Face ID implementation issue

(Frank) #1

So I was not looking at the phone when logging in so Face ID failed. Which is fine. But then I noticed there is no fall back. My only option is to log out. Was this the same scenario for Touch ID? And is this intentional as there could be many reasons why Face ID or Touch ID could not be used by the genuine account owner.

(Jami Welch) #2

Hey Frank,

Sorry you’re having troubles, thanks for reporting them.

When you say FaceID failed when you were logging in, do you mean opening the app after it’s been closed (but already signed in to), or do you mean after opening a Magic Link from your email?

If you lock the app behind Touch/FaceID, you should see the following screen when they don’t work.

Did you see this screen, just without the ‘Try again’ button?

(Jami Welch) #3

I found the issue, Frank. We’ve added it to our list of bugs to fix. Thanks again for flagging it to us :bowing_man:

(Frank) #4

Hi @Jami,

I think you missed my point. :slightly_smiling_face: Face ID failed correctly as I was not looking at the phone and have attention detection turned on (it detects if you are actually looking at the phone before unlocking even if the face matches correctly).

My concern was more around the scenario where you are not able to use Face ID after you have enabled it (say you are in an accident and your face no longer looks the same). For the phone itself this is simple, you fall back to your pin. But for the Monzo app you do not have a pin to fall back to. Only the option to log out and then start the process again to log in.

So I just wanted to confirm if this is actually the expected and correct behaviour? It seems overkill to have to follow these steps for what is an alternate log in solution as opposed to a replacement solution.

I hope this clarifies things, and if I helped find a bug I didn’t realise existed (you said you found something :grin:) well even better :ok_hand:t2:

(Hugh) #5

Surely the authentication API (which is what Monzo uses to handle touch/face ID) will fallback to device pin?

(Jami Welch) #6

Thanks for the further details, Frank.

The plan is to introduce a device PIN fallback when FaceID isn’t possible.

Security - it doesn't 'feel' secure
(Frank) #7

I am not sure there is any functionality that allows an app to fall back to the device pin? I believe this needs to be handled locally.

(Will) #8

It’s definitely possible - Outlook for iOS has a really good implementation of it. You’re right that most apps (in my experience anyway) just have a local backup pin.

(Frank) #9

Downloading (plus 20 chars)



(Frank) #11

So just tried outlook and yeah the fallback to device pin is pretty good. I guess the downside is if someone knows your device pin they could have access to all apps that implement this way. Plus side is you amend that pin it covers all apps. :thinking: