Magic Login Links are incredibly insecure


(Sarcasm is the finest form of wit.) #121

It would be great. For you.

I already trust and use Monzo :slight_smile:


((╯°□°)╯︵ ┻━┻) #122

If they get past the 2FA on my email account, crack the impossible password then steal my phone, then crack the password on that, then steal my fingerprint.

All without me locking out access to either my email, my phone or freezing my card.

Not an edge case? :roll_eyes:


(Jordan) #123

They’d have to steal my face for mine to go anywhere - Batman’s Killing Joke springs to mind :thinking::thinking:


(Sarcasm is the finest form of wit.) #124

OMG Have you never seen FaceOff? It’s possible! Bagsy my face is Nic Cage!


#125

It would be great. For you.

And indeed for anyone who might get their email address hacked in the future, and then suffers the pain of their financial data being sold. If it happens to just one customer, that’s one too many when it’s such an obvious fix.

If they get past the 2FA on my email account, crack the impossible password

Fantastic! :relaxed: You’re obviously a supporter of 2FA, and set strong passwords! (So long as it’s not 2FA backed by SMS mind?) Not everyone does though, as @gmclean said earlier, many people use crap passwords re-used everywhere. If it’s important for your email to have MFA, why not have Monzo do some basic MFA on sign-in too? Would that really hurt?


(Chris) #126

It’s not about trusting Monzo, it’s about trusting your email provider.

My email account is with Google, and it’s secured with an autogenerated password stored in a password manager, and 2FA. But Google still has access to the contents of my emails, so even with all the possible security in place, I can’t guarantee the privacy of my email account.


#127

Would only be on sign-in, could be as rudimentary as confirming your pin (though ideally something better), and wouldn’t affect anyone in their day-to-day usage of the application.

But straight away, your financial information is protected if your email account is breached, in whatever form.

Perhaps I’m missing something obvious, in which case my apologies - but why would you object to more security, when it’d affect you so rarely?


((╯°□°)╯︵ ┻━┻) #128

I don’t think anyone is objecting to it, they’re just saying it is in no way as big of a deal as you’re making it out to be.


(Joe) #129

I’d object to it. I hate apps asking for a password when I open them up, if Monzo did it I would be very unhappy. I have security on my phone, I have security on my email, I do not want to have to put in additional passwords for opening individual apps. I tried Dozens and that asks for a password on open, it’s annoying and makes you not want to open the app regularly, which is important for banking apps IMO.


#130

@ordog I think that’s maybe where we disagree then.

I’m of the belief that if just one customer has unauthorised access to their information using this route, then that’s a very big deal. If we knew of a vulnerability on our work platform, that could possibly allow access to just one customers information, we wouldn’t ignore it as it’s only one customer. It’d be lower priority than a major security issue of course, but it’d be higher priority than new features!

@joedmitchell - it wouldn’t be every time you open the app, only on initial sign-in, and only a second factor of some unknown kind (Pin/Card Number etc) before displaying your financial information.


(Marcel Ruhf) #131

It would only be used to sign into a new device though, not when opening the app after the fact, for which it already has fingerprint authentication.


(Jordan) #132

But doesn’t the App requiring my Face ID do this already? I’m not sure on the data but I think it would be MUCH harder to spoof my face than a PIN/Password?


#133

@JustJordds no unfortunately not. :disappointed_relieved: That only protects you after you’ve logged in (for example if you loose your phone).

It doesn’t prevent someone else from logging into your account on their own phone by having access to your email.

E.g. when you first login to Monzo on a device, Apple/Monzo don’t request your previous Face ID.


(Nick) #134

It’s a balance. Security versus friction.

Make things too secure, and people will either (1) not use the thing, or (b) find a work-around that negates any security gain.

I have an N26 account as well as a Monzo account. I no longer use my N26 account, in part because of the extra friction in accessing it. Having to enter a password every time I opened it was a pain. Being able to set a lock pattern was better, but that expired after I think 60 days, so was back to being functionally useless for me again.

For me, it comes down to the fact that I trust my phone security, and I trust my email security, so adding security to anything past that point is only adding friction to the experience for me, not any useful further security.


(Brexit Day Is Gonna Be Shamayzing.) #135


((╯°□°)╯︵ ┻━┻) #136

That’s fine we can disagree :slight_smile:

To avoid repeating what the majority of other people have said in this topic since July last year, we can leave this here :end:


#137

@holdencarver

Having to enter a password every time I opened it was a pain.

This I do very much agree on. I use Face/Touch ID for this and find it’s acceptable level of compromise.

To clarify - not suggesting a password/MFA everytime you open the app. Only on initial login, the first time you set it up on a device, there should be a second factor, of some kind.

@ordog

We can leave this here

Unfortunately, security is an ever evolving subject. I don’t feel it’s acceptable to just “leave it here” simply because it was discussed before last year. If you don’t wish to discuss it again, please don’t feel obliged. :relaxed:


(Jordan) #138

Okay, taking that on board (I’ve not as yet lost my phone so this hasn’t been a problem) as a “middle ground” could something akin to Google’s “you recently signed in on X device” not work rather than a change in the security flow?


#139

something akin to Google’s “you recently signed in on X device”

Yea that would be a big help / get my vote too! :relaxed:


((╯°□°)╯︵ ┻━┻) #140

That’s what I meant.

If my comments and all those from everyone else can’t convince you otherwise, then we’re at a lost cause. It’s perfectly fine to have a different opinion because if we all thought the same then the world would be a very boring place :slight_smile:

On that note, I’m out. * mic drop * :sunglasses: