I have some issues with the wording in this article (I work at Plaid and I don't think everything it says about us is accurate) but the report is a good thing. Right now we really are dependent on screen scraping at many banks and we'd much rather use API-based connections to power our services, but so many banks just don't provide APIs. I'm optimistic for an open banking future in Canada and who knows, maybe even the US some day...
not only screen scraping. Plaid also gets around 2FA by asking to forward the bank sms code to them. It happened when i tried using Expensify recently.
That is unacceptable and goes against everything I know.
By "forward" you mean that we ask people to submit a 2FA code during login? YMMV, but I would characterize that as "supporting users who have 2FA enabled" rather than "getting around 2FA". Like I said, I'm looking forward to a world where we don't have to ask for credentials at all, but in the current world, we either support 2FA or we don't, and if we didn't, many people would probably turn off 2FA altogether. At a number of institutions, we actually add a layer of 2FA protection and require a SMS-based code if the institution doesn't prompt the user with its own 2FA.
