Security: Touch ID / Passcode when opening the app the second (or n-th) time


(Marcel Ruhf) #1

Hi there,

(This is in regards to the iOS app)
I have noticed that after opening the Monzo app for the first time in a session (with which I mean a continuous period of time where the phone is switched on) and closing it (pressing the home button once), it does not ask you to authenticate again when re-opening it.

Also, it seems like all details that were previously visible on the app can be viewed from the task manager as well, rather than being hidden.

I would suggest changing this.

Cheers.


Touch ID problems
(Peter McDonald) #2

Just tried this myself and agree with @MRMR. Bit of an oversight but it only seems to use touch id/face id for initially opening the app. I even locked the phone and reopened without being asked to reverify (obviously face id used to unlock the phone).

The task card should also certainly hide the details as this could be a privacy issue, people do not tend to close apps on Apple devices, therefore, the app could remain open indefinitely, although the details on the card would be outdated it would potentially leak info if someone were to pick up an unlocked phone or the owner was showing something on their phone.

Peter


(Jolin) #3

Are you and @PeteMcD both using FaceID? Is it possible that you’re just being authenticated immediately because of it?

I ask because I don’t even have the TouchID lock enabled for the Monzo app, and all details are covered up in the app switcher. So I wonder if it’s something around FaceID authenticating immediately.


(Peter McDonald) #4

Hi @jzw95 I do have Face ID enabled (manually enabled it in the settings). When you first open the app it prompts for Face ID before it will open, if you minimise the app and come back to it, it does not re-request Face ID. To have it re-prompt I would need to physically close the app.

To make sure it was not just validating extremely quickly I have tilted the phone so the camera can’t see me (same sort of angle that stops the phone unlocking) but the app happily displays if it was already running in the background.


(Change Works) #5

It works as expected for me. There are two touch ID buttons in settings; they should both be on.


(Marcel Ruhf) #6

No, I only have TouchID and both TouchID toggles are active.


(Marcel Ruhf) #7

@Anarchist yeah, but try closing it (just pressing home once) and reopen it, and it won’t ask you for TouchID.


(Change Works) #8

@MRMR Yes it does. I checked before I posted. I’m on an iPhone 6 and whatever the up to date iOS version is.


(Marcel Ruhf) #9

That’s weird - my issue is appearing on an iPhone 7 Plus with iOS 11.2.2.


(Peter McDonald) #10

Double checked mine as well. Both toggles on and not working as expected.

iPhone 10 with iOS 11.2.2


(Miles David Kenyon) #11

Hi there,

I know Monzo has a lot on its plate atm but I think this is something that’s quite needed.

I think the features around touch ID need improving. At the moment when you add Touch ID there is no way to access the app other than Touch ID. There should definitely be a password alternative.

Also as an extra security measure the app should require said passcode or Touch ID again to enter when the app has been closed or between app switching. At this time it requires you to kill the app process in order for the Touch ID to become active again.

Thanks

[EDIT] I see others have mentioned the same or similar on other threads. The more posts the better I guess :smile:


(Change Works) #12

There is, but it’s clunky. If you press ‘cancel’ on the Touch ID screen, and then ‘logout’, you can log back into the app - you’ll need to know your card PIN, though. It could be better, obviously, and hopefully will be soon.

The other issue is a bug which is known, and hopefully they’ll sort it out soon.


(Peter McDonald) #13

A new thread was created in another section. I made contact with support who have confirmed that this is a bug and will be fixed in the next version of the app.
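
One way an iOS app can implement the two behaviours asked for in this thread (re-authenticating after the app has been in the background, and covering its content in the app switcher), as an added example that is not part of any post and is not Monzo's code. The `SceneDelegate` class, its property names and the reason string are assumptions made for illustration.

```swift
import UIKit
import LocalAuthentication

// Hypothetical scene delegate for illustration; not Monzo's code.
final class SceneDelegate: UIResponder, UIWindowSceneDelegate {
    var window: UIWindow?
    private var isLocked = true       // locked until the user authenticates
    private var shouldPrompt = true   // auto-prompt once per return to foreground
    private var context: LAContext?   // kept alive while the prompt is showing

    // Opaque view drawn over sensitive screens; tapping it retries the prompt.
    private lazy var cover: UIView = {
        let view = UIView()
        view.backgroundColor = .systemBackground
        view.autoresizingMask = [.flexibleWidth, .flexibleHeight]
        view.addGestureRecognizer(
            UITapGestureRecognizer(target: self, action: #selector(authenticate)))
        return view
    }()

    // Fires before the app-switcher snapshot is taken, so the card shows the cover.
    func sceneWillResignActive(_ scene: UIScene) { showCover() }

    // Pressing Home or switching apps ends the authenticated session.
    func sceneDidEnterBackground(_ scene: UIScene) {
        isLocked = true
        shouldPrompt = true
    }

    func sceneDidBecomeActive(_ scene: UIScene) {
        guard isLocked else { hideCover(); return }
        showCover()
        // The biometric sheet itself makes the scene inactive and active again,
        // so prompt automatically only once; a cancelled prompt is retried by tap.
        if shouldPrompt { shouldPrompt = false; authenticate() }
    }

    @objc private func authenticate() {
        // Fresh context each time: a context that already succeeded would not re-prompt.
        let ctx = LAContext()
        context = ctx
        // .deviceOwnerAuthentication falls back to the device passcode.
        ctx.evaluatePolicy(.deviceOwnerAuthentication,
                           localizedReason: "Unlock your account") { [weak self] ok, _ in
            DispatchQueue.main.async {
                guard ok, let self = self else { return }   // on failure the cover stays up
                self.isLocked = false
                self.hideCover()
            }
        }
    }

    private func showCover() {
        guard let window = window, cover.superview == nil else { return }
        cover.frame = window.bounds
        window.addSubview(cover)
    }

    private func hideCover() { cover.removeFromSuperview() }
}
```

Resetting `isLocked` in `sceneDidEnterBackground` rather than only at launch is what makes the prompt reappear without the user having to kill the app process.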