Posted on Leave a comment

Please allow your APIs to bypass 2 factor authentication – Mint and Paypal, I’m talking to you!

I use and love Mint.com. I use and love my Paypal security key. However, I cannot use the two together. Either I use mint.com without my paypal details (undesirable) or I lower the security on my Paypal account by deactivating my security key (undesirable).

Two-factor authentication (TFA, T-FA or 2FA) is an approach to authentication which requires the presentation of two different kinds of evidence that someone is who they say they are.

[Source, Wikipedia]

What is desirable is the ability for to authorize certain applications to bypass 2 factor authentication in the same way that Google Accounts allows me to bypass their 2 factor authentication for applications that I trust. So, I should be able to go into my Paypal settings and say “trust mint.com without 2 factor authentication” and it would assign a key (guid, long string of characters, whatever) specifically for mint.com that effectively would be mint’s password into my Paypal account.

To make this work, would require cooperation between Mint and Paypal of course. To see this in practice, go to Google Accounts, turn on 2 factor authentication, then set up Gmail on an iPhone, Blackberry or Android. There’s the model.

See also: Google’s Getting started with 2-step verification for a demonstration of application specific passwords.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.