As others have pointed out, it’s not an extra layer. This is just security theatre. Monzo used to treat biometrics the same way, annoying a good number of us. I would even go as so far to say that it’s not even security but rather a poor and lazy implementation of biometrics.
A few folks above however are wrong in that you can add another Face ID scan and get in that way. Face ID to access apps is only supposed to work with faces set up prior to you enabling the option with the app. So if someone were to set up a new Face ID scan, it should not be working to access First Direct, instead First Direct should not be recognising the face, and default to the fallback. If someone disables Face ID, they would need to access the app via the method it used prior to enabling Face ID. It doesn’t just fall back to the device passcode like some have suggested.
It’s a good step in the right direction, and I hope it remains when face masks are no longer the norm too. It’s incredibly important to be able to bypass biometrics at times, for a variety of reasons. I would personally like Monzo to go a step further, and use their own fall back if Face ID were to fail for some reason. That way they’re not relying on the same passcode used to access the device.
With respect, they are dead wrong.
I’m of the opinion that it’s both. I won’t go into too much detail because discussing criminal acts is in violation of the community code of conduct here, but with the information I can (if I were a threat actor) gather from just read only access to the data would be sufficient to defraud you in some form another, that’s a security issue. I can also learn tremendous amounts about you, which is the privacy issue. Both are important and should be safeguarded, by default, to the best of Monzo’s ability. Just as long as they don’t go too far and cross into security theatre.
Here’s another security issue with their approach that I’ve brought up quite a few times.
I would assume they just don’t fully understand the nuances, as authorities rarely do, and often have to bring in experts to try to explain it to them when an issue arises. Regulators were quite fine (or just blissfully unaware and didn’t care) with TalkTalk storing sensitive customer data in plain text, until they got hacked. Nothing major has gone wrong with Monzo’s approach to warrant any scrutiny from the authorities, but that doesn’t mean it won’t happen. In my professional opinion, Monzo is not, by default, secure enough, so it’s only a matter of time.
There are so many topics on this issue already though, could they be merged?