Every time I make a payment, there is a sticky prompt suggesting that I use Face ID in future. Now, I don’t want this, because in my opinion it reduces my security. At the moment, someone who holds me and my phone hostage, or who manages to fool Face ID biometrics, cannot make payments without extracting the PIN number from me, and this is the way I want it to stay.
Please change this prompt to offer an option of, “Don’t ask me again.” If I want to change my mind later, I can change things in settings. At the moment, there is friction at the point of authorising the payment, because I see this prompt and want to be certain that I don’t press it by accident…
There’s a big increase in PIN-based fraud taking place, with people shoulder surfing at various points to try to catch your PIN.
Sure, it may not happen, but it’s a hell of a lot more likely than someone “fooling” Face ID, which I believe has only ever been accomplished once and cost vast amounts more than someone trying to just steal your money.
If someone is holding a knife, you’ll give up your PIN.
Having Face ID on and closing your eyes will mean it doesn’t accept you, but I think it’s highly unlikely you’ll shut your eyes and screw your face up if confronted.
There is the crux of the matter. It is just an opinion and not a fact. I don’t see why the app should be changed, because your opinion is not based on facts?
Hostage taker: Show me your face, I want to log into your Monzo app and take all of your money
Hostage: No, you can’t, I have a PIN
Hostage taker: Ok, you’re free to go - sorry
Have you guys ever heard of ‘threat models’? Every person’s threat model is different. Joking around is nice and all, but if this person’s threat model is what he says it is, maybe it’s actually a serious matter?
Now, individual threat models aside, Face ID can be less secure than a PIN generally speaking, as snatching a phone from someone and flashing it in front of their face could result in the attacker possessing a fully unlocked phone.
You can sing “it will never happen unless you’re in Guantanamo” all day long, until it happens to you or someone you know.
But here, it is Monzo that decides on the default threat model. AND provides a choice. It should not be up to consumers to decide on a bank’s threat model.
Monzo has its own threat models, but the important point under discussion here is the individual (customer)'s threat model. More often than not when we discuss threat modelling it’s about an end-user, not about the service providers.
I think the issue is that the OP finds the permanent placement of a less secure option is a) annoying and b) potentially (at least that’s how I understand it) at a position where one might tap it by accident.
I am not familiar with that screen (no Face ID on my phone and I don’t use PIN for transaction confirmation) so I can’t tell to what extent (b) is a legitimate concern; however, I understand the annoyance of an option that you’ll never ever want to use being shown to you over and over again.
If someone has abducted me to the point where they can manipulate my eyeballs to look in a specific direction for Face ID to work, I would have given them my PIN at a much sooner point than that.