Apologies if someone suggested this already, but can someone explain what would be bad about the app requiring the magic link then your PIN to log you in? Seems like a simple way to improve this a lot without hoop jumping or having to remember more passwords.
I know it’s already required if you want to move money around, but simply being able to see someone’s transactions can tell you a lot about them that they might want to keep private (“oh look they went to a gay bar at 2am”).
If you then think about abusive partners/exes, who have a decent probability of having access to their email to begin with, Monzo’s awesome instant transaction notifications become a scary tool they could use to literally track them (“the [abusive expletive] is at a cafe, let’s pay her a visit…” etc). Yes the customer would be logged out, but it’s not like the app explains why that happens (I got logged out a few days ago and have no idea why), and the magic link makes it so easy to log back in I could imagine someone not thinking much about it.