The law is quite clear here (well, as clear as legal text can be); it has to be at least every 90 days
For the purpose of paragraph 1, payment service providers shall not be exempted from the application of strong customer authentication where either of the following conditions is met:
(a) the payment service user is accessing online the information specified in paragraph 1 for the first time;
(b) more than 90 days have elapsed since the last time the payment service user accessed online the information specified in paragraph 1(b) and strong customer authentication was applied.
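As an added illustration (not code from the thread or from Monzo), the quoted rule can be modelled as a small re-authentication policy: SCA is required on first online access, or when more than 90 days have passed since the last information access at which SCA was applied. The class and method names and the timeline are assumed for the example.

```python
from datetime import datetime, timedelta

# Window from the quoted text: SCA may be skipped for information access only
# when no more than 90 days have elapsed since the last SCA-protected access.
REAUTH_WINDOW = timedelta(days=90)


class AccountAccessPolicy:
    """Per-user record of the last information access where SCA was applied."""

    def __init__(self, window=REAUTH_WINDOW):
        self.window = window
        self.last_sca = {}  # user_id -> datetime of last SCA-protected access

    def requires_sca(self, user_id, now):
        last = self.last_sca.get(user_id)
        if last is None:
            return True  # condition (a): first online access of the information
        return now - last > self.window  # condition (b): more than 90 days elapsed

    def record_access(self, user_id, now, sca_applied):
        # Only an access at which SCA was actually applied resets the clock;
        # an exempted (no-SCA) access leaves the previous timestamp in place.
        if sca_applied:
            self.last_sca[user_id] = now


def demo_timeline():
    """Constructed timeline: returns the SCA decision at each access."""
    policy = AccountAccessPolicy()
    t0 = datetime(2019, 9, 14)
    decisions = []
    # Day 0: first access -> SCA required, and applied.
    d = policy.requires_sca("user1", t0)
    decisions.append(d)
    policy.record_access("user1", t0, sca_applied=d)
    # Day 45: exempted access; does not reset the clock.
    d = policy.requires_sca("user1", t0 + timedelta(days=45))
    decisions.append(d)
    policy.record_access("user1", t0 + timedelta(days=45), sca_applied=d)
    # Day 90: exactly 90 days is not "more than 90", so still exempt.
    d = policy.requires_sca("user1", t0 + timedelta(days=90))
    decisions.append(d)
    # Day 91: clock since day 0 exceeded -> SCA required again.
    d = policy.requires_sca("user1", t0 + timedelta(days=91))
    decisions.append(d)
    return decisions
```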
I know you’re joking around but I don’t think this is what anyone on the magic link thread wanted.
I love that I can just launch Monzo as easily as Mail or Safari. The issue with magic links is that they are an insecure way to initially log in to a device for the first time. I want the option to log in with a password on first install, but after that I never want to see another prompt.
To me this reads like EXACTLY what everyone on that thread wanted. More secure authentication when installing the app on a new device! And then it sounds like it’ll just ask again every 90 days or so; not the end of the world with that time frame.
I’m fairly vocal about all the things that I think Monzo get wrong, but despite the criticism I’m still “#FullMonzo” because there are (just about) enough redeeming features for me.
If logging in without security is really the only advantage that Monzo has over Starling then I’m fairly sure they should just shut up shop and move on right now.
Yeah, that’s not too terrible. And I do hope that using your PIN to make a transfer, for example, resets that timer, so very few people will actually be forced to re-authenticate.
I thought that would be the way too, but I think the text above makes clear that it has to challenge access to any information and not just authenticate certain information/transactions. So simply seeing your transactions etc. would need a PIN or print etc.
Monzo just has a decent track record of not overdoing it and actually thinking about usability when implementing security features (see login, 3DS, making payments).
I asked a specific question related to this topic with particular reference to interpretation of regulation (e.g. GDPR, POE, PEP KYC). It’s as much about misinterpretation as tending toward “overdoing it”.
With respect, the things you have mentioned are not relevant. 3D Secure isn’t a response to regulation in the same way.
Monzo’s prior form regarding login and 3D secure tells me nothing about this which is why I’m asking.
What Alex and I have been talking about here is the general track record in not ‘overdoing it’. This is the part of your comment he quoted when replying, and this is what we are saying. You can bang on about actual laws and regulations, but we are just generally talking about not overdoing it in security, and I think it is perfectly fine and reasonable to extrapolate this to this new regulation.
Things that it seems others will be concerned about are Article 11(b):
Payment service providers shall be allowed not to apply strong customer authentication, subject to compliance with the requirements laid down in Article 2, where the payer initiates a contactless electronic payment transaction provided that the following conditions are met: the cumulative amount of previous contactless electronic payment transactions initiated by means of a payment instrument with a contactless functionality from the date of the last application of strong customer authentication does not exceed EUR 150; or
I’m concerned with the bits that are widely open to interpretation as it gives a lot of leeway. e.g. Article 2(2):
typical of the payment service user
and
abnormal use of the access device or the software
Also in Article 18(2):
abnormal location of the payer;
high-risk location of the payee.
Many of the issues can be effectively overcome with an appropriate interpretation of Article 18(3):
the previous spending patterns of the individual payment service user
This section is also key to variable implementation:
Where, on the basis of the real-time transaction risk analysis, a payment cannot be qualified as posing a low level of risk, the payment service provider should revert to strong customer authentication. The maximum value of such risk-based exemption should be set in a manner ensuring a very low corresponding fraud rate, also by comparison to the fraud rates of all the payment transactions of the payment service provider, including those authenticated through strong customer authentication, within a certain period of time and on a rolling basis.
There can (and will) be a lot of variation in how these terms are used in practice (not equivalent to the exemption threshold value table in the annex).
This is specifically why I asked about prior examples of interpreting legislation and why it would be helpful to hear Monzo’s proposal in more detail regarding terms such as this in the instrument @Roxy