authentication - Is Plaid, a service which collects user’s banking . . . On Plaid’s website Citi, American Express, and others are listed as investors. It appears that banks aren’t against this bad practice, and are, in some cases, actually encouraging it. This makes me think that I might be missing something. Maybe Plaid has some special access to banking systems and it isn’t as bad as it seems.
I linked an account with Plaid. If I change my username and password . . . Some scenarios I have found online where Plaid might still have access include: token refresh, cached data, and re-authentication, like if you re-auth with Plaid using your new credentials. Again, it really depends upon a number of factors, so it’s quite hard to say.
Is Plaid safe if I change the password after deposit? Plaid technically yes, but they are safe. What's not safe (IMHO) is that there is a possibility that someone will hack into Plaid in the future. For the sake of this question I assume that Plaid itself is safe (even so, they will have my password only for 5 min).
authentication - Can someone steal money from my bank account if they . . . @TimX: yes, but: 1. Even with authorization the payment can be canceled by the account owner without giving any reason within 2 months of the payment, no questions asked (you sign with your bank that it is your duty to check your account statement and that it is considered approved if you do not reject it within so many weeks after they provide it).
Should 2FA be enabled on service accounts? Assume for the moment the service you're authenticating against is 3rd party. That means you'll have to automate 2FA for a service intended for a human but which now needs to be automated.
Where should I store OAuth2 access tokens? If the request to the 3rd party API is through your server, then store the access token in the database tied to the user, encrypted with a key that is stored as an environment variable.