GoCardless - Do you trust them?

[lagset]

Hi there, I am tinkering around with firefly-iii to host it on my local Synology NAS. So far, I set it up and getting familiar with the concepts. I did a dry run with some CSV export from my main bank and account which worked well.

If this is too offtopic, feel free to delete this discussion.

Now I wanted to give GoCardless a try, since my bank is supported and it would allow for a automated import (via cron), so transactions would flow regularly into firefly which is a level of convenience I am aiming for.

So, I set up my GoCardless (previously Nordigen) account generated the Secret ID and Secret Key for firefly, ran the firefly importer and entered both ID and Key. Then I am redirected to gocardless to authenticate with my bank. And here the trust issue is raised:

GoCardless asks me for my bank id and password - however, therefore it does not redirect me to my bank so I can authenticate directly at my bank (like I know it from Google, etc.) but instead, honestly, shows me a input field for "bank id" and "password" on their webpage with a small text beneath it assuring "we wont mess with you credentials".

I am a little bit "surprised" that this is a valid way to implement PSD2 Authentication for a API provider with the scale and reputation nordigen/gocardless.

For me, I have not yet "had the courage" to type my data into the form and probably won't have it in the future. They are effectively asking for the most valuable (in materialistic sense) piece of information I am owning.

So, I'd like to ask:
Do you trust them? Why so? Or is the authentication process different for each bank? Thanks for your opinion.

[diamant-x]

I guess it's different for each bank.
In my case, I've tried 3 different ones and all of them I get forwarded to a bank-owned website for the login form. Then it sends back the authorization token to gocardless, and then to FiDi.

"So, I set up my GoCardless (previously Nordigen) account generated the Secret ID and Secret Key for firefly, ran the firefly importer and entered both ID and Key. "

I think some step is wrong here. I assume you already did the FF3 token to connect your FF3 instance and the FiDi instance because you already worked with CSVs. Then to use gocardless you need to conduct the whole setup process from within FiDi. No need to generate the keys outside of it. On home page of FiDi, the option in the middle and just go next-next-next through it. At the end, save the config file to retain the generated authentication keys for your bank.

[lagset]

Thanks for your input!
I just checked GoCardless Import using PayPal and you are right, the authentication flow is differntly. I get redirected to Paypal to sign in and allow the connection to GoCardless. So, obviously my bank is not supporting a proper authentication pattern.

About the wrong step you mentioned. I think I wasn't precise. With Secret ID and Secret Key I meant the GoCardless ID and Key which is requested by the importer to connect to GoCardless.

Anyhow, PayPal import worked via GoCardless. However, for now I won't use it for my bank, because of the untrustworthy authentication flow.

[diamant-x]

Ah, I forgot about the nordigen user account id+key, as I've been years using it.
I understand your concerns and I too would be doubtful. I would suggest to reach out to your bank IT area or support (as if you were a developer for a new PSD2 app) and ask them about that. I've been able to get updated information from mine in the past from issues on the data collected with nordigen (missing mandatory PSD2 fields).

On the other hand, if they have enough security levels implemented too as with other banks, one could potentially say that a password should only allow them read access to your bank. Any attempt to purchase, expend or transfer money from it should require a 2FA token from your so, even if your password was misused, its impact should be controlled.

Good luck!