
> identity verification by logging into your bank

Do you mean you expect me to give my banking site/app credentials to X?

PayPal used two small (less than $1) transactions and the verification that I own the bank account was verified by correctly identifying the two transaction values.

Plaid, I believe, uses 3rd party auth with some banking institutions that support it, to pull read-only data from my bank account on my behalf.

South Korea and Estonia use government-issued digital certificates that private institutions can use.

There are lots of ways to deal with high assurance authentication, but very few are popular in the US.






> Do you mean you expect me to give my banking site/app credentials to X?

No no. Over here (Poland), the way this works is that you get a big list of banks, you click on one, get redirected to their site, log in there, complete any 2FA they need you to complete, are given the typical OAuth "this application wants to access this sort of data" consent screen, and then are redirected back if you consent.

This is mostly used for fast online bank transfers, which we often use for online payments instead of credit cards, but there's also a system to use this for ID verification.


Oh. In Single Sign-On / OAuth terminology, the bank’s website is the Identity Provider (IdP).

Banks in the US depend on government-issued ID and information contracted from credit bureaus (3 big companies that are effectively data brokers about consumer lending behavior). We have federated identity, but in a weird, ineffective way.

Every once in a while, someone bold makes a political proposal to make our authentication / identity proof systems simpler, but then people realize the privacy implications (and religious fundamentalists point to the “mark of the beast” part of the Bible) and then the proposal doesn’t go anywhere.


The interesting part about this is that such a system wouldn't necessarily need to come from the government. There are companies that need verification and want to do it cheaply and with little friction, and there are banks and carriers who could make some extra money on it.

There are thousands of banks in the US. Getting them to agree on anything is beyond difficult.

Carriers in the US don't all require ID, so they're not particularly useful for identity verification.


Same system is used in Canada to authenticate individuals who are logging into the government tax portal, or submitting their tax returns electronically through tax preparation software.

Same thing is very common here in Finland.

> Do you mean you expect me to give my banking site/app credentials to X?

In Finland it is common for many online shops to handle payment, and authentication, using a banking account.

You never hand over your actual banking credentials; instead it is something akin to OAuth2 - so you're at a merchant site and you'll see "Pay with Online Bank" with logos to click for whichever bank you have an account with. Exactly the same as "Login with Google/Github/Facebook/etc".

I changed my name last year, and due to other integrated services many companies automatically updated their records when the change became legal. These kinds of integrations seem common and thus far "secure".
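
The redirect flow described in the comments above (pick a bank, log in on the bank's own site, consent, get redirected back), seen from the merchant's side. This is an added example, not code from any commenter or bank; it assumes an OAuth 2.0 authorization code flow with PKCE, and the bank endpoint, `client_id`, redirect URI and scope name are placeholders.

```python
import base64, hashlib, secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed bank list; endpoint, client_id and redirect URI are placeholders.
BANKS = {"bank-a": "https://login.bank-a.example/authorize"}
CLIENT_ID = "merchant-demo"
REDIRECT_URI = "https://shop.example/callback"
_pending = {}  # state -> (bank, PKCE verifier); a server-side session store in practice

def start_login(bank):
    """Build the redirect to the chosen bank; no bank credentials touch the merchant."""
    state = secrets.token_urlsafe(32)     # binds the callback to this login attempt
    verifier = secrets.token_urlsafe(64)  # PKCE secret, stays with the merchant
    challenge = base64.urlsafe_b64encode(
        hashlib.sha256(verifier.encode()).digest()).rstrip(b"=").decode()
    endpoint = BANKS[bank]                # KeyError for a bank that is not on the list
    _pending[state] = (bank, verifier)
    query = urlencode({
        "response_type": "code", "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "identity",              # hypothetical scope name
        "state": state, "code_challenge": challenge,
        "code_challenge_method": "S256"})
    return f"{endpoint}?{query}"

def handle_callback(callback_url):
    """Validate the redirect back; return (bank, code, verifier) for the token request."""
    params = parse_qs(urlparse(callback_url).query)
    if "error" in params:                 # user declined on the consent screen
        raise PermissionError(params["error"][0])
    state = params.get("state", [""])[0]
    entry = _pending.pop(state, None)     # one-time use: a replayed state fails
    if entry is None:
        raise ValueError("unknown or reused state")
    code = params.get("code", [""])[0]
    if not code:
        raise ValueError("missing authorization code")
    return entry[0], code, entry[1]
```

The returned code is useless on its own: the bank's token endpoint only exchanges it when the merchant also presents the matching PKCE verifier, which never left the merchant's server.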


> PayPal used two small (less than $1) transactions and the verification that I own the bank account was verified by correctly identifying the two transaction values.

Based on my experience with (non-PayPal) financial institutions in the past year, this is going away. For now, it appears you can still force them to fall back to this when providing your login credentials does not work, but who knows how much longer.


It was a pretty good trick for validating ownership of a bank account back in 1998, but I’m happy they are moving to something else. There are far better options, and most banks are capable of much higher assurance validation now.


