We asked the biggest financial providers how they secure your mobile banking accounts
With so many of us using mobile banking, criminals have become increasingly focused on stealing our phones to access our cash.
But what do banks and other financial firms have in place to stop unscrupulous thieves getting into our banking apps?
What is the minimum security you should expect?
Durgan Cooper, from cybersecurity firm Juberi, says at the very least your banking app should have biometric logins, like fingerprint or facial recognition. Two-factor authentication (2FA) is another key feature, adding an extra step like a text code along with your password.
He says: “For extra peace of mind, look for apps with features like PINsentry devices or app-specific passwords. And don’t forget to keep your apps updated – they often include important security fixes – and use unique passwords for each app and website. This way, if one password gets hacked, your other accounts stay safe.”
What mobile security does my bank offer?
Barclays
Your online banking and app are protected by a secure login. This could be a passcode, password, PIN or biometrics, such as a fingerprint or face recognition, if your phone allows it.
Barclays also has a PINsentry card reader or mobile PINsentry in the banking app. Both generate an eight-digit code that you need to enter before an online banking transaction can go through.
Chase
Chase customers can log in to their app using a passcode or fingerprint. You’ll also need to use these to access different features in the app, such as seeing your PIN. You’ll be automatically logged out of the app after two minutes of inactivity, or you can log out manually.
The Chase app is also bound to your device, which means that someone wouldn’t be able to steal your login details and log in via their own mobile device.
Co-operative Bank
Once customers have registered for its digital process and passed security protocols, you can create a username, password and six-digit security code. These are then used to register for the bank’s mobile app.
Customers can authenticate their device using a one-time passcode sent by Co-operative Bank, and once you’re registered you’ll log in to the app using biometrics or your six-digit passcode.
First Direct
To log in to their mobile banking, First Direct customers need to use two-factor authentication. This requires you to prove your identity in two different ways, such as a password and a fingerprint or additional code that could be texted to you.
This is also needed for secondary authentications, such as inputting One Time Passcodes, to set up a new payee.
Once logged in, the application times out after a few minutes to further prevent abuse.
HSBC
Customers can use biometrics on the phone to authenticate themselves on their banking app. You can also use them for other financial actions such as adding beneficiaries and making transfers. After you’ve logged in, the app will time out if left inactive, and you’ll have to log in again.
Lloyds/Halifax/Bank of Scotland
Lloyds Banking Group, which includes Lloyds, Halifax and Bank of Scotland, says it uses ‘multi-factor authentication’ to protect access to the app, even if the device is stolen and unlocked. However, it would not give any further details.
Metro Bank
When you download the Metro Bank app for the first time you’ll be prompted to register and authenticate your details. This will link your device to your account.
You’ll also be asked to create a passcode to log in to the app. Once you’ve logged in with this, you can then set up a biometric login so you can access your account with your fingerprint.
Monzo
Every sensitive action on the Monzo app, from bank transfers to updating your address, requires biometric authentication or a PIN.
You can also choose a ‘known location’, like home or work, where you have to be to make a bank transfer or savings withdrawal over your decided limit. If you’re not there, you won’t be able to do it.
In addition, customers receive a personalised QR code that’s printed or stored on a different device, which you’ll need to scan into the Monzo app to approve a payment or to withdraw your savings over your chosen limit.
Nationwide
Nationwide’s app uses face ID, touch ID, passcodes, and device fingerprinting. The highest risk transactions are protected by facial biometric or card reader security, both of which connect the user of the device with the owner of the account. These features are all set up and part of the process when you download the app.
NatWest/Royal Bank of Scotland/Ulster Bank
The mobile app is protected by a six (or more) digit passcode or a biometric feature, like your fingerprint or face. The app times out after two minutes of inactivity and then you need to log in again. Any payments above £750 require further authentication.
Revolut
Your account can only be accessed using a six-digit passcode and biometric authentication, set up at the time your account is created. You need to activate the biometrics; it’s not automatic.
Revolut’s Wealth Protection feature verifies customer identity with a selfie, rather than the biometrics built into your mobile, which it says can be vulnerable if a fraudster gains access and changes the registered fingerprint or Face ID to their own.
Santander
Santander customers can set up biometrics, either your fingerprint or facial recognition, to protect their banking app. Alternatively, you can use a security number.
Once you’ve logged into the app you’ll also be asked for your biometrics or security number to access other information, like your card details.
Starling Bank
Customers must set up an app PIN and password when they first get a Starling account and you can also set up a biometric login.
The PIN is only valid for the device you set it up on and you must also go through a number of security checks to make the device ‘trusted’. This includes setting up a password and recording a video of yourself on your phone which matches your ID documents.
Trading 212
Your app is kept secure using a passcode, fingerprint or face ID, as well as two-factor authentication.
The passcode is standard while the other will have to be set up manually by you.
TSB
TSB uses biometrics, memorable information and passwords to protect customer accounts. These are set up at registration and you can update your preferences within your mobile app and online banking.
In addition, it implements two-factor authentication.
Virgin Money
Customers access Virgin Money’s app with a PIN code or biometrics, which is optional. Virgin Money advises customers to use a different PIN for the app from the one they use to access their phone.
Wise
Wise uses two-factor authentication to protect accounts and transactions. Every new login or money transfer requires either a text message verification or biometric recognition depending on what you’ve set up in your account.
The new release of Apple’s iOS 18 includes the ability to add facial recognition to all apps even if they don’t support biometrics.
As a further level of protection you can choose to hide the app in a hidden folder so it doesn’t appear in searches etc. This folder requires biometric recognition to open.
Both features are a massive help in securing your iPhone.
My concern isn’t so much with the banking apps – I have them all protected by biometrics. It’s more the other apps on my phone that don’t offer such protection and allow a thief stealing your phone when unlocked to access lots of personal information e.g. Google. Name, birthdate, email address, phone number and (partial) payments details are all accessible. Why every app doesn’t offer biometric log in is beyond me. Let’s face it, nobody is going to log in on a phone with a long and complex password every time they access Google.
If you are using Android then Smartlock can automatically lock your phone immediately when it leaves you in person. Also, you can biometric lock any app by using the built-in App Lock. These options have been there in Android for at least 4-5 years.
Apple may or may not have something similar.
If the thief shoulder surfs your mobile then steals your mobile and wallet containing bank card and driving licence, then yes, the thief has a good chance of stealing your money. Would probably need a shoulder surf followed by a mugging.
This topic was raised before. I experimented with my Halifax and Nationwide apps. My conclusion was that, at a minimum, the thief would need:
1) PIN to open mobile
2) PIN or password to open banking app
3) If thief doesn’t have pin or password for banking app, s/he will need:
a) account number from bank card or elsewhere
b) date of birth from driving licence or elsewhere
The thief might still have difficulty transferring money to a new account, for example Nationwide might require the card reader.