To protect your money, when you make a payment from the Monzo app we require that you authenticate yourself. By default we ask you for your Monzo PIN. If you enable biometrics for authentication (Face ID or Touch ID on Apple devices) then you can also authorise payments and other sensitive actions with your fingerprint or face.
There is no need to provide authentication each time you open the app because all payments are protected using your PIN or biometrics. However, if you also want to stop someone being able to easily view your Monzo app if they have your phone, you can enable "App Lock" within Privacy & Security.
When you enable "Authenticate with biometrics" (Face ID or Touch ID on Apple devices), the app is issued a secure token by our servers which it can use instead of a PIN to authorise payments and other sensitive actions. This secure token is placed encrypted in your device's secure, hardware-backed store (known as the Secure Enclave on Apple devices). The Monzo app is unable to decrypt the secure token unless you authenticate with your fingerprint or face, and no other apps can access this token. The app then uses this secure token to authenticate with the Monzo servers.
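As an added illustration (example code, not Monzo's own), this is how an iOS app can keep a server-issued token in the Keychain so that it is only released after a Face ID or Touch ID match and is never readable by other apps; the service name and the calling code are assumptions.

```swift
import Foundation
import Security
import LocalAuthentication

// Hypothetical store for a biometric session token (not Monzo's implementation).
enum BiometricTokenStore {
    // Assumed identifier; any app-specific service string works.
    static let service = "com.example.bank.biometric-token"

    private static var baseQuery: [String: Any] {
        [kSecClass as String: kSecClassGenericPassword,
         kSecAttrService as String: service]
    }

    // Save the token the server issued. The item is usable only when the
    // device has a passcode, only after the *currently enrolled* biometrics
    // match, and never leaves this device (no iCloud Keychain sync, no
    // restore onto another phone). Enrolling a new face/finger invalidates
    // the item, so the app must fall back to the PIN and fetch a new token.
    static func store(token: Data) -> OSStatus {
        var error: Unmanaged<CFError>?
        guard let access = SecAccessControlCreateWithFlags(
            kCFAllocatorDefault,
            kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
            .biometryCurrentSet,
            &error) else { return errSecParam }

        SecItemDelete(baseQuery as CFDictionary) // replace any earlier token
        var addQuery = baseQuery
        addQuery[kSecAttrAccessControl as String] = access
        addQuery[kSecValueData as String] = token
        return SecItemAdd(addQuery as CFDictionary, nil)
    }

    // Read the token back. The Keychain prompts for Face ID / Touch ID and
    // only decrypts the item on success; a cancelled or failed prompt
    // returns nil and the caller should ask for the PIN instead.
    static func loadToken(reason: String) -> Data? {
        let context = LAContext()
        context.localizedReason = reason
        var query = baseQuery
        query[kSecReturnData as String] = true
        query[kSecUseAuthenticationContext as String] = context
        var result: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &result)
        guard status == errSecSuccess else { return nil }
        return result as? Data
    }
}
```

The token itself should still be short-lived and revocable server-side, so that losing the device does not leave a permanently valid credential behind.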
With App Lock, the app will ask for authentication every time it is launched. This is a privacy feature only: the Monzo data on your device is protected by the operating system's underlying file encryption rather than by your device's hardware-backed store, so that the Monzo app can still update your feed in the background (for example when you receive a push notification). Making payments still requires your PIN or biometrics, so if an attacker were to bypass this privacy feature they would not be able to move money.
We’d love to answer any questions you have about this! Feel free to get in touch at any time.