How can Quicken download bank transactions without me entering userid, password, and two factor code

smzeh

I don't use Quicken's password vault. I have two factor authentication turned on at all my financial institutions. When I do One Step Update, several of the financial institutions don't list the option to enter a password. When I do the update, Quicken downloads transactions and for some of them the download happens without requested a two factor authentication code.
I am concerned with two things: 1. Is Quicken caching userid and passwords somewhere when I'm not requesting this. 2. How is Quicken able to log in without using the two factor authentication code? I am following up with the applicable financial institutions on this one.
In the meantime, I've had to turn off online access from Quicken for all of these accounts where Quicken is not requiring a password entry from One Step Update.

Boatnmaniac

If you have not already done so, I suggest you read up on the types of connections that Quicken uses with Financial Institutions (FI):  Connection Types in Quicken [Support Article].

There are two types of connections used when updating accounts from within Quicken: 

• Direct Connect (DC):  This is the one that stores your login information in the Password Vault within your data file.
• Express Web Connect (EWC):  This one does not use Password Vault.  Instead, when you set up online access for the account the account login information (UserID and PW) are saved on the aggregator's server (Intuit).  The server then contacts the FIs at night and downloads a snapshot of your account information (account balance, transactions, etc.).  That data is then saved on the aggregator's server until you run One Step Update (OSU) when it is downloaded into your Quicken file.

PW Vault is used only by DC.  Since you do not use PW Vault then it tells me that the accounts in question are all set up with EWC.  You might also want to read this Support Article regarding it:  https://www.quicken.com/support/why-dont-i-need-enter-my-bank-password-download-my-bank.

The bottom line is that the only way to remove your accounts logins info from the aggregator's server is to deactivate the EWC accounts.  You will then need to manage those accounts manually....or I suppose you could go through the whole account online setup process with each financial institution, again, whenever you want to download transactions (but that could introduce a number of issues that you would need to spend a lot of time troubleshooting to fix).

Alternatively, if your FIs also support DC, you could set up your accounts with DC.  Then you can select to have your login info saved in PW Vault or, if you choose not to use PW Vault, you will then need to enter your login information each time you want to do OSU....but that is different from setting up online access all over, again.  And for what it's worth:  PW Vault saves your login information in your local data file...not on any external server.

Alternatively, if your FIs also support Web Connect (WC) you can use that.  It requires you to log into your online account and download the transactions in a QFX format file (also sometimes called "Web Connect" or "Quicken").  Then you can import the downloaded file into Quicken.

If your EWC FI supports DC, it will say in the Account List that an "Improved connection is available".  Click on that link and Quicken will attempt to convert your connection method from EWC to DC.  Just follow the prompts and be sure to link the downloads to the current accounts in Quicken if/when given the opportunity.  If that "Improved connection" link is not shown, then your FI does not support DC.

Regarding the 2FA concern: In both connection methods access to the FIs' websites typically is done differently (i.e., different ports) from how you or I would log in.  The FI and the aggregator often have their own contracted requirements for security access that are different than what the account holder might need to follow or have set up.   So even if we have our online account set up to require 2FA it is not uncommon that it is not required when updating from within Quicken.  Conversely, when we don't have 2FA set up with our online accounts, the FI might still require 2FA of us when we run OSU.

Let me know if you have any questions.

Boatnmaniac

If you have not already done so, I suggest you read up on the types of connections that Quicken uses with Financial Institutions (FI):  Connection Types in Quicken [Support Article].

There are two types of connections used when updating accounts from within Quicken: 

• Direct Connect (DC):  This is the one that stores your login information in the Password Vault within your data file.
• Express Web Connect (EWC):  This one does not use Password Vault.  Instead, when you set up online access for the account the account login information (UserID and PW) are saved on the aggregator's server (Intuit).  The server then contacts the FIs at night and downloads a snapshot of your account information (account balance, transactions, etc.).  That data is then saved on the aggregator's server until you run One Step Update (OSU) when it is downloaded into your Quicken file.

PW Vault is used only by DC.  Since you do not use PW Vault then it tells me that the accounts in question are all set up with EWC.  You might also want to read this Support Article regarding it:  https://www.quicken.com/support/why-dont-i-need-enter-my-bank-password-download-my-bank.

The bottom line is that the only way to remove your accounts logins info from the aggregator's server is to deactivate the EWC accounts.  You will then need to manage those accounts manually....or I suppose you could go through the whole account online setup process with each financial institution, again, whenever you want to download transactions (but that could introduce a number of issues that you would need to spend a lot of time troubleshooting to fix).

Alternatively, if your FIs also support DC, you could set up your accounts with DC.  Then you can select to have your login info saved in PW Vault or, if you choose not to use PW Vault, you will then need to enter your login information each time you want to do OSU....but that is different from setting up online access all over, again.  And for what it's worth:  PW Vault saves your login information in your local data file...not on any external server.

Alternatively, if your FIs also support Web Connect (WC) you can use that.  It requires you to log into your online account and download the transactions in a QFX format file (also sometimes called "Web Connect" or "Quicken").  Then you can import the downloaded file into Quicken.

If your EWC FI supports DC, it will say in the Account List that an "Improved connection is available".  Click on that link and Quicken will attempt to convert your connection method from EWC to DC.  Just follow the prompts and be sure to link the downloads to the current accounts in Quicken if/when given the opportunity.  If that "Improved connection" link is not shown, then your FI does not support DC.

Regarding the 2FA concern: In both connection methods access to the FIs' websites typically is done differently (i.e., different ports) from how you or I would log in.  The FI and the aggregator often have their own contracted requirements for security access that are different than what the account holder might need to follow or have set up.   So even if we have our online account set up to require 2FA it is not uncommon that it is not required when updating from within Quicken.  Conversely, when we don't have 2FA set up with our online accounts, the FI might still require 2FA of us when we run OSU.

Let me know if you have any questions.

Boatnmaniac

I should have also mentioned that some FIs have special login and/or authorization requirements for DC.  Some will also charge a monthly fee for DC connection service but many do not....Quicken will never charge for DC connections.  And, as noted above, some FIs simply do not support DC (it does cost them money to be able to provide this service to us). 

If you want to go down this path with DC you should contact your FI to find out about these things.  You can also try asking here and maybe someone familiar with your FI will be able provide you with that information.

smzeh

Thank you. This provided most of the additional information I was looking for. After reading the article you provided a link to, I called Intuit support to see if my passwords would be deleted once I deactivated Online Services from the Express Web Connect accounts. They did not know. Since they did not know, I will be changing the passwords for all of these accounts that I also deactivate. Knowing what I do about the different encryption implementations when financial institutions say "your data is encrypted", I don't trust them unless I know the specific implementation. If the data is stored on servers other than IBM z/OS mainframes storage, there is typically no ability to keep storage administrators from having the ability to decrypt data. Sure, there are policies and procedures in place to watch for unscrupulous access, but the potential is there. I hope that the credentials are stored on z/OS mainframes encryption and security access controls that allow storage admins to have access to encrypted data without the capability to decrypt it.