I guess I’ve always thought it was a bit too discreet I guess. It’s a single line of text and a very subdued emoticon.
Particularly if it’s the first time I’m being asked to use 3DS from a new merchant I often miss tapping it before it disappears. I know it’s a very first world problem and it might just be me.
Personally I wouldn’t mind if the Monzo app just automatically opened when 3DS authentication was required and redirected after.
Maybe the notification just looks odd because I’m used to them having headers and actionable items?
Unfortunately there is no simple way to redirect you automatically to the Monzo app, without you explicitly clicking on the notification.
The 3DS flow actually increases the chances of customers abandoning the purchase altogether. Because it’s a bit inconvenient. Just like everything with security.
That’s why merchants don’t really like 3DS. But as of next year, everyone will need to be on it.
But regulations will remain as they are until both the end of the transition period (the end of 2020 as it stands) and action by the UK government to repeal or change them.
It’s part of PSD2.
Together with the whole contactless limits/authentication, it means that if someone steals your card, there will be very little they can do!
Good times to come. (at the cost of slight inconvenience)
Instead of redirecting, it would be intuitive if the notification was actionable without needing to open the Monzo app.
For example, my organisation use Okta Verify. I don’t need to open the app to authenticate, I can just pull down on the notification and click ‘Approve’, ‘Deny’ or ‘Open’ without removing focus from the browser challenge. The notification already has details of where I’m logging in from (it would be the merchant and amount in Monzo’s case), so I don’t need to open the app to see the same details to just press an approve button.
I’ve just thought… is this not possible because you need to verify your PIN actually?
Microsoft Authenticator also works like this, it’s really good.
For phones where access to notifications is behind some authentication, like modern iPhones with Face ID being required to view the content of notifications by default, it could work, but the problem is that not all phones consistently behave this way so Monzo can’t assume it. Therefore, they must require extra authentication.
You need to enter your PIN.
As part of the regulation we need at least two layers of authentication.
We rely on possession (i.e. access to your phone) and knowledge (knowing your PIN)/inherence (i.e. something that is unique about your body, such as Face ID).
That’s also why we will need to decommission SMS one-time passwords, as they only rely on possession.
This is why it’s annoying that there is no way for the Monzo app to somehow detect that it’s installed on an appropriately configured phone with Face ID required for notifications, as an interactive notification could then fulfil the two-factor requirement of 1) possession - the authenticated phone logged in to the Monzo app + 2) inheritance, where Face ID has been used to prove identity as, by definition, it wouldn’t otherwise be possible to press Accept on the notification if the phone required Face ID to view notifications.
I think this is possible? I can’t install work apps on my personal phone unless I have a secure lock on my phone. It detects this when I try to install them.
The only annoying thing with having to remove SMS is that currently some apps when making a payment cancel out that transaction when you move away from the screen to open Monzo to verify the payment. I have used SMS in the past to get around this, hopefully those apps will be updated to not follow the behaviour. I can’t remember what app it was either as I’ve not come across it since, either because I’ve moved off whatever app it was or I’ve set up a different payment option.
We’ve actually been in touch with one of these apps to get it resolved from their end. Unfortunately there isn’t much we can do, and they will soon have problems with all other banks, not just us.
This page is actually rendered using React, so the library automatically escapes script characters.
I’m still having a look to see if there are any merchants out there trying anything funny.