Enabling FaceID surely makes Monzo less secure, not more?

I received the attached email earlier today. I deliberately do not have FaceID enabled because of the following:

  • When FaceID fails it degrades back to your iPhone passcode, i.e. you can overrule FaceID with a passcode.

  • This means that, in the doomsday scenario of someone having access to my phone and the passcode (either by looking over my shoulder when I enter my passcode or, more likely, mugging me and asking me for it, which is fairly common), they can not only access my phone but they can make payments out of Monzo, because they can use the passcode to overrule FaceID.

  • But, if you still require use of your PIN, you have a second layer of security.

Am I missing something here? If not, why is Monzo encouraging the use of FaceID when you could argue it makes your account less secure? Or are these communications actually coming from the product side of the business, which presumably is more interested in faster payments (typing in your PIN is a pain!), rather than account security?

You can’t make payments with the phone PIN, only with FaceID or the Monzo PIN, so no, someone having your phone PIN does not let them empty your account.

FaceID is more secure because it stops people getting your PIN (either of them) by shoulder surfing.

If you’re watching someone enter their PIN multiple times, the odds are good that you can work out what it is.

If all the bad actor sees is you looking into the camera, that’s no help to them at all.

2 Likes

Thanks. But if FaceID fails, doesn’t it then ask you for your phone passcode? Or are you saying that in Monzo, if FaceID fails it requires your Monzo PIN, and doesn’t allow the use of your phone passcode?

If FaceID fails then someone would still need your Monzo card PIN to make any transfers.

FaceID is pretty hard to fool; it’s certainly one of the better biometric lock tools on phones.
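
The fallback behaviour debated in this thread comes down to which LocalAuthentication policy an iOS app requests. The sketch below is an added example, not part of any post and not Monzo's code: it shows a biometrics-only check that never accepts the device passcode and hands every failure to the app's own PIN screen. `authorisePayment` and `AuthOutcome` are hypothetical names.

```swift
import Foundation
import LocalAuthentication

/// What the app should do after a Face ID attempt (illustrative type).
enum AuthOutcome {
    case approved        // biometric match
    case requireAppPIN   // show the app's own PIN screen (not the device passcode)
    case cancelled       // user or system dismissed the prompt
}

/// Biometrics-only authorisation: the device passcode is never accepted here.
func authorisePayment(reason: String,
                      completion: @escaping (AuthOutcome) -> Void) {
    let context = LAContext()
    // Label for the fallback button. Tapping it returns .userFallback to the
    // app, which then decides what to ask for.
    context.localizedFallbackTitle = "Enter app PIN"

    // .deviceOwnerAuthenticationWithBiometrics: Face ID / Touch ID only.
    // .deviceOwnerAuthentication would let iOS fall back to the device
    // passcode, which is the scenario the original question worries about.
    let policy = LAPolicy.deviceOwnerAuthenticationWithBiometrics

    var error: NSError?
    guard context.canEvaluatePolicy(policy, error: &error) else {
        // Biometrics unavailable, not enrolled, or locked out.
        completion(.requireAppPIN)
        return
    }

    context.evaluatePolicy(policy, localizedReason: reason) { success, err in
        let outcome: AuthOutcome
        let code = (err as? LAError)?.code
        if success {
            outcome = .approved
        } else if code == .userCancel || code == .systemCancel || code == .appCancel {
            outcome = .cancelled
        } else {
            // .userFallback, .biometryLockout, .authenticationFailed, ...
            outcome = .requireAppPIN
        }
        // The reply block runs on a private queue; hop back for UI work.
        DispatchQueue.main.async { completion(outcome) }
    }
}
```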