Feedback/Ideas around Fingerprint lock


#1

Android user here - there are two things that I feel could be improved around the Fingerprint lock:

1) Timeout for the lock - I used YNAB so sometimes switch between YNAB and Monzo whilst I am logging transactions. It gets a bit cumbersome to keep having to unlock Monzo with the fingerprint, even though I may only have been away from the app for around 10-20 seconds. It would be nice to have the option to set a period of time where the app stays unlocked before requesting a fingerprint again.

2) Backup unlock method - Sometimes I find that the fingerprint sensor on my phone doesn’t work too well if I’ve just had a shower. I encountered an issue this morning where I wanted to check my account but it took 5-6 attempts. A backup unlock option like some sort of PIN or password would be useful.


(Andre Borie) #2

The backup for Monzo at the moment is to just uninstall/reinstall the app and go through the usual “magic link” login flow.


#3

Same thing after having a bath, washing your kids’ hair, washing the car, washing up the plates and dishes, going swimming, having a jacuzzi, anything when your hands get wet. Fingertips change when very damp due to changing surface area. I could bore you with all the science behind it but that seems logical.


(Marcel Ruhf) #4

Totally agree with #2.
#1 is a bit controversial - others might argue that the 10s timeout is already too long


#5

If there was an option to choose the timeout in the settings then people can pick as they want. You need the card PIN to send payments anyhow.


(Kenneth C Lawrence) #6

I agree here, even my phone lockout lets me pick instant/ 5 seconds/ 10 seconds, etc.

I do find if I am flicking between apps, or accidentally close and reopen within a second, I need to re-verify.

I would support this option.


#7

Agree with this. A slightly longer lockout would be nice but not critical.

Backup entry method would be good but then again my phone already has that for login so it does reduce the overall security posture. Hard call.


(James Ellis) #8

Agree there needs to be backup entry to the app if the fingerprint scanner fails.
Could a PIN option be enabled on the unlock screen, e.g. the lock screen would have the fingerprint option as default but include a button which would then allow unlock with PIN?


(Tony Hoyle) #9

At the moment the fingerprint lock on Android doesn’t mark the activity as secure (FLAG_SECURE).

So all you have to do if you get hold of someone’s phone is to bring up the app switcher, and the Monzo screen is perfectly readable…


(Marcel Ruhf) #10

You can disable this by selecting “Hide Monzo from recent apps” in the account settings.
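
Added example, not part of the thread and not Monzo's code: a Kotlin sketch of the two behaviours discussed above, marking the window with FLAG_SECURE whenever the app lock is on (post #9) and a user-selectable relock timeout (posts #1 and #5). `AppLock`, `LockedActivity`, `showLockScreen` and the 10-second default are hypothetical names and values, and a single-activity app is assumed.

```kotlin
import android.app.Activity
import android.os.Bundle
import android.os.SystemClock
import android.view.WindowManager

// Hypothetical lock state, held in memory only, so a killed process
// always comes back locked.
object AppLock {
    var enabled = true          // fingerprint lock switched on by the user
    var graceMillis = 10_000L   // user-selectable; 0 relocks on every return
    private var unlocked = false
    private var leftAt = 0L

    fun markUnlocked() { unlocked = true }
    fun markLeft(now: Long) { leftAt = now }

    // True when the lock screen must be shown before any account data.
    fun mustReauthenticate(now: Long): Boolean {
        if (!enabled) return false
        if (unlocked && now - leftAt <= graceMillis) return false
        unlocked = false
        return true
    }
}

abstract class LockedActivity : Activity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        if (AppLock.enabled) {
            // Keeps the window out of screenshots and the recents thumbnail,
            // so the app switcher cannot be used to read around the lock.
            window.setFlags(
                WindowManager.LayoutParams.FLAG_SECURE,
                WindowManager.LayoutParams.FLAG_SECURE
            )
        }
    }

    override fun onStart() {
        super.onStart()
        // elapsedRealtime() is monotonic: changing the wall clock in system
        // settings cannot stretch the grace period.
        if (AppLock.mustReauthenticate(SystemClock.elapsedRealtime())) showLockScreen()
    }

    override fun onStop() {
        super.onStop()
        AppLock.markLeft(SystemClock.elapsedRealtime())
    }

    // Hypothetical: shows the fingerprint prompt and calls
    // AppLock.markUnlocked() on success.
    protected abstract fun showLockScreen()
}
```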


(Andre Borie) #11

If you get ahold of someone’s phone you can leave malware (as easy as opening a malicious APK from the web browser) on it and enjoy full remote access later on anyway.

I wish we would stop giving people false senses of security with in-app PINs and fingerprints and what not. If you give your unlocked device to a malicious person it’s game over, end of story.


(Tony Hoyle) #12

Well yes, but there’s little point in having a fingerprint lock if it can be bypassed by a single button press :stuck_out_tongue:

Might as well remove it, or simply use the feature that’s been in the OS forever.

I’m all in favour of removing all of this stuff but that takes education which isn’t going to happen in a hurry. I’m the first to say ‘treat your phone like your car keys’.


(Marcel Ruhf) #14

Not necessarily.
I use AppLock Pro, which I have set up as a Device Admin app, and it runs as a background service.
I have it set up to lock all apps, even ones I install now will be locked automatically.
Unknown sources are disabled, and it asks you to go to settings to allow unknown sources - which is fingerprint/PIN-protected. It’s either a 10-digit PIN, or my fingerprint. And you can’t just uninstall it, since the app is set up as a Device Admin app, so this must first be authorised by removing it as a Device Admin.

Now, I’m not under the illusion that my phone is safe from the sophisticated attackers - but I’ll at least make their lives a misery before they get in :smile:


(Andre Borie) #15

Does this protect against USB debugging?


(Marcel Ruhf) #16

Hmm probably not.
I’ve never tried - my phone didn’t come with a cable to connect to my laptop - just USB-C to USB-C (which I use to charge my phone). Will probably have to try that one when I get the time to look through my cables - there surely is a USB-C to USB connector somewhere, they’re so common nowadays.

That’s disabled by default though - just checked my settings.


(Andre Borie) #17

Yeah, but unless your solution prevents enabling it, a local attacker can just enable USB debugging in settings, connect it to a malicious device and drop the APK from there.


(Marcel Ruhf) #18

Well, settings itself is protected with a pin via AppLock, so unless they know my pin or the app is vulnerable, they won’t / shouldn’t (you never know for sure when it comes to cyber security, I guess) be able to gain access to that area.