
2-factor Authentication: Does this prevent Personal Capital from accessing?


  • 2-factor Authentication: Does this prevent Personal Capital from accessing?

    In light of the recent Equifax breach, I decided to turn on 2-factor authentication for all my financial accounts.

    When I did this with Vanguard, I was alerted that turning on 2-factor authentication could make it impossible for Personal Capital to access my account information.

    Does anyone have any experience with this?

  • #2
    In my view, it doesn't matter if two-factor authentication makes it harder for other services to aggregate your data.  Two-factor authentication is extremely important, and I believe it is worth giving up some convenience for the added security.

    Note that the most important thing to secure with two-factor authentication is your email account.  That's because most services will send you an email as part of their password reset process.  If someone gets into your email, that could result in much bigger hassles.  That's why your email security needs to be absolutely solid, with a long, hard-to-guess password and 2-factor authentication.



    • #3
      Perhaps I am overly cautious, but I do not trust the aggregators (like Personal Capital, Mint, etc.) to maintain the security that they claim they do and have not used them for several years. The information that they provide is outweighed, in my mind, by the risk of creating an unnecessary portal to enter my accounts.



      • #4




        Perhaps I am overly cautious, but I do not trust the aggregators (like Personal Capital, Mint, etc.) to maintain the security that they claim they do and have not used them for several years. The information that they provide is outweighed, in my mind, by the risk of creating an unnecessary portal to enter my accounts.


        Agree.  I never used them for exactly this reason.



        • #5
          When you use two step authentication, your Personal Capital will have an issue every time you log in to update the data.  It will give you a red ! point next to the account.  You click it and it will ask for the two step auth ## that Vanguard will send.  So, it requires an extra step.

          Even if Personal Capital gets hacked, their encryption key leaked, the hackers will still need two step auth to get into my account.

          Furthermore, everyone should use two step auth for all your accounts (yes, hackers can intercept texts and re-route them), but you'll probably be safer than 99% of everyone else out there.  You should get yourself a password generator (like LastPass).  I actually have no clue what any of my Gmail, Vanguard, etc. passwords are.  Also, longer passwords are better than shorter ones (and length is the most important aspect that makes it hard to hack).  I have my passwords set to 24 (some websites will limit length).

          Below, HSIMP (https://howsecureismypassword.net/) is brute-force password hacking.  Basically guessing.

          "Passfault Analyzer (http://passfault.com/) uses all sorts of methods for determining how secure your password is. This might include dictionary insertion, dictionary substitution, dictionary misspelling, repeated patterns, keyboard patterns, and more. So the Passfault Analyzer tool will usually calculate a lower time since it takes into account more than brute-force when analyzing your password."

          Notice longer is better, then adding in random characters.

          Type | Password | Time (HSIMP) | Time (PA) | Security Level
          8 character common word | required | 52 seconds | <1 day | Useless
          8 random characters | qkcrmztd | 52 seconds | <1 day | Useless
          8 random chars w/numbers | kqwbv832 | 11 minutes | <1 day | Useless
          8 random chars w/mixed case, symbols, & numbers | J5bZ>9p! | 20 days | <1 day | Risky

          Type | Password | Time (HSIMP) | Time (PA) | Security Level
          Passphrase 1 | i own 2 dogs and 1 cat | 1 sextillion years | 330130 centuries | Secure forever
          Passphrase 2 | I own 2 dogs and 1 cat! | 30 octillion years | 8594846 centuries | Secure forever
          Passphrase 3 | #I own 2 dogs and 1 cat!? | 285 nonillion years | 1220882818 centuries | Secure forever
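
An added example, not part of the post above and not how HSIMP or Passfault actually compute their figures: a small Python sketch of why a brute-force-only estimate rates "required" and "qkcrmztd" identically while a pattern-aware estimate does not, and why the passphrase still comes out ahead. The dictionary size, the sample word set and the scoring model are assumptions made for illustration.

```python
import math
import string

# Assumptions for this sketch (not values used by either tool in the post):
DICTIONARY_SIZE = 10_000   # assumed size of an attacker's word list
KNOWN_WORDS = {"required", "i", "own", "dogs", "and", "cat"}  # constructed sample

def pool_size(text):
    """Character pool a blind brute-force search must cover (ASCII only)."""
    size = 0
    if any(c in string.ascii_lowercase for c in text):
        size += 26
    if any(c in string.ascii_uppercase for c in text):
        size += 26
    if any(c in string.digits for c in text):
        size += 10
    if any(c in string.punctuation or c == " " for c in text):
        size += 33         # 32 ASCII punctuation marks plus space
    return size

def brute_force_bits(password):
    """log2 of the candidate count for a pure brute-force search."""
    if not password:
        return 0.0
    return len(password) * math.log2(pool_size(password))

def pattern_aware_bits(password):
    """Known words cost one dictionary pick; other tokens are brute-forced."""
    bits = 0.0
    for token in password.split():
        if token.lower() in KNOWN_WORDS:
            bits += math.log2(DICTIONARY_SIZE)
        else:
            bits += brute_force_bits(token)
    return bits

def compare(passwords):
    """Return (password, brute-force bits, pattern-aware bits) rows."""
    return [(p, round(brute_force_bits(p), 1), round(pattern_aware_bits(p), 1))
            for p in passwords]

if __name__ == "__main__":
    # Passwords taken from the tables in the post above.
    for row in compare(["required", "qkcrmztd", "kqwbv832", "J5bZ>9p!",
                        "i own 2 dogs and 1 cat"]):
        print("%-24s brute-force %6.1f bits   pattern-aware %6.1f bits" % row)
```

Each extra bit doubles the number of guesses, so the gap between the two columns for a dictionary word is the reason a pattern-aware analyzer reports the lower time.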



          • #6
            I have always wondered why financial institutions don't make a "read-only" limited access dummy login of sorts that consumers can give to these data aggregators and even if hacked/stolen they would only show what's in the account (without access to SSN, full bank acct #s) and allow no action to be taken. Not sure if this is possible or other ramifications entailed, but seems like something that might have promise.
