We’ve upgraded to the new version of 3D Secure. Backend engineer Arthur explains how we did it:
Very good, keep it up! Hope to hear more stuff about Monzo plus and pot hiding and sorting for iOS as well
The Monzo pop-up window now has native Android and iOS support or as a modal on your web-browser. This will make for better-looking and smoother mobile checkouts.
Is there a pic/screenshot of this?
This will depend on the SDK each merchant is using, as that’ll control the native layout. We do only have control over the contents of it (things like the logos and the actual text displayed), but not over the layout or colours they’re using.
This is different to the web flow, where we do have full control over how it’s displayed.
Great to see this keep up the good work.
Is there any change from a user’s perspective switching from v1 to v2? Or is it all mostly backend changes? I think I read that you’ve removed SMS confirmation, but that’s about it?
v1 still used App Based Verification I believe?
The web flow for 3DS2 feels mostly the same for customers, with the exception of the SMS confirmation which we removed and some tweaks to make it feel snappier.
For in-app native flows the only thing that changes with respect to the web flow is the page requesting that you approve the authentication in your Monzo app, which is now native.
The way you approve the challenges in the app is the same one as before.
The change is mandated from merchants. We can enable 3DS2 for customers, but at the end of the day this is a security measure merchants should be requesting. You can still get challenged with 3DS1 even if 3DS2 is enabled on your account.
Will we be able to approve with Face ID from the triggered iOS notification?
Not yet! But I don’t see why we wouldn’t be able to.
Watch this space
Will this stop me going to Monzo to approve the transaction then the web page I’m on my phone sometimes bugs out and declines or fails the payment… payment ends up getting taken twice as a result sometimes etc.
It would be very cool if this happened. A lot sleeker .
That’s answered here:
Then the Face ID replies directly above yours imply that you possibly won’t need to leave the app you’re purchasing from to approve transactions at some point in the future so less chance of bugging out.
Keep up the hard work Monzo
I have had in app notification fail, where SMS workd. How will this affect me when in-app approval fails due to poor network connectivity on my mobile device, but laptop may be connected.
Think paid hotspot, where mobile device is disconnected from data.
There is something that would be possible with the new 3DS spec, which is: the merchant can hint us that they have already performed some sort of identity check and we can decide to not challenge you on the app.
For example: if you logged in to Amazon via Face ID, Amazon will tell Monzo: “this is very likely the right person”, and Monzo may not bother you with a 3D Secure challenge.
We haven’t got this up yet though
You raise a good point. Unfortunately due to our risk assessment (and Strong Customer Authentication regulations) we can’t rely on SMS going forward.
If someone steals your phone, they can easily pay for an online transaction and make it through 3DS.
Whereas in-app they also need to know your PIN (knowledge + possession)
Understood, but they would also need my phone password and SIM pin.
Short of contacting my carrier to SIM swap which is also protected by a password this would fail…
Though not everyone protects their phone properly. They would need to steal someones card details and Phone.
Perhaps allow SMS + Memorable information?
Very interesting to hear more about 3DS and the move over to v2. I haven’t noticed anything different yet, but what’s the proportion of common sites encountered that are actually upgraded to v2 at the moment?