A Look at the Current State of Bank Account Authentication Login Security

The core of our work at Tiller Money is securely getting your data from your bank into your spreadsheet. Effortlessly.

Both our service and the industry are evolving here, and some significant improvements are on the way. 

As Tiller Money’s founder, I wanted to share an update.

Epoch 1: the early period of bank aggregation (up through 2018)

An industry of data partners (also known as aggregators) was created to help companies like Tiller Money securely access read-only data from customer accounts. The first customers of these data partners were actually the banks themselves. If you log into an account with most major US banks, you’ll find they have a feature that allows you to view balances and transactions from accounts held at other institutions. To do this, they (like us) use data partners. 

There are many data partners, but the partner of choice for banks is Yodlee. For example, when I login to Bank of America, I can use Yodlee to provide read-only access to my Wells Fargo account data from my Bank of America dashboard. 

At Tiller Money, we tested many data partners when we first launched our service, and we continue to regularly test out the options. We chose Yodlee as our data partner because their performance is best across most banks. We also value that Yodlee is the partner of choice for most large banks. 

Prior to 2018, banks typically only required usernames and passwords. When we started Tiller Money, we were surprised that banks were not early adopters of newer authentication methods. To their credit, banks have advanced behind-the-scenes tools that help them flag and stop suspicious activity.

Epoch 2 (today): the widespread adoption of two-factor authentication (2019)

Starting in 2019, more banks began requiring two-factor authentication (2FA) from all customers to access accounts online. No longer would a username and password be enough. This second factor means that most banks want to confirm your identity through another means. That often includes sending you a one-time code to your phone or asking you an additional question to confirm it’s you. 

This change is a big win for security. Everyone’s bank accounts are safer if it’s harder for unauthorized people to access them. Here at Tiller Money, we are big fans of 2FA.

At the same time, 2FA security adds an extra step for services like Tiller Money and our data partner to access your financial information. Some banks whitelist Tiller Money and our data partner, knowing that we are a trusted entity with read-only access to bank data (we can’t move any funds). In these scenarios, Tiller Money doesn’t need to ask you for a 2FA code again after it’s setup. 

Some banks haven’t yet whitelisted services like Tiller Money and our data partner, which means every time you want to update your spreadsheet you need to enter the 2FA information so Tiller Money can proceed. For these banks, our service no longer feels automatic because we need your help with a two-factor code every few days to update your spreadsheet.

Epoch 3: the move to new bank interfaces (late 2020 and 2021)

A new sea change is underway in the industry with additional performance and security. In late 2020 and through 2021 banks are moving to secure new interfaces (often referred to as APIs) designed specifically for data partners and services like Tiller Money. This has two major benefits, and it too is a huge win for customers.

First, these interfaces will provide the most reliable access to your financial data. It’s effectively like a service entrance into the bank: not designed for customers, but much more efficient for services like Tiller Money that want to securely access data on your behalf. Tiller Money will have more timely and accurate access to the information you share with us.

Second, these interfaces will use a form of authentication called OAuth. You will no longer need to share your username and password. Instead, you will log in to your bank and from there authorize access to Tiller Money and our data partner. You can revoke that access anytime from your bank. Your passwords are never shared. And Tiller Money will no longer need to prompt you for a 2FA code every day. 

These new interfaces are the most secure and reliable way for banks to grant read-only access to Tiller Money while putting customers in control. It represents huge progress for customers and the industry. At Tiller Money, the magic in automatic feeds into your spreadsheet will return for more banks. 

The large national banks will be the first to roll out these new interfaces. We plan to be an early partner testing and deploying these to our customers. Stay tuned.

Detailed Account Summaries in the Tiller Money Console

While the industry retools, we are continuing to improve Tiller Money and the experience today for customers today with two-factor codes. One step we’ve launched is a new Account Summary in the Tiller Money Console.

With this new Account Summary we’ll clean up your account list and speed 2FA prompts. You can now quickly see which accounts are related to which institution. Rather than a single manual “refresh” button we’re allowing you to specify which institution you want to manually refresh. We’ve found it provides a better experience for banks that require regular 2FA responses. We have additional improvements we’ll be rolling out this year too.

The industry is changing rapidly and for the better

The industry has moved from just passwords to passwords plus 2FA, and soon to entirely new interfaces for services like Tiller Money. Each step is an improvement in security for customers. The final step to new interfaces will also mean more reliable and timely data fed effortlessly into your spreadsheet. Thanks for being a part of this journey with us!