It's about time. When I learned that applications like YNAB (You Need A Budget) use services like Plaid to connect to my bank account, and that these services literally take my username and password and impersonate me to get my banking data, I was a little sketched out. I use YNAB every day, and having it connected to my bank account is incredibly useful, but if something goes wrong and Plaid loses my money somehow, is there any recourse?

Hopefully individuals will be able to use the Open Banking APIs to access their own data directly, but it looks like accreditation will be required, so probably not.

Here's the full text of the report: https://www.canada.ca/en/department-finance/programs/consult...

FWIW I use Schwab for banking and I was able to connect YNAB to Schwab without entering my password. It looks like Schwab supports read-only API access, and Plaid takes advantage of that to avoid needing your credentials.

As an added plus, you can keep 2FA enabled. Schwab does 2FA through an app so it's a touch above SMS-based 2FA (although only a single app is supported, Symantec VIP Access, rather than generic support for apps like Google Authenticator).

I also hate Plaid's model where you provide Plaid your credentials, and I've never entered my credentials into Plaid.

If you trust python-vipaccess[0], you can use it to provision the token to load into your preferred TOTP app. It’s not a supported method but if you (or someone coming across this later) want to use another app it’s an option :) From WilsonHammer on Reddit[1]:

1) Install pip, a Python package manager, using your OS package manager.

2) Install python-vipaccess by executing `pip install --user python-vipaccess`

3) Execute `vipaccess provision -p -t VSMT` - this will print out all the information needed. Note the Symantec ID (it looks like VSMT12345678). It is what goes in the "Credential ID" field when adding a new device on Schwab's website.

4) Save the `otpauth://...` data into data.txt.

4.5) (Optional) Modify the `issuer=Symantec` parameter to read `issuer=Charles%20Schwab`. Also change `VIP%20Access:VSMT123456789` to your Schwab online banking username. These are purely aesthetic changes and will only make a difference in the label that shows up in the Google Auth app.

5) Install qrencode using your OS package manager.

6) Execute `qrencode.exe -o qr.png -s 15 < data.txt` to generate the QR image (qr.png) from your otpauth data file. The -s 15 scales how many pixels wide a QR block is in the image (in this case, 15).

7) Scan the QR image (qr.png) with your Google Auth app.

8) Go to Schwab -> Service -> Security Center -> Manage Two-Step Verification -> Add another Security Token and input the Symantec ID from step 3 (it looks like VSMT12345678) and the current rolling TOTP code from the Google Auth App. (If you use Authy you may have to type it manually)

[0] https://github.com/dlenski/python-vipaccess

[1] https://www.reddit.com/r/personalfinance/comments/hvvuwl/usi...
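
The relabeling from step 4.5 and a check of the rolling code before step 8, as an added example that is not part of the original comment or of python-vipaccess: it rewrites the issuer and account label of an `otpauth://` URI without touching the secret, then computes the TOTP code (RFC 6238) so it can be compared with what the authenticator app shows. The function names `relabel` and `totp`, the account name `alice`, and the sample URI are hypothetical; the secret is the public RFC 6238 test key, and SHA-1, 6 digits and a 30-second period are assumed when the URI does not say otherwise.

```python
import base64, hmac, struct
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode, quote

# Constructed sample shaped like the URI in step 4; the secret is the
# RFC 6238 test key ("12345678901234567890"), not a real credential.
SAMPLE_URI = ("otpauth://totp/VIP%20Access:VSMT12345678"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Symantec")

def _params(uri):
    """Validate the URI shape and return its query parameters as a dict."""
    parts = urlsplit(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    if not params.get("secret"):
        raise ValueError("URI has no secret parameter")
    return params

def relabel(uri, issuer, account):
    """Step 4.5: change only the display label and issuer; keep all other parameters."""
    params = _params(uri)
    params["issuer"] = issuer
    label = "/" + quote(f"{issuer}:{account}", safe=":")
    query = urlencode(params, quote_via=quote)  # spaces become %20, not '+'
    return urlunsplit(("otpauth", "totp", label, query, ""))

def totp(uri, at):
    """Compute the code an authenticator app would show at Unix time `at`."""
    params = _params(uri)
    secret = params["secret"].upper()
    key = base64.b32decode(secret + "=" * (-len(secret) % 8))  # restore padding
    digits = int(params.get("digits", 6))      # assumed default
    period = int(params.get("period", 30))     # assumed default
    algo = params.get("algorithm", "SHA1").lower()
    mac = hmac.new(key, struct.pack(">Q", int(at) // period), algo).digest()
    offset = mac[-1] & 0x0F                    # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

if __name__ == "__main__":
    import time
    new_uri = relabel(SAMPLE_URI, "Charles Schwab", "alice")
    print(new_uri)
    print("current code:", totp(new_uri, time.time()))
```

The URI in data.txt and the QR image in qr.png both contain the TOTP secret, so delete both once the token is enrolled.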