Magic login links, insecure?

I want my banking app to learn how I use it then query me for further verification if it doesn’t seem like it’s me.

I don’t want any security theatre.


Note that they would also need your PIN if they want to do anything with your money.

Edit: Not to excuse that they might be able to get in there and see what you’ve been spending on, what other services you use (although that would probably be already clear from email), or glean more info to break/engineer into other services.


I just want options, clearly some of you are in favour of magic links, and some aren’t.

Give me the option to secure my data and finances as I see fit.


Whilst I don’t feel that the login links are “incredibly insecure” I do agree that an email link alone should not verify a login to your bank. Sure, I also have MFA on my email, however, there are going to be a large number of people out there who do not, especially with the percentage of market share that Monzo are aiming for.

I feel they should offer various forms of MFA for your account, e.g. text message/one time password/other etc.


Magic links are incredibly convenient and I don’t feel it’s the method that is insecure, rather the destination that could be insecure. At the end of the day, it is the user’s responsibility to keep their accounts safe and secure.

However, perhaps this is where Monzo could step in from a social aspect and educate new customers about online security, email 2FA etc.

Your point is a valid one, but I feel that moving forward companies should work to educate users rather than design around naivety. Barclays is an example of this. They have run many campaigns on TV and billboards around Online Security and keeping your information safe 👏🏼


Perhaps Monzo could tell us how many accounts have been hacked through magic links? I doubt it is many.

1 Like

I think it’s probably more important for Monzo to teach users about 2FA on their email accounts. Ultimately email companies should be enforcing it as standard. If someone gets into your email they can get into a lot of things!
It’s surprisingly easy to reset a Lloyds online banking password with details that aren’t that difficult to get.


To add, it’s also important to remember the worst they can do is view your feed etc. No money can leave your account without Touch ID or your PIN being entered.


I assume most have email on their phones, if your phone is taken in a street mugging whilst you had it unlocked (not uncommon in London)… I’m pretty sure that you wouldn’t need any extra authentication to get into your mail app.

Either way, it’s not the security I want on my finances.


The obvious response is to use another bank that gives you what you want? FD have incredibly stupid amounts of security on theirs.


I never use my phone in the street when I’m in a city. Too risky

1 Like

I have to admit your replies are incredibly blunt and standoffish.

I’m asking for options to cater to the different people who want to use Monzo.

You seem to have a one size fits all approach, which I really don’t agree with.


I understand why it’s currently not the default. Having worked at a fruit stand tech support, I have seen many people enable 2FA and then get locked out because they didn’t understand what it meant and what they were doing. Emails are vital to a lot of people, as it’s the main form of account recovery for most online services and accounts. If you lock yourself out of your email, you are in for a tough time!

But you are asking for something based on no evidence whatsoever. That’s security theatre and I don’t need that kind of friction in my life.

You have stated ‘Magic login links are incredibly insecure’ - they are only as insecure as the person using them. I don’t want every provider to be legislating for stupidity.


What evidence do you want? Banks should have a proactive rather than reactive response.

I’m pretty bored of this now.


I want evidence that it is a problem - it takes effort that could be spent on other things to add security and it is a waste if it isn’t necessary.

If Monzo said 30% of our magic links are used maliciously, then I’d support them changing things. But if it’s a fraction of a percent then why bother?

(And I apologise if I seem blunt, blame the old age)


If the hacker were to get hold of your phone and find your email has no form of security on it, they still would not be able to do anything. Mobile payments and inter-bank transfers all require your Touch ID/ PIN, and they don’t have your card. Furthermore, if by some chance they took your wallet as well Monzo would refund the amount they fleeced you of.

Personally, I like the ease of a magic login link and the fact that I don’t have to have a password to open the app since I already have touch ID/ password on my mobile phone. I have used so many banks that required faffing about with tokens + PIN + password which made it extremely grating to use the app, or when they keep trying to time me out (which I’d imagine would go hand in hand if you want extra privacy options).

How do you propose this should change? Adding a bank token or an OTP via SMS? An additional password in-app?


There was a poll elsewhere on this forum that indicated around 60% of people use 2FA. And that’s 60% of people who use this forum, who arguably are more tech savvy than your average person.

That’s still over a third of all people who do not use 2FA who are at risk.

I accept the fact that they all need your PIN to move money etc, but I would still not be happy having my financial history available like that.

As many of you mentioned, you are happy with Magic Links; that is fine, you are entitled to be.

I was merely asking for options, perhaps at sign up whether we would like to use enhanced security with an additional password + magic link.

This is an ideas forum after all.


That it is Luke 🙂


Monzo are essentially telling you there’s no need for it. You trust Monzo to keep your money safe at their end, why don’t you trust Monzo to keep your money safe at your end?