Sneak Peek: Updated App Lock

Hey all,

I wanted to share an idea we have to get your feedback. Hopefully it avoids some potential confusion, and also scratches a couple of long standing itches too!

Quick Summary - To avoid confusion with recent security regulation, we propose changing our current App Lock feature to be more secure, and to let you use your card PIN to unlock the app (if you don’t want to use biometrics). However, this will mean you’ll need an internet connection to unlock the app.

The Problem

As a result of new rules affecting all banks(Strong Customer Authentication), you will need to authenticate yourself to keep using banking apps and websites at least once every 90 days.

When this happens with Monzo, you’ll be asked to enter your card PIN when you open the app, or use FaceID or your fingerprint if you have either set up. We’ll ask you do to this in advance of the 90 day limit to reduce the chances of getting locked out.

However, there is an existing feature that will create some added friction and potential confusion for some people - our biometric app lock. Right now, if you opt in to this feature you will be asked to provide your fingerprint/FaceID to enter the app.

We’ve had feedback in the past that app lock needs to support people who don’t use biometrics, and that it doesn’t feel secure (sometimes the app contents flash up before the lock screen, a side effect of us making sure the app lock can work without an internet connection).

The challenge comes once you need to your Strong Customer Authentication refresh and you have app-lock enabled. You’ll first be asked to use your fingerprint/Face to unlock the app, then will be asked again to do Strong Customer Authentication by entering your card PIN or using biometrics.

The Suggestion

To keep things simple and avoid the potential confusion of lots of similar settings, we propose ‘merging’ these two features into a configurable security check.

How it would work:

• By default, you’ll need to enter your card PIN every 90 days to access the app
• If you like, you can decide for that check to happen each time you open the app
• If you turn on `Use Face ID/fingerprint for authentication’ the app security check will ask for that instead of your PIN.

If you have the biometric app lock enabled currently, you would automatically have this new ‘merged’ feature enabled to match your current settings.

In addition to avoiding the double-authentication issue, this would also enable you to secure your app each time it is opened with something other than biometrics.

However, as an internet connection is needed to perform Strong Customer Authentication, it will no longer be possible to unlock the app without an internet connection.

This shouldn’t be a problem for people using the default 90 days setting, but could add friction for people that decide they want a security check every time they open the app. It’s more in line with how other bank apps manage security, but it is a change, so we want to get some feedback first.

To illustrate the idea, here’s a very basic settings page, exciting I know!

Screenshot 2019-10-10 at 09.15.30.png790×1692 53.9 KB

We need your feedback!

Does this make sense to you? Is there anything we’re missing?

If you use the app lock feature currently, please let us know if this change would work for you.

Hopefully we can strike the right balance between security, friction, and too many different settings.

Thanks!

As long as, if I have the App Lock enabled but no internet connection, there is a message that states that then yes, this seems very sensible to have as an option.

I’m happy with my FaceID unlock so please don’t blat over that on the way! (technical term there…)

are there cheat notes with this post because i’m very confused

That’s the crux of it there.

So is this at all times or just if you select the ‘check every app open’ option?

However, as an internet connection is required to perform Strong Customer Authentication, it will no longer be possible to unlock the app without an internet connection

There’s no way for us to avoid needing an internet connection to unlock the app when you need to do a security check, but unless you choose to secure your app on every app open, you’ll only need to do this once every 90 days, and we’ll prompt you in-app ahead of time to re-authenticate, to avoid anyone getting caught out last minute.

Sorry, it’s hard to write about this stuff accurately without it getting a bit dense!

I think it’s more my lack of coffee

Might be worth saying on that screen in big letters that if you chose the every time option that you will need an internet connection, or is that later in the flow?

That’s a good suggestion, that mock up is very much illustrative, rather than the actual design

I’d say this suggestion is a good, more secure fallback for people without biometrics enabled - or available!

@Jami Can i ask how this will impact those people that have the use pin to verify transfers etc. setting

Will this basically be a non-issue for people who have this setting enabled? would rather not enable either of these and enter my pin to verify transfers already

Hey Nathan - Not sure I understand. Are you referring to sending bank transfers? This proposal would only affect the app-lock feature (which shows a screen when you first open the app, asking you to unlock before getting into the app), not any of the ways you authenticate other actions like Payments, PIN reminders, etc.

For Bank transfers, you’ll still need to enter your PIN, or use biometrics if you have them enabled.

Hope this helps!

Makes sense to me. I don’t use app lock at the minute but seems like a sensible approach.

I read this all as… even if you dont currently have a lock on your app (biometric or pin) due to the new SCA ruling youll need to enter in your pin at least once every 90 days to continue to use the app? Is my take wrong.

Secondly my question was if that first assumption i made was correct could this timeframe be updated so that when i currently use my pin for a transfer etc this could be used against that 90 day limit for SCA

I could be very wrong here and apologies if i picked it all up wrong

Aha! Got it!

Your understanding is correct - but unfortunately it’s not possible to count PIN entry for other things like payments as giving permission to access your account and transactions for another 90 days.

The permission needs to be explicitly for account access.

So I have to give Monzo (the app) permission to access Monzo (the account) every 90 days. Is that correct?

Whoever wrote the new SCA rules hates people.

I have face ID on for login and would be happy with this surgestion.
very rare to not have a internet conection.

as long as that is made clear on the screen when you turn it on.

I still have the old design (even when I am using the latest iOS app version). Will this affect me if I dont have the new design?

Might be rarer than you think in rural parts. We have no mobile signal here [and to be fair no shops either] but in the local [small] town I don’t think there is widespread public access to WiFi. R-

Is there any reason that if you have the “check every app open” option on, and there’s no internet, you can’t just waive the SCA check if it’s been < 90 days?