IIRC, OpenBanking in the UK requires a re-auth every 90 days with the 2FA. I think that's a very reasonable balance, and means services don't have perpetual access.
Oh, I'd be ecstatic if that's how it worked. Instead, I have to go through 2FA every time I want to update with some providers. Others say "Apologies, we're working with the provider to restore support" and have stopped working for years. Others I can transfer money but can no longer see the balance.
On rare occasion I see banks that have a revocable token. I can't remember the exact linking process, but presumably they don't get my credentials, I can specify read-only access and specify specific accounts, it needs periodic renewal, and from the bank end I can see who I gave permission to and revoke access from there. This doesn't seem common and I'm not sure if all the clients support those banks (or if it's a limited "in-group").
None of this is especially novel. It's just the incentives and efforts aren't there.
It's frankly annoying. I wish they enforced a notification by some means instead (X still has access unless you do Y), at least for services that only need read-only access.