Banking and security

No. Monzo doesn’t send those codes.

1 Like

There is always going to be some balance between security and usability.

For me, banks need to move away from relying on phone numbers for verification. A SIM swap can happen by mistake, as happened to a friend, when someone at their mobile company mistyped the last digit of the phone number being set up.

1 Like

Some burglar alarm systems have duress PINs, typically your PIN backwards. This alerts that you’re under duress. Something similar for a bank PIN could be useful, alerting the bank you’re under threat.

4 Likes

I’m not sure how well this could be implemented in the banking industry, but Google have rolled out Passkeys to everyone now.

2 Likes

A few financial apps are already passwordless - e.g. Monzo.

1 Like

Passkeys are far more secure, and arguably easier and more convenient too.

Magic links rely on email integrity, and for most folks email is not encrypted or access-protected by multi-factor authentication.

Because of that, when setting up a new device for the first time, you need to go through the whole video selfie. Passkeys will eliminate the need to do that.

It’s far safer against scams, which are a particular vulnerability of magic links. And they can’t be phished. I get quite a few Monzo magic link emails that are not from Monzo. And the scarier thing about that is the official ones from Monzo always go into spam. The fake phishing ones have made their way into my actual inbox, so the phishing emails can look and feel more trustworthy.

There’s definitely gains in both security and convenience for passwordless banks too.

I hope all banks adopt this. But I don’t see them replacing existing security theatre entirely, but rather tacking it on. So I hope the fintechs move to this approach (Chase are already best poised to adopt it with their current approach) as a complete replacement for what they already do once this is standard. In the interim it should be an optional sign-in method alongside magic links or whatever the current approach is, as currently recommended by the specs.

4 Likes

I agree. But here’s something I can’t quite get my head around:

As I understand it, passkeys are stored in your Google, Apple or MS accounts (you can port between them). But ultimately you still need to get into those accounts. It’s regressive, but your Google, Microsoft or Apple account will always need a password because it’s the last line of defence and if your phone is stolen or your house burns down you won’t have a second factor.

Is that right?

I don’t think it’s quite right, no. The underlying tech is quite complex, so can be difficult to wrap your head around, so I’ll try to keep it as simple as I can.

In the background it’s essentially a type of key pair cipher. The service you sign into keeps a public key; your device holds the private key. Your device(s) hold the key, not your Apple/Google account. Apple and Google will function as key stores (the passkey equivalents of a password manager).

It could certainly be used for authenticating your Apple or Google accounts too. I’m not sure about Google, but this is how Apple’s 2FA already kinda works under the hood. Just instead of signing in with a password going forward, you’ll need a device with your private key. I imagine for that reason, the stores will probably always run on a 2FA backup in case you completely lose your private keys somehow. Or there could be a solution for that, I’ve not actually read that much into all the under the hood stuff yet.

But it’s your device that holds the private key. Apple/Google are just doing the syncing. You don’t wanna lose your device and lose your key. Other services such as 1Password, and your typical password managers, will run the same sort of thing I imagine. 1Password are already working on it:

They probably do a much better job of explaining than I could too.

2 Likes
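To make the key-pair explanation above concrete, here is a small simulation of the passkey sign-in flow (added illustration, not code from Monzo, Apple, Google or 1Password): the device keeps a private key scoped to the bank’s domain (the WebAuthn relying-party ID), the bank stores only the public key, and each login is a signature over a fresh challenge. The names `Authenticator`, `RelyingParty` and the domain `bank.example` are constructed for the example; real WebAuthn signs a richer structure, but the property is the same: a look-alike domain has no matching key on the device, so there is nothing for a phishing page to collect.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Authenticator models the user's device (the "key store" in the post): it holds
// private keys, each scoped to the relying-party ID (domain) it was registered for.
type Authenticator struct{ keys map[string]ed25519.PrivateKey }

// RelyingParty models the bank: it stores only public keys, one per user.
type RelyingParty struct {
	ID   string
	pubs map[string]ed25519.PublicKey
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]ed25519.PrivateKey{}}
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, pubs: map[string]ed25519.PublicKey{}}
}

// Register creates a fresh key pair on the device; only the public half leaves it.
func (a *Authenticator) Register(rp *RelyingParty, user string) error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	a.keys[rp.ID] = priv
	rp.pubs[user] = pub
	return nil
}

// Sign answers a login challenge only for an rpID the device holds a key for: a
// look-alike domain gets no signature at all, which is why passkeys resist phishing.
func (a *Authenticator) Sign(rpID string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, errors.New("no credential registered for " + rpID)
	}
	return ed25519.Sign(priv, append([]byte(rpID+"|"), challenge...)), nil
}

// Verify checks the response against the user's stored public key and the challenge
// the bank issued, so a captured signature cannot be replayed for a later login.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.pubs[user]
	return ok && ed25519.Verify(pub, append([]byte(rp.ID+"|"), challenge...), sig)
}
```

The same structure is why losing the device matters: the private key never exists anywhere except on the authenticator (or its synced key store), which is the recovery question raised further down the thread.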

Thank you.

What I don’t understand is this scenario:

How are things resolved then? Or do you lose your digital life?

(A side thought: most phones require a password before they activate biometrics etc., and often fall back to passwords from time to time for no real reason. I wonder how that’ll evolve in the future.)

3 Likes

I think the question was though, if you lose your device, what’s the fallback?

2 Likes

I actually answered that in a final paragraph then opted to delete because I thought I already covered it!

I imagine in this case, the key stores will fall back to your standard multi-factor authentication, which would include a password.

There might also be something in the spec for this scenario too, but it’s not something I’ve read a great deal of just yet.

I can look into it though, and get back to you with an answer.

It might just be the same age-old situation of what happens if you lose all your factors, meaning you lose your account.

But over time a solution has been developed for that which is built on trust. I suspect you may be able to designate someone you trust as a way to authenticate back into your key store and regain your keys that way. Just like a close friend or family member can authenticate your Apple sign-ins if you can’t.

3 Likes

Thank you!

I think we might be violently agreeing. This is what I had in mind when I wrote this:

I’ve been meaning to check it out on Google, actually. I do think it’s a good idea, I’m just mildly nervous about the edge cases (I’ve been thinking about getting a Yubikey in case that mitigates it a bit).

I very much hope that Monzo offers this soon - it’s the sort of thing that they could implement pretty easily compared to legacy banks and would be progressive and kinda cool.

3 Likes

Yep, it does look like a 2FA fallback is used for that rare scenario:

And my recovery assumption seems to be correct here too.

It’s probably the best compromise for now. It’s either this or no recovery at all, and that still beats a simple password in terms of security. I’m happy to have an inconvenient but secure fallback given how rarely folks would need it.

According to 1Password though, there is nothing in the spec for recovery. It’s down to the vendor, and this is just what Apple are doing as a vendor. Google (and other key stores) might deploy something similar, or different, or nothing (they’re recommended to offer something) at all.

2 Likes

I’ve heard that too, where the magic link emails go into spam.

When I was setting up my iPhone again, I was thinking where the hell is my email from Monzo, because you don’t get notifications for emails that aren’t in your inbox, so I didn’t see it.

1 Like

That’s correct, passkeys do not replace 2FA, at least not on a Google account. I can still get in via my Yubico key or using my password plus a verification text.

2 Likes

Have you ever tried registering a new device on your NatWest account? It makes you go through a customer account number screen, a PIN screen and a password screen.

God forbid I move to Bitwarden for just a second to grab my customer account number, or to remind myself of my password; if you do that they make you start the entire process of re-registering the device again.

2 Likes

Let me introduce you to a digital bank, called Monzo…

1 Like

I do use Monzo as a main account; however, NatWest is used basically as a transport account for me.

If I have cash I need to pay in and I’m not near a post office but I am near a NatWest branch, I take it to the cash machine inside the branch.

Then again, it’s very rare that I have to carry cash.

That was a bit off topic; however, passkeys would be a great example of the setup process being simplified for setting up NatWest on a new mobile.

1 Like

I created a passkey for my Google account on my Mac and it appears to have stored the private key in my iCloud Keychain, so it works on my iPhone and iPad, too.

2 Likes

Was initially going to post this here before I found the right, but it’s relevant to the discussion here too:

2 Likes