Some Security is Better Than None

On iOS, other apps that use TouchID often have a fallback, but that fallback is the app’s password, not the phone’s unlock code (see Nationwide, 1Password, Starling, etc.). I don’t think iOS supports falling back to the phone unlock code.

I am not a programmer, but my understanding is that TouchID/FaceID essentially securely store the app’s login credentials. Your fingerprint/face unlocks the login credentials that are then supplied to the app. So the app has to have login credentials to be stored. Apps that have a fallback allow you to enter the login credentials directly. In this sense, Monzo is no different. The fallback if you cancel TouchID is to use the ‘send me an email’ feature to re-login to the Monzo app.

For whatever reason (someone with a better grasp of security implications can probably enlighten us), I don’t think that iOS allows you to use the phone unlock code to access the securely stored app login credentials. Presumably it has something to do with how the secure enclave works.

2 Likes

TouchID/FaceID essentially securely store the app’s login credentials. Your fingerprint/face unlocks the login credentials that are then supplied to the app. So the app has to have login credentials to be stored. Apps that have a fallback allow you to enter the login credentials directly. In this sense, Monzo is no different. The fallback if you cancel TouchID is to use the ‘send me an email’ feature to re-login to the Monzo app.

Yes that is correct. An app can tell the system keychain “store this secret value and only give it back to me when user passes Touch ID/Face ID”.

2 Likes

That’s interesting. I don’t know very much about this stuff. For some reason I thought
“store this secret value and only give it back to me when user passes Touch ID/Face ID” included a fallback to passcode.
If you go to Settings > Accounts & Passwords on an iOS device and fail the Touch ID, it asks if you want to enter the passcode instead.
Is it only the OS that can request this option? I now assume this is restricted to Apple, which seems a bit of a pain.

Edit: if I fail Touch ID on Starling I get this screen:

My phone lock code unlocks Starling :man_shrugging:t3:

3 Likes

Ah, that’s interesting. For some reason I remembered the Starling fallback as one of the Starling-specific passwords I had to set up. I agree that if the phone passcode could be used as a fallback to unlock the login credentials stored in the system keychain, that would be ideal. (In the sense that it removes the need for Monzo to create a separate password and recovery process, not that it makes a difference to me as I think putting Monzo behind a fingerprint or passcode is an unnecessary hassle. :wink:)

I agree that it isn’t necessary for me. I can’t speak for others though, maybe if I had kids who borrowed my phone all the time and left it in places with games running that stop the auto lock feature (I wouldn’t let my kids use my phone full stop) I would be worried.
I was under the impression that this is iOS functionality so shouldn’t require a lot of work and might appease a few users :wink:

1 Like

If you’re on Android you can place a PIN on Monzo already. I think having the security on the phone first is sufficient and should be a user option to configure an additional layer of security on the App itself. Having the PIN prompt to make withdrawals seems more than enough. What can you actually do with the Monzo app unless you know the PIN?

Depends on which version of the OS… and we all know how mobile manufacturers release with older versions and don’t update them.

PIN is always required for transfers, and I don’t use the Touch ID feature to lock Monzo because it’s unnecessary for me, but I understand that some people are incredibly privacy focused and don’t want people to see their transaction history (maybe because they make an embarrassing amount of :moneybag: :man_shrugging:t3: I find the wealthier people are, the less likely they are to share their income :thinking:).
It keeps coming up though, so maybe it will be worth doing.

“It’s not the customer’s job to know what they want” - Steve Jobs

3 Likes

Presumably it’s an optional thing an app can request, e.g. ask for Touch ID but allow system passcode fallback. Looks kinda dangerous to me, as the user has no way to know whether the prompt is legitimate or is just an app trying to fake it.

https://developer.apple.com/documentation/localauthentication/lapolicy/1514164-deviceownerauthentication
vs
https://developer.apple.com/documentation/localauthentication/lapolicy/1622327-deviceownerauthenticationwithbio

maybe?

1 Like
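The two mechanisms discussed in this thread (the keychain “only give it back to me when the user passes Touch ID/Face ID” behaviour, and the deviceOwnerAuthentication vs deviceOwnerAuthenticationWithBiometrics policies linked above) map onto a small amount of Swift. The following is an added example written for this discussion; it is not code from Monzo, Starling or Apple, and the service and account names are constructed placeholders. It shows that the passcode fallback is indeed an app-side choice: the access-control flag `.userPresence` lets the system sheet offer “Enter Passcode” when biometrics fail, while `.biometryCurrentSet` does not.

```swift
import Foundation
import LocalAuthentication
import Security

/// Which unlock behaviour the app wants for its stored session credential.
enum UnlockPolicy {
    case biometricsOnly        // Touch ID / Face ID only; cancelling leaves the secret unreadable
    case biometricsOrPasscode  // biometrics first, with the system "Enter Passcode" fallback
}

// Constructed identifiers for the keychain item (placeholders, not a real app's values).
private let kService = "example.banking.app"
private let kAccount = "session-token"

private func baseQuery() -> [String: Any] {
    return [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: kService,
        kSecAttrAccount as String: kAccount,
    ]
}

/// Stores `token` so the keychain itself enforces user authentication on every read.
/// Returns the OSStatus from SecItemAdd (errSecSuccess on success).
func storeSessionToken(_ token: Data, policy: UnlockPolicy) -> OSStatus {
    // .biometryCurrentSet also invalidates the item if fingerprints/faces are re-enrolled.
    let flags: SecAccessControlCreateFlags =
        (policy == .biometricsOnly) ? .biometryCurrentSet : .userPresence

    var error: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        // Only available while a device passcode is set, and never migrates to another device.
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
        flags,
        &error
    ) else {
        return errSecParam
    }

    // Replace any previous copy so SecItemAdd does not fail with errSecDuplicateItem.
    SecItemDelete(baseQuery() as CFDictionary)

    var add = baseQuery()
    add[kSecAttrAccessControl as String] = access
    add[kSecValueData as String] = token
    return SecItemAdd(add as CFDictionary, nil)
}

/// Reads the token back. The system presents the biometric (and, for .userPresence,
/// passcode) prompt itself; the app only receives the bytes after the user passes it.
func readSessionToken(reason: String) -> Data? {
    let context = LAContext()
    context.localizedReason = reason          // text shown in the system prompt

    var query = baseQuery()
    query[kSecReturnData as String] = true
    query[kSecUseAuthenticationContext as String] = context

    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    guard status == errSecSuccess else { return nil }   // errSecUserCanceled, errSecAuthFailed, ...
    return item as? Data
}

/// The LAPolicy pair from the thread, used on its own (no keychain secret attached).
/// .deviceOwnerAuthentication offers the passcode fallback; ...WithBiometrics does not.
func authenticateUser(allowPasscodeFallback: Bool, completion: @escaping (Bool) -> Void) {
    let context = LAContext()
    let policy: LAPolicy = allowPasscodeFallback
        ? .deviceOwnerAuthentication
        : .deviceOwnerAuthenticationWithBiometrics

    var unavailable: NSError?
    guard context.canEvaluatePolicy(policy, error: &unavailable) else {
        completion(false)   // no biometrics enrolled / no passcode set / locked out
        return
    }
    context.evaluatePolicy(policy, localizedReason: "Unlock your account") { ok, _ in
        completion(ok)
    }
}
```

The design point for a banking app is the difference between the last function and the first two: `evaluatePolicy` only hands the app a Bool, so the app's own code decides what to do with it, whereas binding the session credential to a `SecAccessControl` means the credential is not readable at all until the operating system has authenticated the user, with the prompt (including the passcode sheet) drawn by the system rather than the app. Either way, the fallback-to-passcode behaviour is an opt-in the developer selects, which matches the observation above that Starling accepts the phone lock code while other apps do not.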

There’s more to locking an app than theft. What if you are a parent and you pass your phone to a kid to distract them while in the car. Perhaps you want that extra peace of mind that their favourite game doesn’t become ‘Monzo’, and they tap about in the app?

There’s a load of reasons that people may want an extra level of privacy on their banking app.

3 Likes
