
The Beginning of the End of Sharing Banking Credentials

If you use a money-management app like Intuit’s Mint.com or tax software like TurboTax, you may be familiar with the unfortunate practice of giving them your bank login credentials so that they can “scrape” your financial transactions and present them back to you as budgets, tax filings, graphs, and many other useful tools for keeping your finances in order. Even if you trust the entity you’re sharing with, sharing your credentials is usually a very bad idea, especially for important and sensitive accounts such as financial or health accounts. A username and password grant full control of the account, not just a view of it: whoever holds them, whether the app, its staff, or an attacker who later breaches it, can see sensitive details about your life and can also change that data, making transfers or deleting or altering sensitive records, even inadvertently.

This week, JPMorgan Chase and Intuit announced that they’ve agreed to a different model, one that not only vastly improves the privacy and security of relationships between banks and third-party financial tools, but also improves how these kinds of apps work.  This new process will eliminate cumbersome user interfaces for detailed account access information and will put more choice and control into the hands of consumers.


What exactly are they doing? Using open standards, they have designed a way to give third parties the data they need without ever sharing the bank customer’s username and password. For the techies out there: the bank exposes a read-only API based on the Open Financial Exchange 2.2 (OFX 2.2) standard, and gates access to it with OAuth 2.0 access tokens instead of the customer’s password. In layman’s terms, that means third parties will only be able to read user-account data; they will not be able to write to or change anything in users’ accounts. Also, each third party gets its own “token” that lets it read data from a user’s account. Users can set those tokens to expire, revoke them, or modify them from a dashboard on the bank’s website. Notably, unlike changing a username/password combination, revoking one app’s token won’t disrupt other linked services, and it doesn’t require the user to change their password. (If you have ever logged in to another website with your Twitter, Facebook, or Google account, you have already used tokenized authentication of this kind.)

In addition to being more secure, this model improves the usability of the security surrounding banks and third-party financial applications. At the most basic level, it will make adding an account to a third-party financial application much easier and more intuitive. It will also fix a lingering problem in the third-party financial application ecosystem: banks are steadily moving away from simple usernames and passwords. Increasingly, they encourage or even require two-step login, where in addition to a username and password, users must enter a numerical code generated by their phone or sent to it by text message. Third-party financial services often break when they encounter two-step login, because they cannot present the bank’s login interface. Users are left entering the right code at the right time, and may have to do that every single time they want to refresh data from that particular account. At CDT, we’ve been concerned that this friction might push users to turn off an important security feature like two-step login. With a tokenized model, the user is directed through whatever login flow the bank requires, two-factor or not, exactly once; after that, the access token is used for subsequent refreshes of finance data without the user re-entering a password or code.
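To make the two paragraphs above concrete, here is an added example written for this page; it is not code from JPMorgan Chase, Intuit, or the OFX specification. It sketches the bank side of the model in Python: a token issuer that hands each third-party app its own read-only token after one login, an account API that refuses writes from such tokens, and a dashboard-style revoke that cuts off one app while the others keep working. The class names (BankAuthServer, AccountApi), the scope strings, the in-memory token table, and the sample transactions are all assumptions made for this example.

```python
import hashlib
import secrets
import time

# Constructed stand-in for the bank side of the tokenized model. BankAuthServer,
# AccountApi, the scope strings and the sample ledger are assumptions for this example.

READ_SCOPE = "accounts:read"
WRITE_SCOPE = "accounts:write"

class BankAuthServer:
    """Issues one OAuth-style bearer token per (customer, third-party app)."""

    def __init__(self):
        # Store only a SHA-256 digest of each token so a copy of this table cannot be replayed.
        self._tokens = {}

    def issue_token(self, user, client_id, scope=READ_SCOPE, ttl=3600):
        # Called once, after the customer finished whatever login flow the bank requires
        # (password, SMS code, app prompt) and consented. The app never sees the password.
        token = secrets.token_urlsafe(32)
        self._tokens[self._digest(token)] = {"user": user, "client_id": client_id,
                                             "scope": scope,
                                             "expires_at": time.time() + ttl}
        return token

    def introspect(self, token):
        rec = self._tokens.get(self._digest(token))
        if rec is None or rec["expires_at"] <= time.time():
            return None
        return rec

    def revoke(self, user, client_id):
        """Dashboard action: drop only this app's token; others and the password are untouched."""
        for digest, rec in list(self._tokens.items()):
            if rec["user"] == user and rec["client_id"] == client_id:
                del self._tokens[digest]

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

class AccountApi:
    """Read-only transaction endpoint, plus a write endpoint third-party tokens cannot reach."""

    def __init__(self, auth, ledger):
        self._auth = auth
        self._ledger = ledger

    def _authorize(self, token, needed_scope):
        rec = self._auth.introspect(token)
        if rec is None:
            raise PermissionError("invalid, revoked or expired token")
        if needed_scope not in rec["scope"].split():
            raise PermissionError("token lacks scope " + needed_scope)
        return rec

    def get_transactions(self, token):
        rec = self._authorize(token, READ_SCOPE)
        return list(self._ledger[rec["user"]])

    def transfer(self, token, amount):
        rec = self._authorize(token, WRITE_SCOPE)
        self._ledger[rec["user"]].append({"amount": -amount, "memo": "transfer"})

def denied(call, *args):
    """True if the API refused the call with PermissionError."""
    try:
        call(*args)
        return False
    except PermissionError:
        return True

def demo():
    """Walk through the token lifecycle the post describes and report what happened."""
    ledger = {"alice": [{"amount": -42.10, "memo": "Grocery"},   # constructed sample data
                        {"amount": 2500.00, "memo": "Payroll"}]}
    auth = BankAuthServer()
    api = AccountApi(auth, ledger)
    # Two apps, two distinct read-only tokens, one bank login each.
    budget_token = auth.issue_token("alice", "budget-app")
    tax_token = auth.issue_token("alice", "tax-app")
    out = {"budget_reads": len(api.get_transactions(budget_token))}
    # A read-only token cannot move money, whoever presents it.
    out["write_blocked"] = denied(api.transfer, budget_token, 100)
    # Revoking the budget app from the bank dashboard leaves the tax app working.
    auth.revoke("alice", "budget-app")
    out["budget_denied_after_revoke"] = denied(api.get_transactions, budget_token)
    out["tax_still_works"] = len(api.get_transactions(tax_token)) == 2
    # An expired token is refused without any dashboard action.
    stale = auth.issue_token("alice", "old-app", ttl=0)
    out["expired_rejected"] = auth.introspect(stale) is None
    return out
```

Calling demo() runs the whole lifecycle and returns a dictionary showing the budget app could read but not transfer, lost access once revoked, and that the tax app's token was unaffected. A real deployment adds the OAuth 2.0 redirect-based authorization step and token refresh on top of this, but the properties the post cares about, per-app, read-only, independently revocable credentials that never include the password, live entirely in the scope check and the revoke method.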

There are also important improvements for the privacy of customers. In addition to not broadly sharing passwords, the agreement between JPMorgan Chase and Intuit also binds how Intuit can use the information it collects. Most notably, while Intuit can share the information at the customer’s discretion, it will only gather the information it needs to provide the service and cannot sell that information to third parties. Collecting only the data that is essential to the service, and limiting the sharing of that data, are important principles and respect the user’s privacy.


It has been clear for a while that the practice of sharing passwords needs to change. In a fantastic report, the Center for Financial Services Innovation (CFSI) outlined a number of essential principles for the financial data sharing ecosystem that counsel everyone to move to more available, reliable, secure, and curated data sharing, always under the user’s control. These are a great set of principles and I have been hoping to see some movement in the finance industry on this kind of framework.

We would love to see this model spread like wildfire across the banking and financial app ecosystem. A number of banks and financial entities still break third-party aggregation, and we’d like to see that fixed. (Personally, I get a text message once every few days when a particular financial application tries to access my Vanguard account.) It’s wonderful to see solutions that provide the win-win that this one does: users get more control, security, and a better flow; financial entities get less promiscuous sharing of sensitive credentials with third parties; and third-party finance apps get all of the above.