Banking and security

Sure, but what does a video thwart that a Live Photo wouldn’t?

There are benefits and drawbacks to both. They each have different attack vectors. Hence multiple factors. They’re not impervious; they just reduce the odds.

I appreciate you have the benefit of insight here though, so perhaps you know something I don’t. I have zero knowledge of what Monzo is doing with these videos internally. It’s the video nature of it that’s always been the theatrical aspect to me.

2 Likes

The key difference is the ability to ask people to say a unique phrase to ensure that it is live - which isn’t an option for a photo.

9 Likes

Clearly a man who’s never seen Face/Off

9 Likes

I mean I’d defend the easily part of my statement, even when faced with Nick Travolta and John Cage.

1 Like

not gonna give the telegraph my money, but one-click Apple Pay instead of a sign up page is a fun little time saver

3 Likes

I guess the ‘nearly’ part goes to hardware keys, which have become so easy to use it’s a bit baffling banks still aren’t using them. The only barrier is buying one; in the interest of security, surely banks would want to absorb the initial cost and offer one to each customer, if it would save money from customers being phished, vished etc.

1 Like

Some of them did :scream:

7 Likes

Except they’re easy to lose, not something the general public is familiar with, and generally considered a bit of a faff.

You always have your face with you!

6 Likes

Does anyone else see Matt Hancock? Or am I really that disturbed?

7 Likes

No, not that stupid thing. A real hardware key (yubikey for example).

Those are excuses that need to go away.
So are passwords: easy to forget, so I’ll write it on a Post-it note, or use the same one (password123) for every account. You can pander to these excuses, or you can argue back, educating people as to what’s secure. Unfortunately you cannot hide behind a rock and pretend you can still do things the way you used to 20 years ago; people have to learn and adapt.

The stupid card reader thing posted above is a prime example - it’s so much more inconvenient and cumbersome to use, but some banks went ahead with it and a lot of people now are familiar with it. If you can do it with that abomination, you can do it with hardware keys :wink:

Except people choose their banking on how easy it is - I stopped using NatWest & Barclays partly because the pin sentry was so annoying.

You can’t force people to learn, the face solution for fintech banks is a much easier choice which is very difficult for the average joe to defeat.

8 Likes

I can fully see how the face thing helps reduce the takeover of accounts on Monzo, as a lot of fraud was taking place by people basically logging in to their account after getting into their email account etc.

It’s a quick solution, which closes the gap for everyone. It doesn’t mean that you have to ensure everyone has a security device, which they’ve set up on their account, and they know how to use etc. It’s using simple solutions to solve a widespread issue in Monzo.

3 Likes

Question for you (and @bee in their new role / @N26throwaway / everyone else): just how different is a yubikey to a card reader? They both offer a form of cryptographic certificate, even though the standards will differ, right?

Is the objection more because there’s faff (insert card, press buttons, type pin, mutter incantation) or is there a technical issue?

1 Like

If that’s the element which makes it more secure, then surely you wouldn’t allow an accessibility bypass?

Has Monzo actually done any of their own peer reviewed research on this to back claims like that up anyway? Would love to read about it if they have.

I’ll share a bit of the differences and then let someone else take this one. I don’t use nor particularly like hardware keys. Probably sounds weird given my field, but I’m all about finding the perfect balance between convenience and security and champion the most secure methods that don’t impact usability or accessibility much if at all. Hardware keys are not that for me (2fa everywhere isn’t either), but I totally get why some folks use them and like them.

Yubikeys are less faff though, and they make a lot of sense in a corporate environment. The folks who like them outside of that environment do so essentially to uncouple the second authentication factor (something you have) from the device on which your password is stored. So the thing you have and the thing you know are now separate.

Your bank card readers are cumbersome to use and kinda proprietary. They’ll only work with banks because banks have to do this their own way. The new thing of banks being banks is making you use their own app to authenticate transactions as opposed to your own authenticator like a yubikey. They’re also a bit of a faff. They’re bulkier, need your card and are very slow. Yubikey offers the same protection, but is nearly instant as it removes all the manual code entering. Well, kinda. Some will argue the bank’s more obtuse method and friction makes theirs more secure. But it’s a tiny gain for a lot of hassle, so it sits in the security theatrics camp for me.

1 Like

Theoretically I should be an expert on this because not only did I work in the IAM team at Monzo (who managed passwords, security keys etc. for all of Monzo), but I now also work at Duo (who invented a lot of the standards around Yubikeys etc.)

But I don’t know much currently :joy:

I can say, however, that a lot of these “extreme” things banks do to “protect” customers have very small effects. Like Stronger Customer Authentication I believe changed the needle perhaps 0.1% to protecting customers :thinking:

Yubikeys are cool for techy people because you can use them for SSH etc. There’s also WebAuthN https://webauthn.io/ which would stop phishing completely using hardware keys (yubikeys) (assuming prime factorisation is not broken; see How to Share a Secret (Diffie-Hellman-Merkle)).

However, this is assuming that every customer knows not to trust a website unless the yubikey works (I am sure people would probably ignore it)

Security is hard :frowning:

7 Likes
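As an added illustration of the phishing-resistance point in the post above (example code written for this page, not code from the thread, Monzo or Duo): a simplified relying-party check of a WebAuthn assertion, showing why a lookalike site cannot replay a security key's response even if it relays the bank's challenge in real time. All names and values are constructed; an HMAC with a constructed device key stands in for the real public-key signature, and the browser/authenticator side is simulated in one function.

```python
import hashlib
import hmac
import json
import os

# Constructed values for this example (not any real bank's).
RP_ID = "bank.example"                    # relying-party ID the credential was registered for
EXPECTED_ORIGIN = "https://bank.example"  # origin the server accepts
DEVICE_KEY = b"constructed-secret-held-only-by-the-key"  # stand-in for the key's private key


def authenticator_get(rp_id, origin, challenge):
    """Simulated browser + security key. The browser fills in the origin of the page that
    made the request and only permits an rp_id that is the origin's host or a parent of it,
    so a phishing page can never obtain an assertion bound to bank.example."""
    host = origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise ValueError("browser refuses: rp_id is not a registrable suffix of the origin")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01"  # rpIdHash || flags (user present)
    signed = auth_data + hashlib.sha256(client_data).digest()      # what a real key signs
    sig = hmac.new(DEVICE_KEY, signed, hashlib.sha256).digest()   # HMAC stands in for ECDSA here
    return client_data, auth_data, sig


def verify_assertion(client_data, auth_data, sig, challenge):
    """Relying-party (bank server) checks, in the order a WebAuthn verifier performs them."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or not hmac.compare_digest(cd.get("challenge", ""), challenge):
        return False, "challenge mismatch"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch"            # this is what defeats a phishing proxy
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    expected = hmac.new(DEVICE_KEY, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    return True, "ok"


def login_from(origin, challenge=None):
    """Run one login attempt from a page at `origin`. A phishing page relaying the bank's
    challenge still gets its own origin written into client_data and cannot use RP_ID."""
    challenge = challenge or os.urandom(16).hex()
    rp_id = RP_ID if origin == EXPECTED_ORIGIN else origin.split("://", 1)[1]
    client_data, auth_data, sig = authenticator_get(rp_id, origin, challenge)
    return verify_assertion(client_data, auth_data, sig, challenge)
```

The last post's caveat still applies: the key simply does not produce a usable assertion on the wrong site, so the user has to treat "the key didn't work here" as the warning it is rather than falling back to a password.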

100% this. Even more so when you try to make it foolproof, easy, and convenient for all. Worth the hard work when you finally crack something though.

I imagine Apple were pretty happy with their whole setup for users until some bad actor realised if they just spent a day shoulder surfing someone they could just undermine it completely.

3 Likes

Just because you dislike having to do a video/say a phrase, doesn’t mean it’s a bad system.

I’m sure nobody likes it, but your personal reasons for not doing it are not common and clearly it helps prevent fraud.

2 Likes

Haven’t said it is, friend.