[chrisseaton]

Why isn't it done through a proper API that you grant them a token for?

And how do Plaid bypass your bank's per-login 2FA if they're logging in as is they were a user?

[pbreit]

Because not many banks have such an API.

Plaid just relays the 2FA question.

I think websites would have a tough time preventing users from sharing username/password. It would certainly be acceptable in a power of attorney situation.

[jjeaff]

Not only do they relay the login and 2fa information, they even show the login as a window with company colors and branding as if you were logging in to your bank directly.