[Poll] Help us make a decision on PIN unlocking! ✍️

Why don’t you have random questions such as “You have a direct debit with which of these companies?” or “You have your salary paid by which of these companies?” and have a list of answers. Nothing ridiculous like “you spent 1.50 in 2016 where”, etc.

Although only you would know this info, I can imagine it would take a while to log in if you were in a rush?

1 Like

I doubt it - for a question that pops up instantly it wouldn’t take any time to answer it.

Imagine if it said: Which of these companies do you have a direct debit with?

  • 3
  • O2
  • Vodafone

It would probably take you less time to tap the answer than entering a PIN would

I have one with each of them, ha ha!!

2 Likes

True! For some reason I was thinking you’d have to type the answer. Maybe a 33% / 1-in-3 chance of getting in, though, isn’t the most secure unless they ask more than one question. I guess it’s personal preference; it could work!

1 Like

Questions like that are very easy to bypass with a bit of research on social media. Not to mention for the “phone network” question you can just look at the carrier name displayed on the phone itself.

2 Likes

Yeah, that one might not be so secure, didn’t think of that :joy:

Not that I forget PINs, but I find having disparate ones an annoyance. Just like with passwords, I much appreciate it when a company comes up with a better way to authenticate.

1 Like

Well. I think it certainly needs to be offline accessible, surely, so Option 1 is out? Option 2 sounds great, but then you do have potential security/usability issues.

I would say Option 3 has to be the way. Help people distinguish by not relying on anything numerical as well (which could cause confusion between PIN, passcode and app unlock code). Perhaps a pattern unlock à la Android phones?


8 Likes

I think Google would have something to say about that though

1 Like

The second option is really the only option as far as I can see. I don’t agree that most people can’t remember more than one PIN, especially as people have multiple cards, and some people have a PIN unlock on their phone etc., so they have multiple PINs to remember already.

I think restricting it to online access would be a bad idea especially for people who don’t get consistent mobile data and or broadband (a fair chunk of the country).

The PIN being the same as your card also doesn’t seem very secure to me, as if this option were chosen and publicised, it would make it very easy for someone to get into your account if they gained access to your phone and knew your PIN number.

Although, in all honesty, I don’t see an extra PIN as being necessary anyway. Just don’t give your phone out to people you don’t trust, and if your phone gets stolen then you can just get Monzo to freeze your account for you.

Didn’t realise Google had patented that! However, I still think having something non-numerical so that it would be easier for the majority to distinguish what the app was asking them for is a better way.

I won’t use this feature, but if I were forced to I would use the same PIN as my card, though Touch ID would be better.

I’d quite like the option for a password, passcode/PIN (any length: yes, it’ll probably be a ‘PIN’, but refer to it as ‘Account Passcode’ and have the card have a ‘Card PIN’, and hopefully people won’t set them to be the same) and/or NFC authentication with YubiKeys (or similar) or the registered Monzo card for Android phones.

I’ll be interested in how this will work security-wise as well. If someone gets my phone and all they need to do is uninstall Monzo and reinstall it to bypass the security lock (they’ll have access to my email on the phone), it’s a little bit silly…

I’ve voted for ‘Option two: use a different PIN/offline access’ (how much can you actually ‘do’ in the app offline, though?), and would vote down ‘Option one: using the same PIN as your Monzo card’ in an instant, as the only thing stopping people setting up new payments is the card PIN, and if you have to enter it regularly to access the app, urgh. My Revolut ‘app access code’ is different from my Revolut PIN (and my phone is secured by a third ‘access code’), so why can’t that be the case for Monzo?

1 Like

For iOS users… another vote for the phone’s built-in passcode here. If someone is not using biometrics, they are more likely to be using the phone’s default passcode option for security. The advantages, as stated multiple times, are not having to remember a PIN solely for the Monzo app and of adhering to basic standards on the phone which are familiar to all iOS users.

The Android implementation should probably follow whatever the default conventions are there as well.

3 Likes

I’ll never use it, but I guess Option 2 would be the best out of those, although it carries the risk of people using their card PIN or a similar variant that just makes them more vulnerable.

I think people need to remember that this would only really increase your privacy should you let others use your phone and not necessarily the security of your account. Merely accessing the Monzo app only really provides read-only access at the moment (and pot transfers), your card PIN/fingerprint/face and other forms of verification are required to do anything like move money out.

I also hope people who rely on actually using the extra privacy methods as security use similar methods for their email app; otherwise you could easily bypass this with possession of the unlocked phone… But still, they would only get read-only access.

I do understand the demand for things like this: privacy options for those unable to use the existing methods of biometrics. But it also makes apparent people’s desire to ‘feel’ secure whilst adding potentially unnecessary steps and friction.

2 Likes

On Android I’m sure you could authenticate by asking for the device PIN/password.

But my preferred option would be to have a new PIN/password code.

I think it is a significant additional risk to use your card PIN in the app, as this can be viewed over the shoulder much more easily than at a cash machine/POS terminal.

Alternative: when setting the PIN lock up, check the entered PIN with the server. If it’s the same as your card PIN, then alert the user that they won’t be able to use the app offline if they want the “mental convenience” of the same PIN, but they can if they use a different PIN instead?

You could probably game this approach by changing your card PIN to something else, setting the app PIN to your old PIN, then changing your card PIN back.
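The two posts above describe a server-side “don’t let the app PIN equal the card PIN” check and a way to game it (change the card PIN, set the app PIN to the old value, change the card PIN back). The toy model below is an added example, not Monzo’s code or anything from this thread: it replays that sequence against the check as proposed and against a hardened variant. The hardened variant is an assumption of mine and adds two things the thread does not mention: it remembers the hashes of recent card PINs, and it refuses a card PIN change that would collide with the current app PIN. Only salted hashes are kept and all comparisons are constant-time; a real bank would hold card PINs in an HSM rather than in application memory.

```python
import hashlib
import hmac
import os


class PinReuseChecker:
    """Toy server-side model of an 'app PIN must differ from card PIN' rule.

    hardened=False: the check as proposed in the thread (compare the
    candidate app PIN with the *current* card PIN only).
    hardened=True (assumed extension): also compare against recent card PIN
    hashes, and block a card PIN change that would collide with the app PIN.
    """

    def __init__(self, card_pin: str, hardened: bool = False, keep: int = 5):
        self._salt = os.urandom(16)          # per-account salt
        self._hardened = hardened
        self._keep = keep                    # how many old card PIN hashes to remember
        self._card = self._digest(card_pin)
        self._recent = [self._card]          # most recent first
        self._app = None                     # no app PIN set yet

    def _digest(self, pin: str) -> bytes:
        # Slow, salted hash so a stolen database does not leak 4-6 digit PINs trivially.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 50_000)

    def set_app_pin(self, pin: str) -> bool:
        """Accept the app PIN unless it matches a blocked card PIN hash."""
        h = self._digest(pin)
        blocked = self._recent if self._hardened else [self._card]
        if any(hmac.compare_digest(h, old) for old in blocked):
            return False
        self._app = h
        return True

    def change_card_pin(self, pin: str) -> bool:
        """Rotate the card PIN; the hardened variant refuses a value equal to the app PIN."""
        h = self._digest(pin)
        if self._hardened and self._app is not None and hmac.compare_digest(h, self._app):
            return False
        self._card = h
        self._recent = ([h] + self._recent)[: self._keep]
        return True

    def app_pin_equals_card_pin(self, pin: str) -> bool:
        """Demo-only oracle: does `pin` unlock both the app and the card right now?"""
        if self._app is None:
            return False
        h = self._digest(pin)
        return hmac.compare_digest(h, self._app) and hmac.compare_digest(h, self._card)


def gaming_sequence(hardened: bool) -> bool:
    """Replay the bypass from the thread against a fresh account whose card PIN is 1234.

    Returns True if the user ends up with app PIN == card PIN, i.e. the rule was defeated.
    """
    srv = PinReuseChecker("1234", hardened=hardened)
    srv.set_app_pin("1234")          # direct reuse: rejected by both variants
    srv.change_card_pin("9876")      # step 1: move the card PIN away
    srv.set_app_pin("1234")          # step 2: app PIN = old card PIN
    srv.change_card_pin("1234")      # step 3: move the card PIN back
    return srv.app_pin_equals_card_pin("1234")


if __name__ == "__main__":
    print("as proposed, bypass works:", gaming_sequence(hardened=False))   # True
    print("hardened, bypass works:   ", gaming_sequence(hardened=True))    # False
```

With `hardened=False` step 2 succeeds because the server only compares against the current card PIN (9876), and step 3 silently recreates the collision. With `hardened=True` step 2 is rejected because 1234 is still in the recent-hash list; even if the history were exhausted, step 3 would be refused because it collides with the app PIN. The history length is a usability trade-off, and none of this helps when the user simply picks a trivially related PIN, which the thread also points out.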

I’d expect the app to let you pick whatever PIN you wanted, and have it be 6 digits/characters. Loads of apps have a 6-digit option, so I do reuse it, but they’d have to have already unlocked my phone anyway. (I prefer to turn off PIN lock options on apps, but most don’t let you.) So long as you could skip it with biometrics (Touch/Face ID), then I’m fine either way.

I think Option 2 is probably the best option, purely for offline reasons. That said, emojis would probably fit Monzo a lot better :joy:

I’ve had issues where I can’t unlock the app (or use Apple Wallet for payments) during the heat. If your hands are wet/wrinkled, Touch ID won’t work, but the touchscreen/PIN input would. I’d think that the PIN input would be good as a backup, as Touch ID isn’t always reliable.