Hi Lee-am, let me elaborate on the ‘deliberate’ or by design feedback from our customer service team.
When you use a passcode or your Touch ID to access your phone, you have already verified who you are against the data stored in the secure hardware on your phone, so we don’t need to ask you for a passcode every time you want to check your balance or view transactions. That’s why, when you create your Starling account, if you have Phone Unlock settings on, you don’t have to set an app passcode or use Touch ID for the app as well.
Of course, we recognise that for a lot of our customers, feeling secure runs deeper than cyber security - privacy and control are also important factors. So, we provide the option to enable an extra layer of security using Touch ID or an app passcode at the app level for customers who weigh privacy above convenience. You can either choose to do this when you create your account or in the Account Management section of the app by choosing Login & Security. By turning on these settings, you’ll be asked for Touch ID or your passcode every time you launch the app.
So, why when you have unlocked your phone and when you have Touch ID turned off in the app, are you being asked to re-authenticate? When you background the Starling app and re-foreground it, if your session has timed out, we’ll ask you to re-authenticate with your device security. This is to re-check it’s you - just in case you’ve left your phone unlocked and unattended anywhere. That is why you’re being asked for Touch ID when you might not be expecting it.
Your feedback is shared by other Starling customers though, and whilst we wanted to achieve a model that allowed our customers maximum convenience while still secure because we have the added device security check, we acknowledge it might feel inconsistent. So, we are currently working on simplifying the model - and will update you when changes are released.
In the meantime, I’d love to get a gauge from you and other community members of whether you lean towards always wanting Touch ID to access the app, or if (like me) you’d foster convenience over privacy?