I wanted to share an idea we have to get your feedback. Hopefully it avoids some potential confusion, and also scratches a couple of long standing itches too!
Quick Summary - To avoid confusion with recent security regulation, we propose changing our current App Lock feature to be more secure, and to let you use your card PIN to unlock the app (if you don’t want to use biometrics). However, this will mean you’ll need an internet connection to unlock the app.
As a result of new rules affecting all banks(Strong Customer Authentication), you will need to authenticate yourself to keep using banking apps and websites at least once every 90 days.
When this happens with Monzo, you’ll be asked to enter your card PIN when you open the app, or use FaceID or your fingerprint if you have either set up. We’ll ask you do to this in advance of the 90 day limit to reduce the chances of getting locked out.
However, there is an existing feature that will create some added friction and potential confusion for some people - our biometric app lock. Right now, if you opt in to this feature you will be asked to provide your fingerprint/FaceID to enter the app.
We’ve had feedback in the past that app lock needs to support people who don’t use biometrics, and that it doesn’t feel secure (sometimes the app contents flash up before the lock screen, a side effect of us making sure the app lock can work without an internet connection).
The challenge comes once you need to your Strong Customer Authentication refresh and you have app-lock enabled. You’ll first be asked to use your fingerprint/Face to unlock the app, then will be asked again to do Strong Customer Authentication by entering your card PIN or using biometrics.
To keep things simple and avoid the potential confusion of lots of similar settings, we propose ‘merging’ these two features into a configurable security check.
How it would work:
- By default, you’ll need to enter your card PIN every 90 days to access the app
- If you like, you can decide for that check to happen each time you open the app
- If you turn on `Use Face ID/fingerprint for authentication’ the app security check will ask for that instead of your PIN.
If you have the biometric app lock enabled currently, you would automatically have this new ‘merged’ feature enabled to match your current settings.
In addition to avoiding the double-authentication issue, this would also enable you to secure your app each time it is opened with something other than biometrics.
However, as an internet connection is needed to perform Strong Customer Authentication, it will no longer be possible to unlock the app without an internet connection.
This shouldn’t be a problem for people using the default 90 days setting, but could add friction for people that decide they want a security check every time they open the app. It’s more in line with how other bank apps manage security, but it is a change, so we want to get some feedback first.
To illustrate the idea, here’s a very basic settings page, exciting I know!
We need your feedback!
Does this make sense to you? Is there anything we’re missing?
If you use the app lock feature currently, please let us know if this change would work for you.
Hopefully we can strike the right balance between security, friction, and too many different settings.