Downloads using Quicken Connect shouldn't continue to work after the account password is changed

KGMoore
KGMoore Quicken Mac Subscription Member ✭✭

This question applies to Quicken Classic for Mac version 8.3.1 running on MacOS 15.6.1. I set up downloads for a Fidelity Investments account (which has 2FA) using Quicken Connect a few weeks ago. Downloads worked correctly since it was established (but didn’t prompt for a password). Yesterday, I changed the password of that Fidelity account, and downloads continue to work, with no errors or prompts for a new password in Quicken. I have the following three questions:

  1. Why wasn’t I prompted for the new password? Does Quicken Connect use a saved key or token and not the password?
  2. Is there a workaround to force Quicken to stop using whatever it saved and prompt for a new password?
  3. Where does Quicken for Mac save investment account credentials when using Quicken Connect? The Direct Connect method stored them in the login keychain, with one entry per financial institution. I want to be able to delete them, to not have them stored anywhere and force password prompting on every download.

Best Answer

  • Steven
    Steven Member ✭✭✭
    edited September 17 Answer ✓

    I assume you're using one of the connection mechanisms that uses the Fidelity login page rather than having Quicken ask for the user name and password. It might not be obvious but the direct connect way brings up a Quicken dialog to enter the username and password. Using the newer mechanism, it would bring up a browser with a Fidelity web page and you'd enter the username/password there. You'd also get a Fidelity page asking if you wanted to okay the access and then a page that says something like "you've granted access, you will now be directed back to Quicken" and the page should/might go away.

    With those mechanisms, once authentication has been established, Quicken (possibly Intuit) keeps a token that Fidelity issued and uses that for future authentication. In these auth flows, Quicken/Intuit has never seen your Fidelity password.

    Changing your password has no effect on the validity of the token issued by Fidelity. To remove access, go to https://digital.fidelity.com/ftgw/digital/dae/fidelityAccess and use the manage access feature.

    From an information security perspective, this token-based auth is far, far better than storing copies of passwords.
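
A minimal model of the token flow described in the answer above, added here as an illustration; it is not Quicken's or Fidelity's code. The class, its method names, the sample user and the `revoke_on_password_change` policy switch are assumptions: with the switch off the model matches the behaviour reported in this thread, and with it on it shows how a provider that ties grants to the password would behave instead.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class AuthorizationServer:
    """Toy model of an institution that issues delegated-access tokens."""
    revoke_on_password_change: bool = False        # assumed policy knob
    passwords: dict = field(default_factory=dict)  # user -> password (toy only)
    grants: dict = field(default_factory=dict)     # token -> (user, app)

    def authorize(self, user, password, app):
        """User logs in on the institution's own page and approves the app."""
        if not secrets.compare_digest(self.passwords.get(user, ""), password):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)
        self.grants[token] = (user, app)
        return token  # the app stores this; it never sees the password

    def change_password(self, user, new_password):
        self.passwords[user] = new_password
        if self.revoke_on_password_change:
            self.revoke(user)

    def revoke(self, user, app=None):
        """The 'manage access' action: drop a user's grants (optionally one app)."""
        doomed = [t for t, (u, a) in self.grants.items() if u == user and app in (None, a)]
        for t in doomed:
            del self.grants[t]
        return len(doomed)

    def download(self, token):
        """API call made by the app; only the token is checked."""
        if token not in self.grants:
            raise PermissionError("token revoked or unknown")
        user, app = self.grants[token]
        return f"transactions for {user} via {app}"

def token_survives(server, action):
    """Return True if a token issued before `action` still works afterwards."""
    server.passwords["alice"] = "old-pw"  # constructed sample account
    token = server.authorize("alice", "old-pw", "finance-app")
    action(server)
    try:
        server.download(token)
    except PermissionError:
        return False
    return True
```
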

Answers

  • KGMoore
    KGMoore Quicken Mac Subscription Member ✭✭

    Steven, thank you for this answer! Before I wrote this, I tried getting these questions answered by both Quicken and Fidelity customer support. Neither could provide an answer. Fidelity’s answer was based on the prior Direct Connect process.

    After searching, I found Fidelity has written some basic information about their security system: https://www.fidelity.com/security/fidelity-access-data-security and https://www.fidelity.com/security/third-party-app-protection. I also found the current UI path to that page link you provided. It’s in: Accounts & Trade -> Security Settings -> External Data Sharing -> Fidelity Access.

This discussion has been closed.