Monzo has recently changed login security for Android devices (not sure about iOS). Previously, on login you could use biometrics and fallback to device PIN. Now, you can still use biometrics but fallback to card PIN instead. It’s troubling that this is being promoted as an increase in security, in my opinion - this is a reduction in security.
Biometrics are good but they can be bypassed and that has to be an option - face recognition/fingerprints don’t always work. Therefore, it’s vitally important that any pin code entry is also secure.
Of course, having a separate code to enter the app could be seen as better - it means if your device is compromised, the Monzo app isn’t necessarily compromised too.
However, there are a few issues:
A device PIN is not restricted to 4 digits but a card PIN is. I’m now forced to use a 4-digit code in place of the 6-8 digit code that previously protected me.
The same card PIN is now being used for two different purposes which goes against good security practices. We’re rightly taught not to reuse codes and passwords for different purposes but then forced to here.
Changing the code to enter the app is now more difficult. Because it’s tied to card PIN - presumably that means it’ll need to be changed at an ATM. Not good or quick if it has become compromised.
If we look at the competition i.e. what other banking apps do in this situation - in the half dozen others I use, they all use a separate passcode system for logging into their apps and they all support more than 4 digits.
Using a separate passcode from the device one makes sense but it should not be the card PIN and it must have the option to be longer than 4 digits. Ideally, it would be a minimum of 5/6 digits to discourage PIN reuse.
Perhaps let people choose between using PIN and a separate passcode if you want to balance usability and security.
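To make the policy argued for above concrete, here is an added example (my own illustration, not Monzo's code or any bank's real logic) of a server-side app-passcode policy: a dedicated passcode of at least 6 digits, with trivial patterns rejected and any 4-digit window checked against a salted hash of the card PIN so the passcode cannot simply embed it. The verifier function, iteration count and the 6-digit minimum are constructed assumptions for the example.

```python
import hashlib
import hmac
import os

# Constructed policy for illustration: minimum length of a dedicated app passcode.
MIN_PASSCODE_DIGITS = 6
CARD_PIN_DIGITS = 4          # card PINs are 4 digits, as the post notes
PBKDF2_ROUNDS = 100_000      # assumed work factor for the PIN verifier


def make_pin_verifier(pin: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Return (salt, digest) so the card PIN never has to be held in clear."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches_verifier(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate against a stored verifier."""
    cand = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(cand, digest)


def is_trivial(passcode: str) -> bool:
    """Reject all-same digits and straight runs such as 123456 or 654321."""
    if len(set(passcode)) == 1:
        return True
    steps = {int(b) - int(a) for a, b in zip(passcode, passcode[1:])}
    return steps in ({1}, {-1})


def passcode_problems(passcode: str, pin_salt: bytes, pin_digest: bytes) -> list[str]:
    """Return the list of policy violations; an empty list means the passcode is acceptable."""
    problems = []
    if not (passcode.isascii() and passcode.isdigit()):
        return ["digits only"]
    if len(passcode) < MIN_PASSCODE_DIGITS:
        problems.append(f"at least {MIN_PASSCODE_DIGITS} digits")
    if is_trivial(passcode):
        problems.append("trivial pattern")
    # Slide a card-PIN-sized window over the passcode so "123400" cannot hide PIN 1234.
    windows = (passcode[i:i + CARD_PIN_DIGITS] for i in range(len(passcode) - CARD_PIN_DIGITS + 1))
    if any(matches_verifier(w, pin_salt, pin_digest) for w in windows):
        problems.append("must not embed card PIN")
    return problems


def guess_success_odds(length: int, attempts: int) -> float:
    """Chance that an attacker limited to `attempts` tries before lockout guesses a random passcode."""
    return min(1.0, attempts / 10 ** length)
```

With a lockout after 10 attempts, guess_success_odds shows the move from a 6-digit to a 4-digit code raises the per-lockout-window success chance from 1 in 100,000 to 1 in 1,000.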