How we upgraded 3D Secure

The merchant adoption is fairly low for now… But Mastercard is pressuring quite a bit - so by the same time next year hopefully you should expect everyone(ish) to be on it.
Mastercard has a decommission plan for v1, so they will have to move away at some point

Easiest way to tell is clicking on the “stripe validation” link on the blog and seeing if you can get a transaction into 3DS.
If the transaction goes through, it is reverted 7 days later.

Between people who don’t PIN-protect their phone, and people who do but allow SMS messages to be seen on the lock screen, I can understand why Monzo can’t trust SMS as a whole even if there may be cases where the user has fully secured their own SMS - while that may be the case, Monzo have no way of telling which camp you’re in.

3 Likes

While that is true, regulation forces us (or will force us) to provide several methods of authentication.

I’m not the best person to discuss the specifics of this topic, but an SMS on its own could be a valid authentication method (likely possession), however we still need an additional one (either knowledge or inherence) to comply with the SCA rules.

This is likely why some banks use an SMS + some form of password or biometrics.
When you authenticate in the Monzo app we use a combination of authentication methods that is SCA compliant.
I believe SMS is bound to disappear from 3DSv1 as the sole method of authentication in some time when the regulation is put in place, but again, I might not be the best person to discuss the specifics of this.

1 Like

Hi,
So my concern about removing SMS going forward is I’ve had issues recently with paying my credit card bill in the Credit card app trying to authenticate through the monzo app.
The issue is that because you have to leave the credit card app to get into the monzo app to authenticate, when you go back to the credit card app to continue, it’s reset the connection and you have to start again.
Ok - this isn’t specifically Monzo’s fault that the credit card company haven’t programmed their app properly to deal with this situation, but at the end of the day that doesn’t solve the issue that I’m left not being able to pay my bill because the two apps don’t work together.
It’s been 3 months since I last tried to pay and authenticate through the app - since then I’ve used the sms code so it might have been fixed (it’s a Capital One card btw if anyone else has one of those and has it working for them).
On the point of maybe letting the ‘seller’ app complete FaceID/Biometrics in that app and so Monzo letting it go through - that wouldn’t really work because there’s no specific link between the person on that account with the seller and the monzo bank account. Anyone could get my bank card, go to their Amazon account (for example) and use my card. As Amazon has authenticated that the account holder with them is the right person, that doesn’t mean that that person is authorised to use my account.
Would an option be to let us in the app ‘pre-approve’ certain merchants (maybe with a monthly cap) so I could go into my account and pre-approve Capital One so there’s no further challenges needed.

1 Like

Thanks for the feedback! And your suggestion at the end is a really good one, something we can explore in the future. We know mastercard is looking into adding similar functionality to what you described at the end, but I don’t think any parties are quite ready yet to have this implemented at the moment.

We are also aware of issues paying some credit cards, and as you said SMS is currently the only usable fallback we have. We’ve been recently in touch to get these companies to fix this issue on their side, which would be the ideal outcome, but this is a long process and won’t always be easy to get it sorted. Props to @arthur-ceccotti who’s been recently dealing with some of these to get it fixed on their apps!

We’ll keep an eye out for this issue.

4 Likes

Would it be possible to approve payments through the Apple Watch notification? I’m extremely lazy and it’s a shame to have to go get my phone off the charger next door when I was alerted to the check on my watch.

I suppose Monzo would like to be sure that it is actually me accepting on the watch and maybe that’s the issue.

Can’t you just buy your own charger instead of using next door’s? :clown_face: #sorrynotsorry

6 Likes

I suppose Monzo would like to be sure that it is actually me accepting on the watch and maybe that’s the issue.

Precisely. We cannot just rely on push notification actions for this (which is what powers the Apple Watch notification actions), which is why we all need to open the app.

1 Like

Do the notifications on the watch have to be the same as the ones on the phone? As the watch requires me to unlock it when I put it on (by code or unlocking my phone) isn’t that the same level of security that the monzo app has?

The watch does lock itself when removed too.

1 Like

I suspect the answer lies in the timing. The Monzo app wants to see a confirmatory action ‘now’ and in response to the 3DS prompt. It doesn’t allow you to rely on something you did hours ago when you turned the phone on.

Hmm, I guess, seems a shame seeing as we can be pretty sure the person wearing the watch is the person who unlocked it, even if it was hours ago.

As I understand it the Apple Watch notifications just mirror the iOS ones, so any actions you see in your watch are exactly the same ones you can get if you force touch the notification (or maybe long press in more recent versions of iOS). These are actions you can take in iOS without opening an app.

As far as I know we cannot provide more customisation in the Apple Watch notifications since we haven’t really developed anything Apple Watch specific. Everything you can see is a byproduct of the Apple Watch mirroring what we already do on your iPhone. This is likely the same on Android.

We require everyone to approve these challenges in the Monzo app due to various authentication methods we can only run while the app is open. It is unfortunate, I agree, but there isn’t much we can do here, especially with regards to the SCA regulation.

2 Likes

Is there any way to enable the authentication for every purchase? Like a ‘paranoid mode’…

No. It’s for the merchant to request. A customer enabling it wouldn’t achieve anything anyway (in terms of liability shift) so there would be absolutely no point.

1 Like

@Feathers on point. That’s exactly it! :open_hands:
Although as part of SCA (Strong Customer Authentication) regulations, we will have to start declining e-commerce transactions where the merchant never requested 3DS.
This effectively forces merchants to want to ask for 3DS every time. Bear in mind that doesn’t mean you will be challenged every time, as Monzo does its own risk assessment and can waive that (and take fraud liability).

1 Like
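The rules laid out in this post and in the earlier SCA reply (an SMS is one factor, a second factor from a different category is still required; transactions with no 3DS request get declined; the issuer's own risk assessment can waive the challenge and take the liability) can be written as a small issuer-side decision model. This is an added illustration, not Monzo's code; the factor labels, the factor-to-category mapping and the risk threshold are constructed assumptions.

```python
"""Issuer-side 3DS decision model, added to illustrate this thread's rules.
This is not Monzo's code; factor labels, category mapping and the risk
threshold are constructed assumptions."""
from dataclasses import dataclass

# SCA factor categories: knowledge, possession, inherence.  Mapping is assumed.
FACTOR_CATEGORY = {
    "sms_otp": "possession",         # code sent to the registered phone
    "password": "knowledge",
    "app_device_key": "possession",  # banking app bound to the enrolled phone
    "biometric": "inherence",
    "push_action": "possession",     # notification/watch action, app not opened
}


@dataclass(frozen=True)
class Decision:
    outcome: str                 # "decline", "frictionless", "challenge", "approve"
    issuer_takes_liability: bool


def sca_compliant(factors):
    """SCA needs two or more factors drawn from at least two categories,
    so SMS alone, or a push action alone, does not qualify."""
    categories = {FACTOR_CATEGORY[f] for f in factors}
    return len(set(factors)) >= 2 and len(categories) >= 2


def issuer_decision(merchant_requested_3ds, risk_score,
                    presented_factors=None, waive_below=0.2):
    """Model the flow described in the thread.

    risk_score: issuer's own fraud score in [0, 1] (assumed scale).
    presented_factors: factors the customer completed during the challenge,
    or None if the challenge has not been answered yet."""
    if not merchant_requested_3ds:
        # Under SCA, e-commerce transactions with no 3DS request are declined.
        return Decision("decline", False)
    if risk_score < waive_below:
        # Low risk: issuer waives the challenge and takes the fraud liability.
        return Decision("frictionless", True)
    if presented_factors is None:
        # Challenge pending: the customer must open the app to answer it.
        return Decision("challenge", False)
    if sca_compliant(presented_factors):
        return Decision("approve", True)
    return Decision("decline", False)
```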

Hi,

So is there a solution for me paying my credit card?

If sms will no longer be supported how else will I pay the bill?

Can you not pay by bank transfer instead of paying on the credit card app/site?

We’re hoping that by the time we have to remove SMS support from 3DSv1, the credit card providers will have updated their systems to 3DSv2 (which shouldn’t suffer from the same issues as 3DSv1 does with regards to app switching)

If that’s not happened, then we’ll look into alternative possibilities by then

6 Likes

On the rare credit card app that fails to do the payment process correctly I just log in via the website and do it that way instead