When I use FaceTime to access my First Direct App it does not give me the option to sign in using my phone passcode, no matter how many times I try. I consider this to be an additional level of security.
The Monzo App allows you to enter the phone code if FaceTime fails. I realise some people want this option but can’t both options be catered for in the Monzo App settings?
If First Direct doesn’t get a facial recognition it backs up to a password.
On this forum we’ve been through this many times. Monzo doesn’t believe its approach to be any less secure, because you are still required to authorise transactions, just at the time of making them.
You are talking about a privacy issue, access to information about your account. One could argue that the reams of letters FD sends out in the post are also a privacy weak point.
As nothing on the internet is 100% secure there is always a trade-off between security and ease of use. Every bank, including Monzo, pitches its access somewhere on this continuum, and it is for you to decide where you’re happy to sit.
But this has been raised again and again, and Monzo hasn’t ever changed its policy. Being as security is vital to Monzo’s ongoing authorisation to trade as a bank, I would assume the authorities are also fine with its approach, and Monzo isn’t going to adopt what FD does.
I believe these were introduced so folks wearing masks in shops or on public transport could unlock their App when Face ID fails.
Seems as secure as Face ID, as someone mentioned it’s following Apple guidelines.
As others have pointed out, it’s not an extra layer. This is just security theatre. Monzo used to treat biometrics the same way, annoying a good number of us. I would even go so far as to say that it’s not even security but rather a poor and lazy implementation of biometrics.
A few folks above however are wrong in that you can add another Face ID scan and get in that way. Face ID to access apps is only supposed to work with faces set up prior to you enabling the option with the app. So if someone were to set up a new Face ID scan, it should not be working to access First Direct, instead First Direct should not be recognising the face, and default to the fallback. If someone disables Face ID, they would need to access the app via the method it used prior to enabling Face ID. It doesn’t just fall back to the device passcode like some have suggested.
It’s a good step in the right direction, and I hope it remains when face masks are no longer the norm too. It’s incredibly important to be able to bypass biometrics at times, for a variety of reasons. I would personally like Monzo to go a step further, and use their own fall back if Face ID were to fail for some reason. That way they’re not relying on the same passcode used to access the device.
With respect, they are dead wrong.
I’m of the opinion that it’s both. I won’t go into too much detail because discussing criminal acts is in violation of the community code of conduct here, but the information I can (if I were a threat actor) gather from just read-only access to the data would be sufficient to defraud you in some form or another; that’s a security issue. I can also learn tremendous amounts about you, which is the privacy issue. Both are important and should be safeguarded, by default, to the best of Monzo’s ability. Just as long as they don’t go too far and cross into security theatre.
Here’s another security issue with their approach that I’ve brought up quite a few times.
I would assume they just don’t fully understand the nuances, as authorities rarely do, and often have to bring in experts to try to explain it to them when an issue arises. Regulators were quite fine (or just blissfully unaware and didn’t care) with TalkTalk storing sensitive customer data in plain text, until they got hacked. Nothing major has gone wrong with Monzo’s approach to warrant any scrutiny from the authorities, but that doesn’t mean it won’t happen. In my professional opinion, Monzo is not, by default, secure enough, so it’s only a matter of time.
There are so many topics on this issue already though, could they be merged?
You clearly know your stuff but just to be clear, I’m requesting what I get on the First Direct App and that is that if Face ID fails it doesn’t ask for the phone PIN but asks for the First Direct passcode instead.
Isn’t that exactly what you’re suggesting when you said “I would personally like Monzo to go a step further, and use their own fall back if Face ID were to fail for some reason. That way they’re not relying on the same passcode used to access the device.”… or am I missing the point yet again?