Strong Customer Authentication: Upcoming changes to developer apps

Hi everyone,

New rules for all banks, including Monzo, mean we’ll start increasing security around third party integrations with your account. So the way you give access to your data to apps created at developers.monzo.com is changing, and we’ll ask you to regularly re-authenticate to continue sharing data with apps.

We’re doing this because of new requirements for banks called Strong Customer Authentication (SCA) which come into force on the 14th September. They aim to reduce fraud and make online payments more secure.

We’ll ask you to authenticate in the Monzo app when you first give access to a developer’s app :sparkles:

As well as logging in with an emailed magic link, users of your app will get a notification from Monzo on their phone asking them to authenticate using their fingerprint, Touch ID, Face ID or PIN.

Your app will receive unauthorised errors if it tries to access your data before the user authenticates in the Monzo app.

Users of your app will need to re-authenticate every 90 days to keep sharing their data :recycle:

We’ll also ask them to confirm regularly that they’d like to stay connected to your app. Users can also manage connected apps by going to “Manage apps” in “Settings” inside the Monzo app.

Changes to how much data a developer’s app can access :eyes:

After a user has re-authenticated, your app can fetch all of their transactions, and after 5 minutes, it will also be able to sync the last 90 days of transactions. If you need the user’s entire transaction history, you should consider fetching and storing it right after authentication.

All other permissions will stay the same.

What you’ll need to do now :tipping_hand_woman:

Make sure your users are aware of these changes, and let them know that they will need to update their Monzo app before Thursday, 12th September to make sure they can continue using your app :spiral_calendar:

You’ll be able to read more at docs.monzo.com in the coming days. In the meantime, if you have any questions, please let us know here.

4 Likes

When you say users will need to re-authenticate every 90 days, can you expand on that? I’m visioning one of two options (but maybe there are others!)

  1. Every 90 days the Monzo app will ask users whether they are happy to let “App Name” continue to have access to their data. If they accept, everything continues working but if they decline then the 3rd party app will receive an authorisation error and can no longer receive info.

  2. Every 90 days users will essentially be logged out of all 3rd party apps and be forced to go back through the individual login flows (using magic links, and the prompt in app) for each app to re-authenticate it.

I’m hoping it’s point one here (and is seemingly what @kieranmch says in his recent Q+A but maybe I’m misunderstanding).

If it is the second one then that is pretty restrictive, especially for backend-only apps (think Flux, which doesn’t have it’s own UI per se).

4 Likes

Thanks for the question. It is the first option :slightly_smiling_face: Like you said, the second option has terrible UX and we definitely want to avoid that.

5 Likes

Thank the lord Monzo! :sweat_smile:

Doesn’t affect my apps too much then luckily, thanks for the clarity there!

This confuses me. Does it mean that an app will only have access to the entire historical list of transactions for 5 minutes after authentication, and then only 90 days worth of transactions after that?

That’s correct. This is a legal requirement set out in the Strong Customer Authentication legislation.

If you need the user’s entire transaction history, you should consider fetching and storing it immediately after authentication. Your app can continue fetching new transactions, and transactions within the last 90 days after that.

@hieu, do we get any notification that a user has “fully” authenticated (via the app)?

You mention that we only get 5 minutes to download the full list of transactions, but we get an error soon as they’re redirected to us after OAuth and I can’t see a way of finding out when they’ve completed full authentication to know we are able to download said list of txs.

Of course we could just poll every couple minutes, but that seems like bad practice and could quite easily lead to some level of rate limiting.

What’s the recommended approach for this?

Thanks!

1 Like

do we get any notification that a user has “fully” authenticated (via the app)?

Not at the moment. This is something that we’d like to implement in the future though!

Polling is an option. If you do it every couple of minutes you shouldn’t hit a rate limit. Alternatively, you could implement a way for your user to let you know what they’ve authenticated in the Monzo app.

1 Like

I had considered a way of users letting me know, but because of the 5 minute limit this isn’t really feasible. If a service requires that information, and a user forgets or can’t for whatever reason trigger that mechanism then they’d have to abort that cycle and restart - not a good experience!

Sounds like polling is the right mechanism (for the time being!)

Will keep an ear to the ground and hope for updates on this in the future! :pray: :wink:

Is the rate limit per client or per authenticated user? i.e. if I had 500 accounts polling at the same time would I have issues, or because they’re different authenticated users it’d be fine?

Appreciate the response too, thanks!

Just to clarify, the 5 minutes timeout starts from when the user approves access to their data in the Monzo app. It doesn’t start from when the user uses the magic link.

Yeah sorry I was aware of that - was just trying to figure out if there was a nicer way than polling for it. Hoping it doesn’t become too much an issue but will have to see :smile:

Are you able to comment on the rate limiting question I mentioned before, sorry? :pray:

I don’t know the details about how we rate limit API calls made by developer’s app, sorry. Let me try to find it and get back to you later. However, since there’s a limit to the number of users your app can have, I highly doubt you would hit it even if the limit is per client.

2 Likes

This doesn’t happen, the app just starts getting “forbidden.insufficient_permissions” errors.

There is no notification in the Monzo app, no advance warning in the Monzo app and no API to find out when permission is going to expire.

2 Likes

This is great!

Here we go again… the app changed from “N days remaining” to “Verification required” without any notification from Monzo, and the API starts returning errors:

{'code': 'forbidden.insufficient_permissions',
 'message': 'Access forbidden due to insufficient permissions',
 'params': {'client_id': 'oauth2client_*', 'user_id': 'user_*'}}