On Sat, Oct 8, 2022 at 10:27 PM Jack via KMyMoney-devel <kmymoney-devel@kde.org> wrote:
> While direct connect using ONLY name/password may not be considered
> safe, I can think of ways to still use Direct Connect with 2FA. For
> example, any attempt to make such a connection triggers a text to a
> mobile phone, where you can reply "Y" within some limited time to
> authorize the connection. A variant is something that Heroku uses
> (owned by Salesforce, it's a hosting site for web apps) which is a custom
> phone app. When you try to log in to their site, the app pops up and
> you click OK or not, to allow or block the login from a browser.

That's exactly how these "Open" APIs work. That's not the problem, actually; we could totally use those APIs instead of Direct Connect. The problem is the added requirement of being a pre-authorized entity via on-purpose-issued certificates, as opposed to regular TLS encryption. I created an account with https://developer.chase.com and am about to send a message, asking if they could look into our case. The FinTS precedent could help.

> Absolutely no reason to totally scrap something that has worked well
> for years

That's a bit of a one-sided view. Banks have to fight fraud, so a simple user/pass login had to go. Even if it may never have affected you, it definitely has affected others, and banks usually bear financial responsibility for that. So it's understandable that they strengthen their security.

> give various commercial entities near full access to your
> financial information. I largely trust my bank to do a good job
> protecting my data, but I'm not at all so comfortable with Intuit or
> Yodlee (whom I had never heard of until this discussion.)

Well, no one is forcing anyone to do that. Yodlee/Saltedge are just integrators; the commercial software uses them out of convenience, as this relieves them from having to deal with all the banks individually — both in terms of integrating with their often unique/quirky APIs and getting their authorizations.

Yes, they put their users at a disadvantage by doing so, but it's their problem — which they obviously also rather conveniently don't mention (vide Banktivity).

> I wonder if FSF and/or EFF might take any interest in the direction
> this is going.

I'll respond to that in the other e-mail you sent in that regard.

--
Best Regards,
Dawid Wrobel