Sneak Peek: Updated App Lock

Interesting question. We could take that approach - but it could undermine the security of the feature (and the reason you’d choose to enable it) if all you need to do is remove an internet connection to get around it.

I think it might be possible to still authenticate without an internet connection if you decide to use fingerprint/FaceID instead of your Card PIN - which would lessen the negative impact here.

3 Likes

I don’t think this change will be limited to the new app design, it’s quite independent.

I use my fingerprint on every open, so with this change I wouldn’t be able to log in without the internet?

I don’t understand, as I can use it currently without internet access - why just not keep it like that?

Or if this new regulation requires actual internet, why not use offline app login for 89 days, then switch to online on the 90th day, or better yet use the online when connected to the internet, and offline when not - that way the 90 days is constantly rolling (unless offline for 3 months, which is unlikely).

Make sense or did I miss the point?

4 Likes

Only if you select SCA on every occasion. If you choose every 90 days then only that one needs internet.

If I’ve understood it correctly :sweat_smile:

Explained here:

In order to resolve the issue of asking people to authenticate twice in a row, the change is being proposed to merge the two so they only have to authenticate once. And as the SCA part of the authentication requires the internet, that’s why internet access will be necessary.

Answered:

I think this would be ideal.

So something like:

Day 1, Internet, Face ID - Opens, and resets the SCA clock.
Day 2, Internet, Face ID - Opens, and resets the SCA clock.
Day 3, No Internet, Face ID - App Opens - SCA clock ticks down one day (basically, current behaviour of Face ID to unlock app?)
Day 4, No Internet, Face ID - App Opens - SCA clock ticks down one day.
Day 5, Internet, Face ID - App Opens, SCA Clock reset

Would it get around it though - you’d still need to have your face to get into the app - so that security benefit is still there, but the SCA wouldn’t be validated? If you managed to go 90 days, without your face, or the internet, then the app would lock out - which is the desired behaviour right?

I’ve just played with the Santander app, which won’t let you in at all without internet. I like that Monzo does that, but I also like that I can use my face to open Monzo, and prevent anyone I’ve given my phone to from opening my bank.

If it was possible to do this “every time you open and have internet” option, I’d take that, rather than the 90-day hard limit.

10 Likes

So I was just reading through EU 2018/389 (the SCA part of PSD2, as far as I can gather).

I’m sure Monzo bods have pored through this enough anyway to gather an interpretation, but…

Looking at Article 10, which talks about exemptions to SCA - it gives the examples of ‘accessing balance info’ and ‘accessing transactional data’, importantly ‘in the last 90 days’ - and then talks about the need to re-SCA.

Does this mean then, I will only ever be able to scroll back to the previous 90 days of transaction history - to the last time I got SCA’d - and if I want to go further I’ll need another SCA?

Maybe I didn’t explain it properly, but Ben said it much better - that’s what I was trying to say.

Switching between authentication type in the background would work and be invisible to the user and let us connect when we don’t have internet, which is regularly for some.

2 Likes

This makes sense to me and is how I’d approach the issue if I’ve understood it correctly. I wouldn’t be choosing the every day option just in case.

Something in app (once you have passed security) that recognises you have an Internet connection and then prompts you to extend the clock 90 days could be another option?

I get the feeling that this will become one of those things that, once implemented, we will all get used to and forget about in no time at all.

Current implementation sounds about the ‘best’ (putting aside interpretations of the SCA which I agree are utterly ridiculous and not based on most modern smartphone usage).

1 Like

It’s never great when regulation sets hard limits rather than principles and required outcomes.

PINs are now old and subject to shoulder surfing.

There’s an assumption here that an Internet connection is always going to be available or only out for a short while. What happens when one isn’t? (major power interruption, failure of ISP etc.)

While the proposed solution answers the regulation could another be to use the sensors all phones have, (gyroscope and screen etc) to authenticate users on a rolling basis so you’re always well under 90 days from the required authentication. We all have a way of using our devices that the existing sensors could learn. Could this give enough “confidence” to authenticate you continuously even when off line?

It’s also good to make sure that you never get to the 90 day trigger point by authenticating early as you propose. When say 70 days have passed and there IS an internet connection the App should prompt to authenticate and hassle you so you don’t hit 90 days unauthenticated. Good luck.

2 Likes

Yay!!!

Just what I’ve been hoping for as I use fingerprint to open phone and then PIN for any sensitive app. Personally requirement for internet not a concern for me.

I don’t think it’s a matter of confidence, more that permission has to be explicit - see the earlier comment explaining why putting a PIN in for transferring money can’t count towards resetting the 90 day limit. One could suggest that this is a case where the legislation is a ass, so to say.

2 Likes

I think the original suggestion is fine if you have ID on for login.

All this about offline for several days/weeks is silly.

The app in my mind would be no use to man or beast if it’s not connected to the internet - no live bal, no updated transactions, no payments.

So if you have it check every time you log in, the most you would probably be without internet is a few hrs or a day. So this would not be an issue.

Thanks for clarifying the requirement. Yes while maybe well intended, the regulation is not well thought through.

Good digging - I don’t know the full details on our implementation, but I don’t think you need to re-do SCA if you scroll back to transactions older than 90 days / your last authentication.

3 Likes

While I think it’s unlikely that someone is going to be disconnected for such a long stretch, I don’t think it’s out of the realm of possibility that someone is on holiday with sparse access to internet, or otherwise.

Purely from an access point of view, SCA aside, I really like that I can get into the monzo app and see as much as I can while offline. Sure I can’t access payments or have the most up to date balance etc - but I can still see transaction history and relatively up to date balances - it would be a shame to lose that, I think.

3 Likes

Yes, this is basically what I was thinking.

I think that’s how it would work if you use FaceID or fingerprint - but won’t be possible if you just use your PIN to authenticate, because we can’t store that on your device for security reasons.

The ‘can’t unlock the app without internet’ issue seems to only affect PIN-based unlocking.

1 Like
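To make the scheme discussed in this thread concrete, here is an added illustration in Python of the rolling 90-day SCA clock: the Day 1 to Day 5 Face ID sequence proposed above, the 70-day early re-authentication prompt suggested later, and the constraint from the reply just above that a PIN can only be checked with a connection. This is example code written for this page, not Monzo’s implementation; the class and function names, the 70-day reminder threshold and the treatment of an online PIN check as a full SCA are assumptions drawn from the posts, not from the regulation text.

```python
"""Rolling 90-day SCA clock for a phone-app lock (added illustration).

Not Monzo's code. Names, the 70-day reminder threshold and the rule that a
PIN is only ever checked server-side are assumptions taken from the thread.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum

SCA_WINDOW = timedelta(days=90)    # the 90-day window discussed in the thread
REMIND_AFTER = timedelta(days=70)  # assumed nag point, per the suggestion above
EXAMPLE_START = date(2024, 1, 1)   # constructed start date for the scenarios


class Method(Enum):
    BIOMETRIC = "biometric"  # Face ID / fingerprint, checked on the device
    PIN = "pin"              # card PIN, checked by the server, never stored on the phone


class Outcome(Enum):
    OPEN_SCA_RESET = "opened, SCA clock reset"
    OPEN_LOCAL = "opened on local auth, SCA clock keeps ticking"
    OPEN_REMIND = "opened, prompt to re-authenticate early"
    DENIED_PIN_OFFLINE = "denied: PIN cannot be checked without internet"
    DENIED_SCA_EXPIRED = "denied: 90 days since last SCA, reconnect required"
    DENIED_LOCAL_AUTH = "denied: local authentication failed"


def plus_days(d: date, n: int) -> date:
    return d + timedelta(days=n)


@dataclass
class AppLock:
    last_sca: date            # day of the last successful online SCA
    sca_on_every_open: bool   # True: "every time you open and have internet"

    def days_since_sca(self, today: date) -> int:
        return (today - self.last_sca).days

    def unlock(self, today: date, method: Method, online: bool,
               local_auth_ok: bool = True) -> Outcome:
        """Decide whether the app opens and whether the SCA clock resets."""
        if not local_auth_ok:
            return Outcome.DENIED_LOCAL_AUTH
        elapsed = today - self.last_sca
        if not online:
            if method is Method.PIN:
                return Outcome.DENIED_PIN_OFFLINE   # nothing on-device to check it against
            if elapsed >= SCA_WINDOW:
                return Outcome.DENIED_SCA_EXPIRED   # the desired lock-out at day 90
            return Outcome.OPEN_LOCAL               # clock ticks down, app still opens
        # Online: the server can perform SCA right now.
        if self.sca_on_every_open or method is Method.PIN or elapsed >= SCA_WINDOW:
            self.last_sca = today
            return Outcome.OPEN_SCA_RESET
        if elapsed >= REMIND_AFTER:
            return Outcome.OPEN_REMIND               # offer to extend well before day 90
        return Outcome.OPEN_LOCAL

    def extend(self, today: date, online: bool) -> bool:
        """User accepts the reminder: re-run SCA now if a connection exists."""
        if not online:
            return False
        self.last_sca = today
        return True


def five_day_scenario(start: date) -> list:
    """The Day 1 - Day 5 sequence from the thread, Face ID on every open."""
    lock = AppLock(last_sca=start, sca_on_every_open=True)
    schedule = [True, True, False, False, True]   # internet available on each day?
    return [lock.unlock(plus_days(start, i + 1), Method.BIOMETRIC, on)
            for i, on in enumerate(schedule)]


if __name__ == "__main__":
    for day, outcome in enumerate(five_day_scenario(EXAMPLE_START), start=1):
        print(f"Day {day}: {outcome.value}")
```

Running it prints the five outcomes from the scenario above: the two online days and day 5 reset the clock, and days 3 and 4 open on Face ID alone while the clock keeps ticking. With `sca_on_every_open=False` the same object models the "every 90 days" option, where only the expiry itself (or an accepted reminder) forces the online step.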

If I understand this correctly I don’t see any issues with it. It’s unlikely someone’s device wouldn’t be online for 90 days with continuous use of the Monzo app. Surely your feed would be suuuuper out of date.

1 Like