by pfranz 1870 days ago
I actually think the opposite is happening. Yes, a few are adding OAuth flow-equivalent, but even more are adding 2-factor and other security measures that prevent a third party.

Maybe Plaid has enough clout to prevent it, but other services have dropped functionality for more and more accounts over the past 2-3 years in my experience.


IIRC, OpenBanking in the UK requires a re-auth every 90 days with the 2FA. I think that's a very reasonable balance, and means services don't have perpetual access.
Oh, I'd be ecstatic if that's how it worked. Instead, I have to go through 2FA every time I want to update with some providers. Others say "Apologies, we're working with the provider to restore support" and have stopped working for years. Others I can transfer money but can no longer see the balance.

On rare occasion I see banks that have a revocable token. I can't remember the exact linking process, but presumably they don't get my credentials, I can specify read-only access and specify specific accounts, it needs periodic renewal, and from the bank end I can see who I gave permission to and revoke access from there. This doesn't seem common and I'm not sure if all the clients support those banks (or if it's a limited "in-group").

None of this is especially novel. It's just the incentives and efforts aren't there.

It's frankly annoying. I wish they enforced a notification by some means instead (X still has access unless you do Y), at least for services that only need read-only access.
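The consent model the comment above sketches (a bank-issued token that is read-only, limited to named accounts, lapses after the 90-day re-auth window mentioned earlier in the thread, and can be listed and revoked by the account holder) is small enough to show end to end. The following is an added illustration, not code from this thread, from Plaid, or from any bank; the `ConsentStore`, `Grant`, scope names such as `balances:read`, and the client names are all assumptions made for the example, and the sample data is constructed.

```python
"""Added illustration of a bank-side consent store with scoped, account-limited,
expiring, revocable grants. Hypothetical example; every name is an assumption."""
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Iterable

REAUTH_PERIOD = timedelta(days=90)  # the 90-day re-auth cadence mentioned in the thread


@dataclass
class Grant:
    token_hash: str            # only a hash of the bearer token is stored server-side
    client: str                # the third party the user granted access to
    scopes: frozenset[str]     # e.g. {"balances:read"}; no write scope means read-only
    accounts: frozenset[str]   # which of the user's accounts the grant covers
    granted_at: datetime
    expires_at: datetime
    revoked: bool = False


class ConsentStore:
    """Issues, checks, lists and revokes per-client grants for one account holder."""

    def __init__(self, now: Callable[[], datetime] | None = None) -> None:
        self._grants: dict[str, Grant] = {}
        self._now = now or (lambda: datetime.now(timezone.utc))

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, client: str, scopes: Iterable[str], accounts: Iterable[str]) -> str:
        """Create a grant; the bearer token is returned once and never stored in clear."""
        token = secrets.token_urlsafe(32)
        now = self._now()
        self._grants[self._hash(token)] = Grant(
            token_hash=self._hash(token), client=client,
            scopes=frozenset(scopes), accounts=frozenset(accounts),
            granted_at=now, expires_at=now + REAUTH_PERIOD,
        )
        return token

    def authorize(self, token: str, scope: str, account: str) -> bool:
        """True only if the token is known, unrevoked, unexpired, and covers scope+account."""
        grant = self._grants.get(self._hash(token))
        if grant is None or grant.revoked or self._now() >= grant.expires_at:
            return False
        return scope in grant.scopes and account in grant.accounts

    def list_grants(self) -> list[dict]:
        """What the account holder would see on a 'connected apps' page at the bank."""
        now = self._now()
        return [
            {"client": g.client, "scopes": sorted(g.scopes), "accounts": sorted(g.accounts),
             "status": ("revoked" if g.revoked else
                        "expired" if now >= g.expires_at else "active"),
             "renew_by": g.expires_at.isoformat()}
            for g in self._grants.values()
        ]

    def revoke(self, client: str) -> int:
        """Revoke every live grant held by one client; returns how many were affected."""
        count = 0
        for g in self._grants.values():
            if g.client == client and not g.revoked:
                g.revoked = True
                count += 1
        return count


def demo() -> dict:
    """Lifecycle walk-through with a controllable clock (constructed sample data)."""
    clock = [datetime(2024, 1, 1, tzinfo=timezone.utc)]
    store = ConsentStore(now=lambda: clock[0])
    budget = store.issue("budget-app", {"balances:read"}, {"checking"})
    tax = store.issue("tax-tool", {"balances:read"}, {"checking", "savings"})
    result = {
        "read_checking": store.authorize(budget, "balances:read", "checking"),
        "read_savings": store.authorize(budget, "balances:read", "savings"),   # not in grant
        "write_checking": store.authorize(budget, "payments:write", "checking"),  # read-only
    }
    clock[0] += timedelta(days=89)  # still inside the 90-day window
    result["revoked_count"] = store.revoke("budget-app")  # user revokes from the bank side
    result["after_revoke"] = store.authorize(budget, "balances:read", "checking")
    result["other_still_active"] = store.authorize(tax, "balances:read", "savings")
    clock[0] += timedelta(days=1)   # day 90: grant lapses until the user re-consents
    result["other_after_expiry"] = store.authorize(tax, "balances:read", "savings")
    result["grants"] = store.list_grants()
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design choices carry most of the value: the bank stores only a hash of the token, so a leaked grant table does not hand out usable credentials, and `authorize` fails closed on any of unknown token, revocation, expiry, wrong scope or wrong account, which is what lets a read-only, single-account grant stay harmless even if the third party is compromised.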