App Face ID security

When I use FaceTime to access my First Direct App it does not give me the option to sign in using my phone passcode, no matter how many times I try. I consider this to be an additional level of security.

The Monzo App allows you to enter the phone code if FaceTime fails. I realise some people want this option but can’t both options be catered for in the Monzo App settings?

So you’re saying that using the phone unlock code to get into Monzo (when FaceID fails) is insecure, are you? Because the last sentence you’ve written is unclear.

Monzo is doing it correctly as per the Apple guidelines.

1 Like

I’m just saying my existing bank (First Direct) only accepts my face and doesn’t let me bypass to pin.

I like this extra level of security.

I thought Monzo would be interested in what other banks offer but maybe not.

Nobody who has commented works for Monzo.

1 Like

Using the phone passcode you can turn Face ID on and off in the phone settings or add new faces to it, and therefore bypass the First Direct app’s entry too, so it’s not an additional layer of security.

3 Likes

I had not thought of that :blush: thank you for your comment.

EDIT: just tested your suggestion and turning off FaceID makes the First Direct app revert to their secure password.

2 Likes

If First Direct doesn’t get a facial recognition it backs up to a password.

On this forum we’ve been through this many times. Monzo doesn’t believe its approach to be any less secure, because you are still required to authorise transactions, just at the time of making them.

You are talking about a privacy issue, access to information about your account. One could argue that the reams of letters FD sends out in the post are also a privacy weak point.

As nothing on the internet is 100% secure there is always a trade-off between security and ease of use. Every bank, including Monzo, pitches its access somewhere on this continuum, and it is for you to decide where you’re happy to sit.

But this has been raised again and again, and Monzo hasn’t ever changed its policy. Being as security is vital to Monzo’s ongoing authorisation to trade as a bank, I would assume the authorities are also fine with its approach, and Monzo isn’t going to adopt what FD does.

I don’t understand what’s wrong with that; it’s more secure but no more hassle to access. I didn’t realise this exact suggestion has been covered again and again. Thanks for letting me know.

I’m new to Monzo so I’ll see how I find using it and what further security I require when making payments before I decide if I’m comfortable with it. Thanks again.

A pin is more secure and you’ll always need the pin before paying someone etc.

Opening the app is up to you entirely. You can use FaceID, you can use a pin (after FaceID) or you can use nothing at all.

What about just adding a new face to Face ID though? Have you tried that?

You’re right! You can just set up an alternative appearance. :pray:

Do I just delete this topic or close it in some way?

Just leave it here; if anyone has the same thought they might search first and find this (in some sort of ideal world).

And then maybe people just want to chat about FaceID security, we are kinda like that after all :nerd_face:

2 Likes

I believe these were introduced so folks wearing masks in shops or on public transport could unlock their App when Face ID fails.
Seems as secure as Face ID; as someone mentioned, it’s following Apple guidelines.

As of August.

As others have pointed out, it’s not an extra layer. This is just security theatre. Monzo used to treat biometrics the same way, annoying a good number of us. I would even go so far as to say that it’s not even security but rather a poor and lazy implementation of biometrics.

A few folks above however are wrong in that you can add another Face ID scan and get in that way. Face ID to access apps is only supposed to work with faces set up prior to you enabling the option with the app. So if someone were to set up a new Face ID scan, it should not be working to access First Direct, instead First Direct should not be recognising the face, and default to the fallback. If someone disables Face ID, they would need to access the app via the method it used prior to enabling Face ID. It doesn’t just fall back to the device passcode like some have suggested.

It’s a good step in the right direction, and I hope it remains when face masks are no longer the norm too. It’s incredibly important to be able to bypass biometrics at times, for a variety of reasons. I would personally like Monzo to go a step further, and use their own fallback if Face ID were to fail for some reason. That way they’re not relying on the same passcode used to access the device.
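The behaviour described in the post above (a newly added face, or Face ID being switched off, stops the biometric unlock working and drops the app to its own fallback rather than the device passcode) is what iOS gives an app that binds its unlock secret to the current biometric enrolment. The Swift below is an added illustration written for this thread; it is not First Direct’s or Monzo’s code, and the function names, the account label and the “store a random session token” design are assumptions. It uses the public Keychain and LocalAuthentication APIs: `kSecAccessControlBiometryCurrentSet` makes the item unreadable once the enrolled biometric set changes, and because the flag is used without `.devicePasscode`, the system never offers the device passcode as a fallback.

```swift
import Foundation
import Security
import LocalAuthentication

// Hypothetical helper names for this example; not code from any bank's app.
enum BiometricGateError: Error {
    case accessControl(String)
    case keychain(OSStatus)
}

enum UnlockResult {
    case unlocked(Data)                 // biometric check passed, secret returned
    case biometricsChangedOrUnavailable // item invalidated (new face / Face ID off) or never enrolled
    case userCancelled
    case failed(OSStatus)
}

/// Store an app-unlock secret (e.g. a random token issued after the user entered the
/// app's own passcode) so it can only be read with the biometric set enrolled right now.
func storeUnlockSecret(_ secret: Data, account: String) throws {
    var cfError: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
        .biometryCurrentSet,   // bound to the current enrolment; no .devicePasscode fallback
        &cfError
    ) else {
        let msg = cfError?.takeRetainedValue().localizedDescription ?? "unknown"
        throw BiometricGateError.accessControl(msg)
    }

    let baseQuery: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrAccount as String: account,
    ]
    // Replace any previous secret, e.g. after the user re-enrols with the app passcode.
    SecItemDelete(baseQuery as CFDictionary)

    var addQuery = baseQuery
    addQuery[kSecAttrAccessControl as String] = access
    addQuery[kSecValueData as String] = secret
    let status = SecItemAdd(addQuery as CFDictionary, nil)
    guard status == errSecSuccess else { throw BiometricGateError.keychain(status) }
}

/// Try to unlock with Face ID. iOS shows the biometric prompt itself; if the enrolment
/// changed since storeUnlockSecret ran, the item is gone and the read fails, which is the
/// signal for the app to ask for its OWN passcode instead of the device passcode.
func readUnlockSecret(account: String) -> UnlockResult {
    let context = LAContext()
    context.localizedReason = "Unlock the app"

    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrAccount as String: account,
        kSecReturnData as String: true,
        kSecUseAuthenticationContext as String: context,
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)

    switch status {
    case errSecSuccess:
        guard let data = item as? Data else { return .failed(errSecDecode) }
        return .unlocked(data)
    case errSecItemNotFound:
        // In practice this is what a biometric enrolment change looks like to the app.
        return .biometricsChangedOrUnavailable
    case errSecUserCanceled:
        return .userCancelled
    default:
        return .failed(status)
    }
}

// Typical login flow (assumed): biometrics first, app passcode as the only fallback.
func appUnlockFlow(account: String, promptForAppPasscode: () -> Bool) -> Bool {
    switch readUnlockSecret(account: account) {
    case .unlocked:
        return true
    case .biometricsChangedOrUnavailable, .userCancelled, .failed:
        // Never fall through to the device passcode: that is the weakness discussed
        // in this thread. Require the app's own credential and re-enrol on success.
        guard promptForAppPasscode() else { return false }
        var token = [UInt8](repeating: 0, count: 32)
        _ = SecRandomCopyBytes(kSecRandomDefault, token.count, &token)
        try? storeUnlockSecret(Data(token), account: account)
        return true
    }
}
```

The design point is in the access-control flag: `.biometryCurrentSet` alone ties the secret to the faces enrolled at the time, so an attacker who knows the device passcode and adds their own face gets a failed read, not a successful unlock. Swapping the flag for `.userPresence` or adding `.devicePasscode` is what produces the “Face ID fails, enter the phone PIN” behaviour the original poster objects to.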

With respect, they are dead wrong.

I’m of the opinion that it’s both. I won’t go into too much detail because discussing criminal acts is in violation of the community code of conduct here, but the information I could (if I were a threat actor) gather from just read-only access to the data would be sufficient to defraud you in some form or another; that’s a security issue. I can also learn tremendous amounts about you, which is the privacy issue. Both are important and should be safeguarded, by default, to the best of Monzo’s ability. Just as long as they don’t go too far and cross into security theatre.

Here’s another security issue with their approach that I’ve brought up quite a few times.

I would assume they just don’t fully understand the nuances, as authorities rarely do, and often have to bring in experts to try to explain it to them when an issue arises. Regulators were quite fine (or just blissfully unaware and didn’t care) with TalkTalk storing sensitive customer data in plain text, until they got hacked. Nothing major has gone wrong with Monzo’s approach to warrant any scrutiny from the authorities, but that doesn’t mean it won’t happen. In my professional opinion, Monzo is not, by default, secure enough, so it’s only a matter of time.

There are so many topics on this issue already though, could they be merged?

You clearly know your stuff but just to be clear, I’m requesting what I get on the First Direct App, and that is that if Face ID fails it doesn’t ask for the phone PIN but asks for the First Direct passcode instead.

Isn’t that exactly what you’re suggesting when you said “I would personally like Monzo to go a step further, and use their own fall back if Face ID were to fail for some reason. That way they’re not relying on the same passcode used to access the device.”… or am I missing the point yet again?

1 Like

You’re not missing the point at all!

It sounds like we both suggest and want the same functionality!

I would encourage you to vote on the suggestion here, as it’s where this particular issue is already being discussed:

Agreed. I have done as you suggested but both that thread and this one went off topic and I don’t feel they requested the following exactly…

“I would personally like Monzo to go a step further, and use their own fall back if Face ID were to fail for some reason. That way they’re not relying on the same passcode used to access the device.”

I would append this to my original request to clarify but I can’t. Here’s hoping that someone at Monzo gets this far down the thread and reconsiders this functionality.

1 Like

You are right, but if they have your pin, then there’s not a lot they can’t do.

They would just do “forgot login” details and then it will either come through as a 2FA for email/text or something.