Introducing Strong Customer Authentication: What you need to know

The app already has this. I don’t think anyone has any problem with that. I certainly don’t. Whereas the new Strong Customer Authentication flow, as described, will be randomly asking the user to confirm they are still the user. I can’t see how that adds extra security to that already there, only friction :man_shrugging:

1 Like
  • Enter your PIN when you log into Monzo on a new device

I’ve wanted something like this for a while. It’s unobtrusive, makes sense and provides genuine security. Email notifications and push notifications of new device logins would be great, too.

  • Prove your identity regularly in the app by entering your PIN, using Face ID or Touch ID on an iPhone, or your fingerprint on Android

I feel like this already exists where it’s needed, but it’s not a lot of friction - especially with biometrics. I imagine there will be a lot more 3D secure type prompts when buying things.

  • Regularly confirm that you want to keep using other apps with Monzo

I like this idea too. Google often prompt you to review your security, privacy and connected apps.

Will be interesting to see how this will actually be implemented in the next blog.

7 Likes

The law is quite clear here (well, as clear as legal text can be :sob:); it has to be at least every 90 days :slightly_smiling_face:

  1. For the purpose of paragraph 1, payment service providers shall not be exempted from the application of strong customer authentication where either of the following conditions is met:

(a) the payment service user is accessing online the information specified in paragraph 1 for the first time;

(b) more than 90 days have elapsed since the last time the payment service user accessed online the information specified in paragraph 1(b) and strong customer authentication was applied.

https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2018.069.01.0023.01.ENG&toc=OJ:L:2018:069:TOC#d1e661-23-1

11 Likes
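To make the quoted Article 10(2) rule concrete, here is an added example (my own illustration, not Monzo's code and not part of the original thread) of how a provider might decide whether SCA must be applied before showing account information. The 90-day window and the two triggers (first access, more than 90 days since the last SCA applied while accessing that information) come from the regulation text quoted above; everything else, including the `AuthState` shape, the device-enrolment check for the "new device" bullet, and the `count_payment_sca` switch that models the open question of whether a PIN entered for a transfer should reset the timer, is an assumption made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional, Set

# Article 10(2) RTS: the account-information exemption does not apply when
# (a) the user accesses the information online for the first time, or
# (b) more than 90 days have elapsed since the user last accessed it with
# strong customer authentication applied.
SCA_EXEMPTION_WINDOW = timedelta(days=90)


@dataclass
class AuthState:
    # Hypothetical per-user state kept by the provider (assumption, not a
    # description of any real bank's implementation).
    # Timestamp of the last SCA event applied while accessing account
    # information (Art. 10(1)(b) data); None means never.
    last_account_info_sca: Optional[datetime] = None
    # Timestamp of the last SCA event applied for a payment (e.g. PIN to
    # send a transfer); None means never.
    last_payment_sca: Optional[datetime] = None
    # Policy switch (assumption): whether a payment SCA also refreshes the
    # account-information timer. The quoted text ties the timer to SCA applied
    # when accessing the information itself, so the default is conservative.
    count_payment_sca: bool = False
    # Device identifiers that have already completed SCA (the "new device"
    # case from the blog bullet); assumption about how binding is tracked.
    enrolled_devices: Set[str] = field(default_factory=set)


def sca_required_for_account_info(state: AuthState, now: datetime,
                                  device_id: str) -> bool:
    """Return True if SCA must be applied before showing account data."""
    # A device that has never completed SCA always gets challenged.
    if device_id not in state.enrolled_devices:
        return True
    candidates = [state.last_account_info_sca]
    if state.count_payment_sca:
        candidates.append(state.last_payment_sca)
    last = max((t for t in candidates if t is not None), default=None)
    if last is None:
        return True                      # (a) first online access
    return now - last > SCA_EXEMPTION_WINDOW  # (b) strictly more than 90 days


def record_sca(state: AuthState, now: datetime, device_id: str,
               context: str) -> None:
    """Record a completed SCA; context is 'account_info' or 'payment'."""
    state.enrolled_devices.add(device_id)
    if context == "account_info":
        state.last_account_info_sca = now
    elif context == "payment":
        state.last_payment_sca = now
    else:
        raise ValueError(f"unknown SCA context: {context}")


if __name__ == "__main__":
    # Constructed walk-through, not captured from a real system.
    now = datetime(2019, 9, 14, tzinfo=timezone.utc)
    s = AuthState()
    print(sca_required_for_account_info(s, now, "phone-1"))   # True: new device
    record_sca(s, now - timedelta(days=91), "phone-1", "account_info")
    print(sca_required_for_account_info(s, now, "phone-1"))   # True: 91 days
    record_sca(s, now - timedelta(days=5), "phone-1", "payment")
    print(sca_required_for_account_info(s, now, "phone-1"))   # True: payment SCA not counted
    s.count_payment_sca = True
    print(sca_required_for_account_info(s, now, "phone-1"))   # False: timer refreshed
```

The boundary is deliberately "strictly more than 90 days", matching the wording "more than 90 days have elapsed"; a check written as `>=` would challenge a day early. Whether a payment PIN counts as "SCA applied while accessing the information" is an interpretation a provider has to settle with its regulator, which is why it is a switch here rather than a hard-coded answer.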

I know you’re joking around but I don’t think this is what anyone on the magic link thread wanted.

I love that I can just launch Monzo as easily as Mail or Safari. The issue with magic links is that they are an insecure way to initially log in to a device for the first time. I want the option to log in with a password on first install, but after that I never want to see another prompt.

To me this reads like EXACTLY what everyone on that thread wanted. More secure authentication when installing the app on a new device! And then sounds like it’ll just ask again every 90 days or so :man_shrugging: not the end of the world with that time frame.

3 Likes

I’m fairly vocal about all the things that I think Monzo get wrong, but despite the criticism I’m still “#FullMonzo” because there are (just about) enough redeeming features for me.

If logging in without security is really the only advantage that Monzo has over Starling then I’m fairly sure they should just shut up shop and move on right now.

1 Like

In the article it states that these changes will cover that too.

Yeah I saw that bit.

I can only speak for myself, but I want to enter a strong unique password on first login, not a 4 digit pin.

And after that I’m done. I don’t want any further authentication for launching.

So this doesn’t solve my issue and is worse for general usage too.

I give up… :pensive::gun:

10 Likes

90 days to provide authentication again is fine with me!

4 Likes

Yeah, that’s not too terrible. And I do hope that using your PIN to make a transfer, for example, resets that timer, so very few people will actually be forced to re-authenticate.

6 Likes

I thought that would be the way too, but I think the text above makes clear that it has to challenge access to any information and not just authenticate certain information/transactions. So simply seeing your transactions etc. would need a PIN or print etc.

Nooo don’t give up - they can just change their usage :rofl:

1 Like

What sort of challenge have you experienced with Google Pay? I don’t use it particularly often but am planning to use it more.

What commonly-misinterpreted financial reg does that concern?

:roll_eyes: you know exactly what we are saying, c’mon.

Monzo just has a decent track record of not overdoing it and actually thinking about usability when implementing security features (see login, 3DS, making payments).

4 Likes

Sorry. I genuinely really really don’t.

I asked a specific question related to this topic with particular reference to interpretation of regulation (e.g. GDPR, POE, PEP KYC). It’s as much about misinterpretation as tending toward “overdoing it”.

With respect, the things you have mentioned are not relevant. 3D Secure isn’t a response to regulation in the same way.

Monzo’s prior form regarding login and 3D secure tells me nothing about this which is why I’m asking.

What Alexs and myself have been talking about here is the general track record of not ‘overdoing it’. This is the part of your comment he quoted when replying, and this is what we are saying. You can bang on about actual laws and regulations, but we are just generally talking about not overdoing it in security, and I think it is perfectly fine and reasonable to extrapolate this to this new regulation.

2 Likes

Please refer specifically to what I wrote in my first post.

https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2018.069.01.0023.01.ENG&toc=OJ:L:2018:069:TOC#d1e661-23-1

Done.

1 Like