable.

I do not think there is one and given how the system works, I there will not ever be one.

This because the key to all this is that the app runs on the smartphone, ie: the portable data harvesting device registered (via an IMEI <-> your ID pair) to you and working with / through the telco's infrastructure which is (obviously) linked to the rest of the world-wide telco infrastructure and whatever other infrastructure feeds from it.

As far as I know, it is impossible to access that infrastructure directly with a computer / emulator but you can do it if your computer accesses it via your smartphone, I believe there is such a thing for whatsup. You would need to fake quite a few things, the main one being a valid IMEI / your ID pair.

Soon there will be no way of using any telco infrastructure without a registered smartphone.

No dumphones or burner phones will be allowed and all communication devices will have to be linked to a valid ID, meta-data* included, of course.
* full name, address, full facial recognition data, some ID number (passport, etc.) and who knows what else.

Best,

A.