Mint.com and OAuth

Doesn’t exist. Hah! Anyway, Mint’s pretty cool, but I’ve already filed an issue on their GSFN page.

Sites that have thought about this already:

It seems Mint isn’t interested in it because they’re scared users will get confused about an “OAuth company” in the middle, which is not true if they design the flow correctly. Sure, it could be done haphazardly and just suck, but when users are told “This way we don’t know anything beyond what you tell us, and you can revoke our ‘special password’ at any time from your bank’s site, so if you don’t trust us, you don’t have to panic and change your main password” (in slightly better wording), they will appreciate the security features. In the meantime, like this comment on the Mint blog to show your desires.


1 Comment »

  1. Chris Messina had this to say,

    June 2, 2010 @ 3:14 pm

    …so the problem, as I see it (non-corroborated) is that banks have two things holding them back from adopting a technology like OAuth:

    * motivation. Why should they bother? For them, they already have a bunch of fraud and abuse prevention techniques in place based on current security methods. While they are trying to reuse their sunk costs in existing infrastructure with new features like chip-in-cards, the cost to try to get their partners to move over would not be insignificant, and the chance that it’d save them much money isn’t that great either.
    * ancient infrastructure. The bigger problem that banks would need to get past is their archaic infrastructure that doesn’t support adding APIs or benefitting from more agile or modern development methods.

    That last one is a HUGE barrier to achieving any kind of meaningful change — which is why I’m excited about efforts like BankSimple.
