Magic login links, insecure?

So theoretically speaking a banking company should be secure by nature.

Say my email gets hacked, or social engineered, etc etc.

It would take 10 seconds to search for “Monzo” in my email app and deduce that I do in fact use Monzo.

Now they would only need to download the app, and enter my email address, generate a magic link and they have full access to my bank account.

What was wrong with passwords, or 2FA, or even passwords and then magic links to verify? Magic links are not secure on their own and incredibly dangerous.


How does your email get hacked if you have 2FA on it?


Not mine, but I know plenty who don’t use 2FA.

A banking company should not assume that everyone uses 2FA on their email, but should definitely enforce it on their banking app.


I couldn’t agree less


Agree with @DaveTMG. No point having 2FA on every service if I can simply have it on my email, which stores all my accounts.

This whole “memorable word” and “2FA” for banks is just a security theatre. If someone has a capability to hack you, these won’t save you.


I want my banking app to learn how I use it then query me for further verification if it doesn’t seem like it’s me.

I don’t want any security theatre.


Note that they would also need your PIN if they want to do anything with your money.

Edit: Not to excuse that they might be able to get in there and see what you’ve been spending on, what other services you use (although that would probably be already clear from email), or glean more info to break/engineer into other services.


I just want options, clearly some of you are in favour of magic links, and some aren’t.

Give me the option to secure my data and finances as I see fit.


Whilst I don’t feel that the login links are “incredibly insecure” I do agree that an email link alone should not verify a login to your bank. Sure, I also have MFA on my email, however, there are going to be a large number of people out there who do not, especially with the percentage of market share that Monzo are aiming for.

I feel they should offer various forms of MFA for your account, e.g. text message/one time password/other etc.


Magic links are incredibly convenient and I don’t feel it’s the method that is insecure, rather the destination that could be insecure. At the end of the day, it is the user’s responsibility to keep their accounts safe and secure.

However, perhaps this is where Monzo could step in from a social aspect and educate new customers about online security, email 2FA etc.

Your point is a valid one, but I feel that moving forward companies should work to educate users rather than design around naivety. Barclays is an example of this. They have run many campaigns on TV and billboards around Online Security and keeping your information safe.


Perhaps Monzo could tell us how many accounts have been hacked through magic links? I doubt it is many.


I think it’s probably more important for Monzo to teach users about 2FA on their email accounts. Ultimately email companies should be enforcing it as standard. If someone gets into your email they can get into a lot of things!
It’s surprisingly easy to reset a Lloyds online banking password with details that aren’t that difficult to get.


To add, it’s also important to remember the worst they can do is view your feed etc. No money can leave your account without Touch ID or your PIN being entered.
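As an added illustration of the split the post above describes (a magic link alone yields a read-only session; moving money needs a PIN), this example models a single-use, expiring login token and a short-lived PIN step-up. It is constructed example code, not Monzo’s implementation; the function names, time limits and the sample account are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stores (assumption: a real service would use a
# database and a proper password hasher such as argon2 for the PIN).
MAGIC_LINK_TTL = 15 * 60   # a link stops working after 15 minutes
STEP_UP_TTL = 5 * 60       # a PIN check elevates the session for 5 minutes
_pending_links = {}        # sha256(token) -> (email, expiry timestamp)
_sessions = {}             # session id -> {"email", "elevated_until"}
_pin_hashes = {"alice@example.com": hashlib.sha256(b"1234").hexdigest()}  # constructed account


def _h(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


def issue_magic_link(email: str, now: float = None) -> str:
    """Mint a random single-use token; only its hash is stored server-side."""
    now = now or time.time()
    token = secrets.token_urlsafe(32)
    _pending_links[_h(token)] = (email, now + MAGIC_LINK_TTL)
    return token  # this is what would be emailed to the user


def redeem_magic_link(token: str, now: float = None):
    """Trade a valid token for a read-only session id; None if unknown, used or expired."""
    now = now or time.time()
    entry = _pending_links.pop(_h(token), None)  # pop makes the token single-use
    if entry is None or now > entry[1]:
        return None
    sid = secrets.token_urlsafe(32)
    _sessions[sid] = {"email": entry[0], "elevated_until": 0.0}
    return sid


def view_feed(sid: str):
    """Read-only action: allowed for any live session."""
    s = _sessions.get(sid)
    return f"feed for {s['email']}" if s else None


def step_up_with_pin(sid: str, pin: str, now: float = None) -> bool:
    """Constant-time PIN check; success elevates the session for STEP_UP_TTL seconds."""
    now = now or time.time()
    s = _sessions.get(sid)
    if s is None:
        return False
    ok = hmac.compare_digest(_h(pin), _pin_hashes.get(s["email"], ""))
    if ok:
        s["elevated_until"] = now + STEP_UP_TTL
    return ok


def make_payment(sid: str, amount: int, now: float = None) -> bool:
    """Money movement: refused unless the session is currently elevated."""
    now = now or time.time()
    s = _sessions.get(sid)
    return bool(s and amount > 0 and now <= s["elevated_until"])
```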


I assume most have email on their phones, if your phone is taken in a street mugging whilst you had it unlocked (not uncommon in London)… I’m pretty sure that you wouldn’t need any extra authentication to get into your mail app.

Either way, it’s not the security I want on my finances.


The obvious response is to use another bank that gives you what you want? FD have incredibly stupid amounts of security on theirs.


I never use my phone in the street when I’m in a city. Too risky


I have to admit your replies are incredibly blunt and standoffish.

I’m asking for options to cater to the different people who want to use Monzo.

You seem to have a one size fits all approach, which I really don’t agree with.


I understand why it’s currently not the default. Having worked at a fruit stand tech support, I have seen many people enable 2FA and then get locked out because they didn’t understand what it meant and what they were doing. Emails are vital to a lot of people, as it’s the main form of account recovery for most online services and accounts. If you lock yourself out of your email, you are in for a tough time!

But you are asking for something based on no evidence whatsoever. That’s security theatre and I don’t need that kind of friction in my life.

You have stated ‘Magic login links are incredibly insecure’ - they are only as insecure as the person using them. I don’t want every provider to be legislating for stupidity.


What evidence do you want? Banks should have a proactive rather than reactive response.

I’m pretty bored of this now.