Second, Plaid will use app passwords if you have 2FA enabled and your bank supports them. This is the correct way to handle that scenario.
Third, Plaid saves me a lot of trouble and I have come to trust them. I am happy to delegate responsibility to them.
Why is it inherently bad to trust a 3rd party?
US Banks not only use SMS for 2FA, many of them REQUIRE it for 2FA.
They also tend to require "security questions" that are usually easily guessed or researched. Again, information that makes it easier, not harder, to get into your account.
Good luck trying to find a bank that uses hardware tokens.
> Why is it inherently bad to trust a 3rd party?
Because doing so substantially increases the attack surface and historically third parties have done a terrible job.
For example: every app that uses SMS 2FA inherently trusts the customer's cell phone company. Companies which have done little to address identity thieves porting out numbers, requesting replacement SIMs, etc.
You don't need to lecture me on how trust delegation works. I mean, you use a bank, right? You trust a 3rd party with your actual cash. Plaid hasn't demonstrated incompetence, have they? In fact it seems quite the opposite. There isn't any legitimate case against using them aside from "I literally don't trust anybody," which is hypocritical if you use a bank in the first place.
Why would I use them?
Anyway, my bone to pick is with the "3rd party instantly bad" mentality. Your bank probably uses 1000 and 1 3rd parties too. Our banking regulations are focused on making sure money depositors aren't taken advantage of and harmed by unhealthy or risky asset management practices. If you don't find Plaid valuable then that's fine, you do you. I do wonder how you can know that without using them though...
Also, have a quick look at the "data we collect" section of their privacy policy and see if you still feel the same way: https://plaid.com/legal/
It's shockingly broad, and 99% of it is stuff that they have no business collecting when all I'm trying to do is buy a car.
Here's what happens:
Tesla says I want to verify that a human is purchasing a car, take a deposit, and get the information needed to pre-approve the customer for the loan required to buy it.
Plaid says, we can do that for you. Plaid has you link your bank account so it can 1) verify your identity, and 2) give Tesla the information needed to debit your account. Then Plaid pulls your account history and asks you to link additional accounts as needed to get the relevant information for the underwriting process.
This allows Tesla to complete this process entirely online without a dealership in about 2 minutes. If you've ever bought a car traditionally, applied for a loan, or even linked bank accounts into a budgeting app, this is an incredible UX win for the user. Shocking, even.