Monzo for Android - Beta Channel Changelog 🕵️‍♂️

SC95, why do you say the app isn’t secure enough? Things that are a significant security risk, like setting up new payments are protected by the card PIN to provide 2FA.

Wouldn’t it be a bit silly to then protect that same card PIN by only the app? I’m not saying the OnFido process is brilliant for this, the fingerprint verification on iOS is a much better option here, and I wish they’d gone that route on Android, but still… don’t take it as a sign the app isn’t secure enough. It’s secure enough for its function, but it isn’t secure enough to protect the card PIN since the card PIN then, in turn, protects functions requiring more security than the app alone.

I actually consider it very well-designed overall. It uses real security where needed, with none of the ridiculous security theatre most banks have. Great job, Monzo!

I have been against extra layers of security and have had a lot of arguments on this here so don’t think you got my point. I am saying it feels like Monzo don’t feel that App is secure enough hence these long-winded security and identity procedures.

I have found Monzo COps pretty rigid about these even when they don’t make sense so bit annoyed with my experiences these days with Monzo a bit.

1 Like

Sorry, I was referring more generally to people’s complaints the app isn’t secure enough. But, did you read what I wrote in detail? Basically, the app can’t protect the PIN because the PIN is used to protect things the app isn’t considered secure enough to protect. This is very reasonable.

I’m not saying OnFido is the right answer, I think they got this balance a lot better on iOS…

1 Like

I understand what you said and agree but like you said just don’t agree with the whole process they need to speed up Android development I guess it’s just is not pretty and necessary.

1 Like

I hope this is replaced with Fingerprint verification when it’s ready for Android. I hate taking selfies, let alone a selfie video. (Not to mention fingerprint is a lot faster).

1 Like

And cheaper for Monzo. I find it amazing they implemented it this way, there must be some concern with the Android biometrics API for them to not only hold it up this long, but to spend time implementing this…

2 Likes

Surely just enabling fingerprint/pin unlock on Android would be much easier?

3 Likes

You’d think so… the API doesn’t look that tricky to implement… Android 6.0 APIs  |  Android Developers

Exactly what I have been trying to make sense… But can’t WHY this why not just leave as it was and spend time on some other useful stuff like biometrics verification instead.

Then there is this fee Monzo have to pay for this service… We are being told topups cost Monzo, overseas withdrawals do as well, hence fees, but they are happy to spend on a pretty lame implementation for a PIN recovery :face_with_raised_eyebrow:

2 Likes

I’ve used a number of smaller company apps which have this. Even the much smaller Loot.io app has Android fingerprint unlock.

Agreed 100%, though PIN recoveries are, to be fair, quite rare things.

That’s what’s really confusing me… looking at the API documentation, it’s a seemingly simple thing to implement. Perhaps Monzo doesn’t trust it for some reason?

I’m sure there will be a reason, maybe relating to FCA approval.

Don’t forget development cost :robot:

That’s what I’m wondering. Technically, it’s seemingly far simpler than integrating the OnFido process.

The call to the OnFido process is, at least on the surface, a far bigger piece of development…

I think they’re planning the overall experience so just like Targets, they don’t want to build something then re-make it.

@SC95 OnFido was already developed as part of Account Verification, Fingerprints/PINs would be new.

Not really, it’s just an API call either way, and probably far more testing with the OnFido stuff… All the “new” bits - the actual PIN recovery screens and all that would be very similar.

What I mean is, they’ve programmed & tested OnFido integration, but not Fingerprints for Android. And Fingerprints are not universal.

Fingerprints not being universally supported is an issue, yes - but testing?.. I don’t see it. They have to test how either one behaves with the new PIN recovery screens anyway. Remember, they’re not writing a fingerprint auth system, just asking the one Google has given them to check a fingerprint.

I am not an expert, but don’t most biometric security implementations come with a fallback on a PIN or password, so if a phone doesn’t support biometrics it can automatically go onto PIN? I know, not too great, but most new Android phones now are equipped with biometrics.

3 Likes

The client-side API may be easy but we would need to rebuild a significant chunk of the service to support it. There are big changes to authentication and trusted devices coming to both platforms though! :lock:

As for the current PIN recovery flow, everybody is currently being put through the entire full flow every time. We will be iterating on this early next year but committed to shipping the very first version in Q4 2017 to comply with changes to PIN security requirements (from January, this system through the app will be the only way to retrieve your PIN, though there will be other verification options).

Additionally, there are a few assumptions in this thread that while it is not within my authority to call out specifically, are not true. :sweat_smile:

2 Likes