App, Security and Privacy (Fingerprint, Pin, or Password)

They’re adding a PIN, etc. soon…

Yippee, about time too :hugs::champagne: at the moment I have to opt for Starling just because of the data privacy

But wouldn’t your phone’s passcode already take care of that? And if there is no passcode are you sure you don’t have anything else you wouldn’t want your friends/family/kids to see on your phone? Personally I would be worried about my email or photos more than anything else.

1 Like

You may have your phone encrypted and PIN protection enabled, but when you have your phone unlocked, perhaps to let friends view photos or your partner send an email, you may not want them accessing your bank account (even by accident instead of intention), and with every other banking app, however crap it may be, at least I know the casual browser won’t stumble on my account history with one click.

3 Likes

I would prefer a pin on android and agree with @anon31249595

5 Likes

As long as it’s optional I don’t mind but I definitely don’t want it forced on me.

1 Like

Yes. Surely it is not the most complex thing to incorporate a PIN, and with all the time they have spent explaining why they don’t think we need to secure our data it could have been done by now.

1 Like

I’m sure that the team are more than capable of adding a PIN to the app, they’re building a bank after all :slight_smile:

The challenge is coming up with a secure recovery process for that PIN if it’s forgotten. Can you think of one?

2 Likes

To be fair, I don’t recall the Monzo team spending much (any?) time explaining why this feature isn’t needed. That’s all been us forum members discussing back-and-forth (with a lot of repetition :wink:). I think all the Monzo team have said is that this feature will be coming to Android, so the opposite of trying to convince us it’s not needed.

At this stage, we’re all participating in a beta service which is not complete, that’s part of the deal. Those who are unhappy with it (for whatever reason) can sit it out and reevaluate once the current accounts are available in < 6 months. :tada:

4 Likes

Well actually if you want the PIN to remain after an app reinstall they would have to also enforce it on the server and implement a recovery method, so it’s not that simple.

2 Likes

Also ideally you want recovery to not use the chat if possible - support is a costly resource.

Some methods I can think of (assuming the app pin is different):

  • Card PIN Change
  • Make a (PIN required?) transaction or deposit
  • Name Historic Transactions
  • Name Personal Details

But definitely a substantial bit of work to implement any of them.

The Starling app uses the phone’s lock screen to unlock the app when you disable the ‘Application Passcode’ (which I’ve switched to, to enable fingerprint unlocking). I’d be happy with that.

2 Likes

Reinstalling the app? :see_no_evil:

2 Likes

Hmm, that’s no good, because uninstalling the app is usually doable without any PIN, just drag and drop on Uninstall. It would need to be reinstall + something to verify once you install it again, otherwise it’s a few minutes to uninstall and set up the app with a new PIN, making the whole PIN endeavour pointless! :smiley:

edit: Unless it was sarcasm/joke and I didn’t get it at first! :smiley:

2 Likes

No, it wasn’t sarcasm or a joke. I’m serious and have tried making this point ad nauseam in this very same thread above.

We already fully 100% rely on emails for logging into Monzo. Even iOS users have to set up fingerprint/PIN security AFTER installation. I could access ALL of your information via the API and developers.monzo.com if I had access to your emails, which I would if you had handed your phone to me unlocked. In-app PINs or fingerprints are not stopping anyone from reinstalling; they are just a fence that limits casual entry, as per the following description.

If you are not happy with being able to reinstall the app afresh then it’s not a PIN/fingerprint you should be requesting, but a complete redesign of Monzo’s login system with passwords/codes on the server side and no magic links through email. That however is a different topic which has been extensively discussed elsewhere here even though I’m useless at searching and can’t provide you with any links. :laughing:

EDIT: Having PIN codes/passwords on server side would mean that the PIN/fingerprint would make the app inaccessible while off-line.

EDIT 2: I like the magic link login as it is, mentioned passwords only to provide perspective.

2 Likes

I’ve seen a few implementations… For example, LastPass can have the vault accessed while offline, providing the password. The password is stored locally and is used to decrypt the content of the vault. The vault won’t be updated or anything, but the most recent version of the vault can be accessed while offline. I guess if you change ‘vault’ into ‘transactions’, the same method would work.
That being said, LastPass’s password is not stored on LastPass’s servers.

The challenge mentioned earlier was ‘how to recover the PIN if forgotten’. I assume that your suggestion means that a new PIN can be set up when a new instance of the Monzo app appears on the phone? Reinstalling the app as a solution to a forgotten PIN makes the whole ‘how to make my transactions safe from prying eyes’ pointless. For example, if I have a jealous work colleague who wants to know how much I earn: a semi-skilled spy can snatch my phone, figure out my pattern, unlock the phone, uninstall, install, set up a new PIN and see transactions. Of course, I will find out once my old PIN won’t allow me to access the app, but that’s too late.

If I misinterpreted your suggestion, please let me know, there were a few flying around and it all becomes a blur!

@bhonobo To clarify, what camp are you on? :smiley: Have PIN or no PIN?

2 Likes

You are conflating Monzo’s overall authentication with a simple lock on the app. The master password in LastPass directly compares to the email magic links; that you are required to authenticate every time you go back to the app is another thing.

Let me be cheeky enough to reword one of your phrases there, and tell me how having a PIN in your app helps safeguard your transactions from prying eyes (I have been kind enough to highlight the mods and add some comments):

> If I have a jealous work colleague who wants to know how much I earn. A semi-skilled spy can snatch my phone, figure out my pattern, unlock the phone, uninstall, install, set up a new PIN [no need], go to https://developers.monzo.com, authorise himself [if he can reinstall, he has access to emails, so he can do this] and see transactions. Phew, thank god your app had a PIN!! :relieved:

See, what you are asking for here is for Monzo to change their authentication method by adding a password/PIN at the top server level, i.e. instead of magic links.

Answered above, re-quoted myself below, but I will add: it annoys me that excuses are given for not including a PIN when a fingerprint is acceptable. The difference between them is aesthetic to the customer’s use. In the background they have to be treated equally, i.e. password/PIN or fingerprint keys need to be saved somewhere/checked at some point. There is no coherent argument for implementing one and not the other, yet there are ample reasons to implement a PIN (dodgy fingers and Androids with no scanner).

Having a server-side password does not prevent offline access. There are plenty of commonly implemented technical solutions to this issue.

It seems like Monzo are in the process of implementing optional server-side fingerprint/PIN so I don’t see why we all don’t relax a little and see what they deliver?

4 Likes
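The offline-unlock pattern sketched in the LastPass post above (a locally stored secret decrypting a cached vault) and the point just made that a server-side password need not block offline access, as an added example in Python that is not from this thread, from Monzo or from LastPass; `enrol_pin`, `unlock`, the record layout and the five-attempt lockout are my assumptions.

```python
"""Offline app-PIN unlock modelled on the local-vault pattern discussed above.

The PIN never leaves the phone. A slow KDF (scrypt) turns PIN + random salt
into 64 bytes: the first 32 become the key that would encrypt the locally
cached transaction list, the second 32 are hashed again and stored as a
verifier. The app can therefore check a PIN with no network at all, without
ever writing the PIN or the cache key to disk. Layout and limits are assumed.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

MAX_ATTEMPTS = 5                       # assumed policy: lock out after 5 wrong PINs
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1   # ~16 MiB of memory, fine for a phone


def _derive(pin: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Return (cache_key, auth_key) derived from the PIN with scrypt."""
    raw = hashlib.scrypt(pin.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                         p=SCRYPT_P, dklen=64)
    return raw[:32], raw[32:]


def enrol_pin(pin: str) -> Dict[str, object]:
    """Called once when the user sets an app PIN; returns what the app persists."""
    salt = os.urandom(16)
    _cache_key, auth_key = _derive(pin, salt)
    # Only a hash of auth_key is stored: neither the PIN nor cache_key touches disk,
    # and the verifier cannot be turned back into the cache key.
    return {"salt": salt, "verifier": hashlib.sha256(auth_key).digest(), "failures": 0}


def unlock(record: Dict[str, object], pin: str) -> Optional[bytes]:
    """Offline unlock: returns the cache key on success, None on a wrong PIN.

    Everything needed is in `record`, so this works with no network. It does
    NOT authenticate to the bank: a reinstall discards `record`, which is
    exactly the limitation the thread keeps coming back to.
    """
    if record["failures"] >= MAX_ATTEMPTS:
        return None                      # locked out; the cached data should be wiped
    cache_key, auth_key = _derive(pin, record["salt"])
    if hmac.compare_digest(hashlib.sha256(auth_key).digest(), record["verifier"]):
        record["failures"] = 0
        return cache_key
    record["failures"] += 1
    return None
```

The cache key would feed an authenticated cipher (AES-GCM or similar) over the stored transaction list; that cipher is left out here so the block stays stdlib-only.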

Well, I’m doing baby steps regarding what I might want, and it’s hardly focused on a long-term approach. :smiley: A PIN is better than no PIN, and for me PIN > fingerprint personally. I can totally see what you meant with authorising the API; it would be useless to have a PIN in the app but nothing special on the API.

Your earlier post escaped me; I remember reading it, but didn’t link that it was you, apologies! You seem to actually sit quite close to my opinion, but I’m not sure there’s a reason to discredit the recovery process - it just needs to be designed in a way that makes sense, as well as have other avenues of spying taken care of! :smiley:

I’m upping my security across multiple websites, enabling 2FA where it matters. I’m okay that Monzo is somewhat in the early stages and I can wait until something solid appears. I don’t suspect Monzo will slap in the easiest, rubbish solution, but then I have to accept that more solid solutions need more time. I’d be keen to see what current accounts look like.

2 Likes

Just replying to apologise about the sound of my post :raised_hands: Don’t know what’s wrong with me, I think I need a holiday :pray:

1 Like