An update on PIN lock

Thanks to everyone who voted in our recent thread to make a decision about building a PIN lock.

Here’s an update on what we’re thinking, and why it’ll be a little while longer before it’s released.

Let us know what you think below!

6 Likes

+1 vote for the emoji lock. Makes it visually distinctive as something different and a lot harder to use the same pattern as everything else as I’m guilty of doing (and probably others)

2 Likes

When is interest going to be paid on pots?

3 Likes

Definitely love the idea of an emoji pin lock! :lock::rainbow::euro::chart_with_downwards_trend:

Wasn’t keen or planned to use a basic number lock, hate remembering numbers. And it’s well known people more easily remember things rather than numbers, making it more secure and less likely for people to write the pin down.

2 Likes

Not sure if it’s been mentioned already somewhere but these guys encode a PIN into a picture that you choose and then you point at certain memorable points on the picture. Looks pretty cool.

2 Likes

I must have missed the poll. I assume this is for people who don’t have facial or fingerprint recognition on their phones?

4 Likes

I certainly don’t want to use emoji as a pin. Would never remember it. Just use your primary account pin, sync it to the device at regular intervals (or push it from server on pin change) etc, simple.
Why the need to make it complicated?

5 Likes

I’d be more inclined to use numeric pin than emoji pin.

I feel like I’d be more likely to remember a numeric pin than emoji sequence.

It prompts a few Qs though - how many emojis can I choose from, would the location on the keypad be fixed or alternate, is it basically assigning an emoji to a number (the demo has them mapped over a 0-9 keypad).

Am I more likely to remember “Thumb-Tears-Poo-Heart” than 5-1-4-2?

I guess if emoji-pins become common it would be harder to remember all of them than when only 1 service does?

Edit to add: I would rather the focus of this solution be whatever makes the most sense from a security point of view (ahead of form…). In the other thread there was a bit of “don’t be like legacy banks, challenge the norm”. But… If it ain’t broke don’t fix it?

2 Likes

I very much liked the BlackBerry 10 OS Picture Password. To unlock your device you would be presented with a picture of your choosing overlaid with a random number grid. Then you would tap anywhere on the screen and drag the number grid until your number is on top of a specific spot.

It was simple, reliable, fast, and safe. You could unlock your device multiple times in full view of someone else and they would not be able to guess which number had to be moved to which position.

According to BlackBerry, it is resistant to smudge attacks, shoulder surfing, and brute force attacks.

You can see it in action here.

I would be delighted to see this be the unlock mechanism.

4 Likes

Can’t you just ask for the device’s pin to unlock the app, then you don’t need an additional one, or am I missing something here? This is how the fingerprint lock works, I don’t need to register a different finger just for Monzo :confused:

5 Likes

The idea is that even if someone has access to your phone – temporarily or by knowing its PIN – they wouldn’t have access to your Monzo account.

The first time in human history that these words have appeared in sequence :joy:

8 Likes

Storing your card’s PIN on the client would introduce an attack vector. We can’t do that I’m afraid. Either you lose offline access, or it needs to be a different pin.

10 Likes

The new pin won’t be mandatory, right? I really don’t need extra pin on top of my face (id)…

6 Likes

No, it’s for users who cannot access touch or Face ID for various reasons. Love the emoji lock but I’d never use it

The emoji pin looks fun and different but like someone else said I would never remember it! I think 6 digit is good, I use my parents’ landline from growing up so easy to remember. Definitely think interest on pots should be a priority and looking forward to that soon! :+1:

I assume there would be a process for ensuring your actual card PIN isn’t contained within the lock code?

:clock1::clock5::clock8::clock3:
:clock1::clock530::8ball::3rd_place_medal:

Having the Monzo App is an attack vector. You wouldn’t store the actual pin on device, that’d be stupid, just a hash of the PIN. User enters ‘a pin’, if the hash of the entered pin matches the hash of the stored (last known) pin then access is granted.

Given that the ‘option 2’ is the one selected and designed, this question is only of academic interest anyway.

1 Like
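
The on-device check described in the post above (store a hash, compare the hash of what the user enters), as an added example that is not part of the thread and not Monzo's code. The salt, the PBKDF2 cost, the failure limit and all names (`PinRecord`, `enroll`, `verify`, `derive`) are assumptions of this sketch: a 4-digit PIN has only 10,000 possible values, so a bare hash protects it very little, and the attempt limit does most of the work.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

ITERATIONS = 100_000  # assumed PBKDF2 cost; only slows guessing, the PIN space stays tiny
MAX_FAILURES = 5      # assumed limit before the app falls back to a full re-login


@dataclass
class PinRecord:
    """What the device stores: never the PIN itself."""
    salt: bytes
    digest: bytes
    failures: int = 0


def derive(pin: str, salt: bytes) -> bytes:
    # UTF-8 encoding means an emoji sequence is handled the same way as digits.
    return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, ITERATIONS)


def enroll(pin: str) -> PinRecord:
    # A fresh random salt means equal PINs on two devices give unrelated records.
    salt = os.urandom(16)
    return PinRecord(salt=salt, digest=derive(pin, salt))


def verify(record: PinRecord, attempt: str) -> str:
    """Return 'ok', 'denied' or 'locked'; mutates the failure counter."""
    if record.failures >= MAX_FAILURES:
        return "locked"  # refuse without hashing, even if the attempt is right
    # Constant-time comparison of the derived values.
    if hmac.compare_digest(derive(attempt, record.salt), record.digest):
        record.failures = 0
        return "ok"
    record.failures += 1
    return "locked" if record.failures >= MAX_FAILURES else "denied"


if __name__ == "__main__":
    rec = enroll("5142")  # constructed sample PIN, taken from the thread's 5-1-4-2
    print(verify(rec, "0000"), verify(rec, "5142"))
```
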