Security - it doesn't 'feel' secure

HMRC has a similar thing. If you forget your ID you have to fill out an annoying form and get posted a letter which contains it. If you’ve forgotten your password I think you go through a similar process.

My dad has degrees in Physics (Cambridge) and Electronic Engineering so he’s not stupid and can fairly competently use a computer (he’s built a few from components) and yet this system persistently fails for him. The letters never seem to arrive and the website is unintuitive and unhelpful so as a user, he doesn’t get a good experience at all. Just using him as a test case, we can see that the system here is broken - so, due to all the security the users cannot use the actual service…which defeats the point here!

Passwords are deeply flawed and I think there needs to be a more ground up solution than making it very very difficult for people to access their account. There is a need for security, but there is also a need for usability and arguably usability should come slightly first as you can build the most secure system in the world, but if users cannot use it then it is pointless.

3 Likes

I would hate to have a bunch of extra ‘security’ foisted on me that I don’t want. I’m fine with people being able to add passwords and such but personally I already have to unlock my phone with a fingerprint or passcode.

I don’t want to do that again in Monzo, especially since I just use a password manager for passwords anyhow.

That’s my opinion. Low friction all the way - nothing will ever be 100% secure so I’d rather Monzo go for ‘good enough and nice to use’.

6 Likes

Personally, I’ve never been a fan of the passwordless login system, you enter your email -> they send you an email -> click login. I’ve never been a fan, however, it works, it’s secure, and makes ease of use for the end user.
You don’t have to remember a ton of details, or worry about putting them into a phishing website.

The only difference is, security then becomes down to the end-user, how secure is your email, can someone get a hold of this, and do you have steps to get it back if anything happens.

Therefore I recently changed my email to another provider to offer me 2-step authentication.

When it comes to the mobile, once you’ve authenticated a device, it then becomes the security of how secure your login is on that, how many people do you let on your phone… I personally don’t trust anyone and change my passwords for email and phone every 3-6 months.

There was a discussion on Monzo’s use of JWTs: Security protocol observations

2 Likes

No, it is not uncalled for. Anyone who dares to express an opinion on securing the app with a password or PIN, or on making steps in the app have additional security layers, gets promptly attacked by a number of ardent zealots (often regulars) who are active in the community.

We have no objection to their views, and while a solution is to have any settings optional, they try and stamp on such ideas so we don’t even have that.

1 Like

Just following this guide: https://community.monzo.com/t/users-who-criticise-monzo-get-shouted-down-here/23891

I’m not sure this conversation is going to be particularly helpful or solve the actual issue at hand. I suggest if you want to talk about people getting “attacked”, the above thread might be a better forum.

To summarise: the app is not massively secure, some people see this as a benefit others as a drawback. Discuss without responding to emotion in people’s posts.

5 Likes

Sorry you felt attacked - I know I have criticised having extra layers of security in the past but never intended to ‘attack’.

BTW, I never said don’t bring an optional setting if it keeps more people happy and feeling secure, but I can only say for myself that I don’t want to log in once I unlock my phone.

3 Likes

I know you feel very strongly indeed about this issue - we’re all well aware how many times you’ve raised it. However, diatribes like this just come across as trolling. You are adding nothing to the conversation. Can you not make a point without upsetting other people?

9 Likes

I also wouldn’t object to an optional setting for people that want it as long as it doesn’t make me less secure. My concern with a password/separate PIN is the weakness is usually in the recovery process. There have been numerous instances of social engineering of companies that have resulted in people losing control of their account because someone else was able to reset/recover the password. So if passwords become a feature, that is potentially another attack vector against my account, as well as those who want this feature.

2 Likes

Quite. Here at Royal Holloway it is possible to reset anyone’s network password as long as you know their ID number and DOB, ID isn’t personal information and DOB is trivial to find.

2 Likes

I am not trolling. An anti-pin or anti-password person trolls and when I reply to them I get attacked. You guys are happy to let posts when they reflect your view and criticise us if our views are different. If you let people post the one view you should not try and stop others with a different view replying to them.

1 Like

This is your perception, not reality.

2 Likes

Here I disagreed with a comment by Feathers to Nanos. I should be free to support another user if I wish. If you want to police, direct and control these threads why not have every posted comment submitted for approval before it is shown. You can then ensure all threads reflect the corporate line of the Leaders or Monzo.

The point is, it gets really tiring seeing you repeat the same point over & over again. As I’ve already mentioned, it’s not going to get you the functionality that you’ve asked for & it wastes everyone’s time explaining what the situation is.

We know that the app’s security is being redesigned for v. 2 of the app, it’s pointless to debate whether the security is sufficient until then.

You’re not doing your credibility any favours by changing your profile picture like that either.

11 Likes

My problem with your disagreement is that you seem to be saying that you DO believe that anyone who doesn’t want the same security implementation as you do is “blindly” supporting Monzo.

I don’t think I’ve taken a side in this debate so it’s the assertion of “blindness” I was questioning and which you seem to be supporting.

If you really believe that anyone who disagrees with you is simply “blind” then…

(I think this is discussing content and not attacking anyone but that’s just my opinion! :weary:)

5 Likes

If you actually don’t read the thread in the order it appears but see what post the other leader was replying to, it was to a comment I made to feathers in response to his reply to nanos. I felt Nanos had made a valid comment and I was right to support them in that. Not reading the replies as they link together may take it out of context, but if the conversation thread is read rather than a succession of posts it makes more sense.

anyway wot you doin here - :slight_smile: :slight_smile:

7 Likes

I did read the thread, once again, you brought this up -

I might not post much now but that doesn’t mean I’m not lurking :eyes: :slight_smile:

8 Likes

Please stop :stop_sign: this

It’s just getting off topic. If someone is not happy, I think they can get in touch with CS directly for an answer.

3 Likes