So the app logged me out this morning, not sure why, so I logged back in via the email sent to me and this is when I noticed the Touch ID security feature to enter the app was switched off. I have always kept this switched on previously.
I turned Touch ID back on, closed the app and tested this again. When prompted to unlock Monzo using Touch ID, I pressed cancel, and then log out. I then had to log back in via the email method, and again the Touch ID had been switched off.
Therefore just to make the Monzo security team aware, this Touch ID security layer to unlock the app can be fairly easily bypassed: if someone had access to your phone unlocked (I realise this is unlikely, but can happen), and is able to obtain your relevant email address (which is fairly easy by searching the phone’s mail settings).
Touch ID for payments being disabled is expected. That falls back to requiring the card PIN or identity verification through support to perform those tasks. It’s similar on a technical level to how your phone requires the full password/passcode to unlock the first time after reboot.
As for Touch ID to unlock the app… that’s one of many issues with this feature. As it stands, the app unlock feature is only suitable as a basic privacy barrier.
Another point just worth mentioning - apologies if it's already been mentioned - I found another scenario where you can bypass the Touch ID privacy layer.
Found on iOS 10.2.1 - iPhone 6s
1. Send money to a contact
2. Sleep your phone at the screen that asks to select a category
3. Reopen the app and the Touch ID modal will show with the previous screen visible behind
4. Click cancel - you can now interact with the whole app
As mentioned, this is only a privacy issue and you’re still required to authenticate with Touch ID when sending payments, but thought it was worth raising.