Currently, it's possible to change the "Preferred Authentication" setting (either hand recognition or passphrase) without first authenticating yourself.
Imagine someone knocks me out on the street, takes my finger and unlocks my phone and the bunq app, tries to transfer a large sum of money and is stopped by my passphrase. But... This person knows they can easily change the preferred authentication method without any further checks.
They change the setting from passphrase to hand recognition, scan my hand, et voilà, money transferred/stolen.
Of course many solutions to this issue exist (e.g. mandate PIN entry upon transfer as ING allows in the Netherlands); adding this check to the bunq settings seems like an easy/non-invasive fix.
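
The check requested above, sketched as an added example that is not part of the original post and is not bunq's code: a change to the preferred method is accepted only after a fresh verification with the method that is currently preferred. All names (`Account`, `verify`, `change_preferred`, `STEP_UP_TTL`) and the 60-second window are hypothetical, and the hand template is a constructed string standing in for a biometric match.

```python
import hashlib, hmac, os, time
from dataclasses import dataclass, field

METHODS = {"passphrase", "hand"}
STEP_UP_TTL = 60  # assumed: seconds a fresh verification stays valid

class StepUpRequired(Exception):
    """Raised when the current preferred method was not freshly verified."""

@dataclass
class Account:
    salt: bytes
    passphrase_hash: bytes
    hand_template: str                 # constructed stand-in for a biometric template
    preferred: str = "passphrase"
    verified_at: dict = field(default_factory=dict)  # method -> timestamp

def _kdf(passphrase: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)

def new_account(passphrase: str, hand_template: str) -> Account:
    salt = os.urandom(16)
    return Account(salt, _kdf(passphrase, salt), hand_template)

def verify(account: Account, method: str, credential: str, now=None) -> bool:
    """Check a credential and record when that method was last verified."""
    now = time.time() if now is None else now
    if method == "passphrase":
        ok = hmac.compare_digest(_kdf(credential, account.salt), account.passphrase_hash)
    elif method == "hand":
        ok = hmac.compare_digest(credential.encode(), account.hand_template.encode())
    else:
        ok = False
    if ok:
        account.verified_at[method] = now
    return ok

def change_preferred(account: Account, new_method: str, now=None) -> None:
    """Switch the preferred method only after step-up with the CURRENT one."""
    now = time.time() if now is None else now
    if new_method not in METHODS:
        raise ValueError(f"unknown method: {new_method}")
    current = account.preferred
    last = account.verified_at.get(current)
    # Verifying with the weaker method (e.g. hand) does not satisfy this check
    # while passphrase is preferred, which closes the downgrade path.
    if last is None or now - last > STEP_UP_TTL:
        raise StepUpRequired(current)
    account.preferred = new_method
    account.verified_at.pop(current, None)  # the verification is single-use
```
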