I notice on the iOS version of the Monzo app that Touch ID is optional, so if switched off by the user, the app has no authentication. Will this have to change to be PSD2 compliant? Even with fingerprint auth this is still only 1-factor authentication and PSD2 mandates two factor.
In contrast, my firstdirect banking app has fingerprint auth plus phone registration - I need to have my phone and my fingerprint to log in, and so it appears to be two-factor and seemingly PSD2 compliant.
Yes, device registration would be a second factor, but I can't remember whether or not I had to register my device when I signed up. If so, then Monzo would appear to be compliant except when TouchID is disabled by the user? I guess it's the optional piece that's confusing me.
That's a privacy feature, as opposed to a security feature - you're required to complete additional verification, e.g. enter your card's PIN or CVV, before you can remove money from the account.
But the phone itself is only one 'element'; under PSD2 the customer has to be authenticated using at least 2 elements, at least every 90 days, before seeing their account information. Not sure how they will do this without making PIN/biometric mandatory…
Or your email from which they can take over all your accounts by doing a password reset. Plus they even have your phone number to answer any security challenges or get 2FA texts.
So, I use Airmail on iOS which can let me require TouchID or a PIN.
My 2fa is also behind a PIN.
My old texts are on rolling delete. And I browse the web through my password manager anyway.
Most of the apps that don't require something extra are games on my phone.
I used to be an app developer; people borrowed my phone all the time.
There's information on the home screen of Monzo I wouldn't want some people knowing: salary, overdraft state, I might need to buy stuff for private medical things…
I mean, if you're happy to type & remember PINs all over the place it's your call. I would consider that extremely paranoid (and I consider myself paranoid, but this is a whole new level IMO).
But my argument is that we should let people decide for themselves what kind of security they want, and not perpetuate the myths of bullshit legacy-bank-grade security theatre (it's even counter-productive because it gives a false sense of security; I've seen idiots installing all kinds of malware and saying "but my bank had a PIN so it's secure, right?").
If people still decide to enable fingerprint/PIN after this then it's their choice, but it needs to be an informed decision, not "well, every other shit bank does it so I must do it, right?", and it should be made clear that protection on the app is not a silver bullet and you're still vulnerable if your device is compromised.
I used to be an app developer; people borrowed my phone all the time.
Maybe you're trying to use the wrong tool for the job and expect everyone to conform to your use-case? You're using a single-user operating system as a multi-user one… no wonder not all apps support (nor plan to support) this by offering in-app PINs & whatnot. Not to mention, at the end of the day, this is still a fairly narrow use-case and not everyone (maybe less than 1%) of Monzo's user-base routinely gives away their phone as a test device to debug apps on.
I use Airmail on iOS
Unrelated, but check it against email privacy tester and enjoy the carnage. Last time I checked it was vulnerable to Javascript execution inside emails.
The rules for PSD2 aren't optional though, so any bank with a current account will have to comply, and they say that to access your full account information (i.e. more than just a balance and recent transaction history) they have to 2FA the customer. So Monzo will surely have to put some form of 2FA in place somewhere, either when opening the app or when going further than a very basic first page?
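To make the "two elements, at least every 90 days, basic balance/transactions exempt" rule discussed in the posts above concrete, here is a small policy check written for this thread (example code, not Monzo's or any bank's implementation). It assumes the usual PSD2 categorisation of elements into knowledge, possession and inherence, and maps the elements mentioned in the thread (Touch ID, a registered phone, a card PIN, a card tapped via NFC) onto those categories as a constructed example; two elements from the same category do not count as strong authentication under that model.

```python
from datetime import datetime, timedelta
from enum import Enum


class Factor(Enum):
    # SCA element categories: something the user knows, has, or is.
    KNOWLEDGE = "knowledge"    # card PIN, app passcode
    POSSESSION = "possession"  # registered phone, physical card tapped via NFC
    INHERENCE = "inherence"    # fingerprint (Touch ID)


# Assumed mapping of the elements mentioned in the thread onto categories.
ELEMENTS = {
    "touch_id": Factor.INHERENCE,
    "registered_device": Factor.POSSESSION,
    "card_nfc_tap": Factor.POSSESSION,
    "card_pin": Factor.KNOWLEDGE,
}

SCA_VALIDITY = timedelta(days=90)            # the 90-day window from the posts
BASIC_SCOPES = {"balance", "recent_transactions"}  # exempt while a recent SCA is valid


def is_strong_auth(elements):
    """True only if the presented elements span at least two *different* categories."""
    categories = {ELEMENTS[e] for e in elements}   # KeyError for an unknown element
    return len(categories) >= 2


def sca_required(scope, last_sca, now):
    """Basic scopes ride on an SCA performed within the window; anything else needs fresh SCA."""
    if scope not in BASIC_SCOPES or last_sca is None:
        return True
    return now - last_sca > SCA_VALIDITY


def authorise(scope, elements, last_sca, now):
    """Decide access for `scope`; returns (allowed, updated last_sca timestamp)."""
    if not sca_required(scope, last_sca, now):
        return True, last_sca              # still inside the 90-day exemption
    if is_strong_auth(elements):
        return True, now                   # fresh SCA performed, window restarts
    return False, last_sca                 # one category only: not strong authentication
```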
I remember something about android users being able to activate their cards using NFC. Would this be valid as a form of 2FA, having the card and phone alongside each other?