Capital One Requires 2FA to refresh

It seems as though I am required to use 2FA for my Capital One Card every time I want to refresh the data? Is this the case for everyone else? The process to connect works great. but then during the next refresh, even just a few minutes later will require authentication again. I’ve checked on the Capital one website and Tiller doesn’t show up as a Linked app. and there doesn’t appear to be a way to set up a third-party user.

1 Like

This is how Capital One and Tiller work for me. Every refresh requires 2FA. Text. Very much a PIA. (But, not as bad as my brother’s bank - his requires a literal phone call so he’s abandoned Tiller.)

@fmykey , Same process for me. I am moving all my transactions to another card as a result. Problem solved. Blake

I have the same problem. I use Tiller for ~20 financial accounts and the CapitalOne account is the only one that behaves like this, super annoying.

@heather I know I asked something similar a few months back via support channel. Can you guys talk with yodlee and get a timeline of when they intend to support captial one’s new API? At some point, maybe a year or more ago, they turned on a more official API and then made this non-official API a lot flakier and harder to use. The purpose being to stop using our credentials and start using login codes that let companies like yodlee/tiller access our records but can’t do stuff with our money. I know it took a little bit for Mint to get it implemented but that was done a long time ago now. I get coding takes time but at least give us an idea of where it is on the priority list.

1 Like

:100: this. My Intuit accounts connect just fine with Capital One as well as with my local bank Sunrise Banks but yodlee/tiller bails everyday. I love Tiller but I had to manually enter a bunch of missing data last fall and then reconcile all my accounts for 2019 because of it. This tends to skew my previous love of Tiller toward being way less helpful and more work for me. Not a good direction.

2 Likes

Having the same issue with Capital One and would love to know when this will be updated / fixed. Not a deal breaker, but adds 5-10 minutes of super annoying with every weekly budget review.

1 Like

@hfinkelstein,

Thanks for your feedback. The issue is not with our side, it’s a requirement between our data provider and Capital One so I don’t know that there will ever be an update or fix.

In the future we hope to offer the option to input the 2FA code directly in the Tiller Console for accounts that require it, but that’s likely a few months out. That should speed things up a bit, but the 2FA requirement isn’t going away anytime soon.

The next phase will be when banks and data provider move to using an OAUTH based approach to authenticating. It’s likely a year or more out from an industry perspective for major players like Capital One, Chase, etc.

1 Like

Thanks for the heads up Heather.

If that’s the case, why do providers like Intuit (Mint + Quickbooks) not have the same syncing issue? It seems like their integration doesn’t cause the same challenges.

Is this something that can be asked of your data provider?

Intuit is a data provider and has different agreements with the banks and the way the connection and feed is handled than our data provider, Yodlee.

You can read more about the progression of 2FA as a requirement and where it’s going here:

1 Like

According to the script that Capital One phone agents are reading from, “TillerHQ, Tiller Money, Yodlee are not 3rd parties that they connect with.”

Me to Tier 1 Agent: Why aren’t they on the list?
The Capital One Script v1: If they aren’t on the list they don’t currently meet the security standards for Capital One.
Me: So what are the security standards they need to meet?
The Capital One Script v1: Uhhhhh, that’s not listed. They would know what that is…the data partners know what that is.

Me to Tier 2 (Supervisor): Why aren’t they on the list?
The Capital One Script v2: Oh, because they haven’t agreed to our security standards. They need to agree to them and then we will list them as a 3rd party app.
Me: What are those security standards and how do they agree to them?
The Capital One Script v2: Uhhh, let me look. I don’t really see that anywhere.

I left things by escalating and asking higher powers-that-be to investigate and get back to me sometime in the next 2 weeks or so.

I really enjoyed Peter’s Great Blog post about what’s next for financial account authentication and security. It does a good job of clearly outlining the current situation in general.

So @TillerTeam, What specifically should Tiller customers be asking for from CapitalOne at this time to minimize the amount of time that we’re giving our credentials AND 2FA information to someone other than our Bank?

  • Is it for TillerMoney/TillerHQ/Yodlee to be whitelisted?
  • Is it to bring back the ING Direct Access Code Feature (a separate login that a customer can create on demand that provides read-only access)?
  • Is it to ask when they will be providing OAuth?
  • Something else?
1 Like

Hi @Scott.t,

Thanks for digging in with them on this and being persistent enough to go through their escalation :wink:

The next step is Oauth, but it is in the works on Yodlee’s side and then when the technology is available we hope to be on the forefront of implementing it. The timeline is still unknown at this point though so I now that’s not much help.

Basically, there isn’t much that you need to ask Capital One to do, it’s more just on Yodlee and us to catch up to the technology they’ve made available.

Heather

3 Likes