Not every provider gives you the option. It’s unreasonable to expect someone to ditch an email they’ve used their whole lives or change provider in such a case too.
It’s also not always the best idea to have 2FA on your email account. Some people might not want it, yet still wouldn’t want the lack of that on their email to compromise the security of their other more sensitive accounts, which is fine because it doesn’t have to.
It’s absurd to assess the security of your processes on the assumption that everyone is following best security practices everywhere else. Your systems need to be designed on the predication they are not. You shouldn’t be relying on this at all.
To emphasise the absurdity, no bank would trust I’m me on the basis that I’m emailing them from my email, with the headers validating no spoofing of any kind. Even though I have 2FA on. My email provider knows it’s me, my bank does not. Yet that’s the same level of trust Monzo are placing in it when it comes to logging in.
I’m baffled that folks are shutting down ideas of optional extra security because they don’t want it, instead suggesting those security enhancements be applied elsewhere where that user may not otherwise want or need them. It’s actually more arduous for users, and it’s a shift of liability from the service provider onto third parties, and even the user. No thank you.
Of course it is. If the security of authentication for your device is enough to undermine the security of your bank account, then your bank has a big problem in my book.
No one’s asking for that. But even if we were, this is how that looks when you flip the context of liability.
You could apply the same logic to device security too. Whatever security measures you’re imagining Monzo would need to deploy here to counteract poor device security are the exact same ones, and in turn, the exact same issues that would arise from one attempting to keep their device secure enough.
What’s being asked for by folks is the choice to enhance their individual app or account security if they want to. This does a few things. It adds freedom and control over how secure your account is. Multi-factor doesn’t necessarily mean hard to remember passwords. And of course no one has to use it. The freedom widens the scope of entropy, meaning the existence of the choice of greater security alone improves security for everyone without changing anything, when done right.
To reiterate what I’d like to see from Monzo. Proper 2FA on logins that doesn’t rely on the integrity of a third party service as a factorthatsnotreallyafactor. Keep the current magic two step setup if you have to, but give me an option to authenticate with something I have as well, like an authenticator app on my phone. The fallback for Face ID being something separate to my device passcode. Honestly, even just changing where you ask for the card PIN would improve things here. Use that as the fallback. The ability to override biometrics removes a factor of authentication, effectively making access single-step (the same something you know used twice). Granted, there’s still a second step to action stuff; that doesn’t safeguard against the massive privacy violation of someone gaining read-only access to my account.