Use App-Specific Passwords to Sync Accounts More Securely

It’s easy to set up app-specific passwords to help you safely share your Betterment data with your other financial providers.


In the days before everyone’s financial accounts were available online—and even still—you might bring a shoebox full of financial statements to an advisor, who would pore over them and manually input your data into a computer system. Any big changes in your financial life would require hauling in a new shoebox full of statements, and a whole new round of manual inputs. If this sounds inefficient, it is. But like many things in our lives, technology now makes this much, much easier and better.

Data aggregation is the general term for the process of streamlining, sharing, and storing financial information among financial institutions and financial applications, as well as the technology that facilitates it. This can be an incredibly powerful tool, allowing you to better organize a financial life that spans multiple accounts at multiple institutions: in addition to your Betterment account, you might have 401(k) accounts at your job, checking and savings accounts at large national banks, as well as student loans and credit card balances.

But sharing data also raises concerns about security, and you may wonder what steps you can take to help protect your financial information while taking advantage of all of the benefits of aggregation. This article encourages you to consider using a technology to help protect your data that is widely available but less widely used than it should be: the application-specific password (or “app-specific password” for short).

Tools that help sync external accounts offer a more holistic view of your finances but can lead to potential security risks.

To help you understand what an app-specific password is, and why we recommend that you use one, it will be helpful to talk briefly about how companies typically use and share financial data within the data aggregation ecosystem. Sharing data between applications raises the competing concerns of 1) making sure that you have the ability to authorize the applications you use to access the information you need while 2) also making sure that your sensitive financial information—for example, the value of your financial accounts, or transaction data about how and where you spend your money—is secure. Betterment takes the security of your information incredibly seriously, both when we receive your data from an aggregator, and when we provide your data to third-party applications.

Generally speaking, companies can be classified into three buckets in the data aggregation ecosystem. First, there are financial institutions, such as banks or brokerages, which are sources of financial account data. Next, there are “third-party applications,” which use financial information to provide other services. And third, there are data aggregators, which are the intermediaries that connect financial institutions with third-party applications.

In different contexts, Betterment is both a consumer and a producer of financial data. On the data consumer side, Betterment gives you the option of syncing your external accounts to your Betterment goals. Betterment also is a source of account data for other third-party applications. For example, you may use tax preparation software and want to export transactional data from your Betterment account to the tax software. Or, you may use budgeting software and want to sync your Betterment account to it.

App-specific passwords offer a middle ground between complete security and complete visibility of your accounts.

App-specific passwords offer a middle ground between the highest levels of security and the maximum ease of data sharing.

An app-specific password is generated by the financial institution that produces data that you, as a financial consumer, might want to share with a data aggregator or a third-party application. For example, you can generate a Betterment app-specific password for Mint, go to Mint, and enter that password, rather than your actual login credentials. Importantly, this means that third parties won’t have the ability to make changes to your account or withdraw money from your account. Since an app-specific password provides read-only access to your data, if a third-party application is subject to a hack or data breach, you can sleep easily knowing that a hacker who obtained your app-specific password would not be able to gain full access to your account as a result of that breach.

App-specific passwords compare favorably with other types of data aggregation technologies. One of these is “screen scraping,” which allows an aggregator or third-party application to log in to a financial account and capture the information that appears on the screen. There are serious downsides to this approach. Every time you share your user credentials, it increases the opportunities for a bad actor to obtain them; a hacker could compromise your account if they breach the data aggregator or third-party application. And, because screen scraping requires sharing credentials that provide complete access to the underlying account, anyone who obtains those credentials has the potential to steal not only your data, but possibly to transfer money out of your account as well.

An alternative is an application-programming interface, or “API.” An API is a protocol or link between two applications that facilitates the exchange of data. There are many different approaches to creating APIs, but they typically allow the customer to exercise control over the data that is shared, including the ability to turn off access to the data whenever the customer wants. APIs have their drawbacks as well. Because they can be technically complex, APIs can be expensive to build. APIs also don’t follow any set technical standard, and unfortunately, many large financial institutions require that data aggregators and third-party applications build to particular technical specifications that apply only to that one institution’s data. The end result is that APIs make sharing data more complex and, as a result, more expensive for you.

Although Betterment is certainly supportive of the data aggregation industry moving toward a shared open architecture framework for APIs (meaning that everybody uses the same technical specifications), we’re not there yet. It will take time, money, and coordination between financial institutions, data aggregators, third-party applications, and regulators to ultimately make that vision a reality.

In the meantime, we highly recommend that you take advantage of app-specific passwords, where available, to help protect the data that you share through aggregation.

When you use Betterment, we make it easy for you to set up app-specific passwords.

Here is a step-by-step guide for setting up an app-specific password to use when sharing your Betterment data. First, go to "Security" within Settings when you log in; scroll down to the section called “App passwords.” This is what you’ll see:

[Screenshot: app-specific password setup prompt]

When you are asked to generate a new app password, Betterment’s interface will generate credentials for you to enter into the third-party application, such as Mint or TurboTax. Once you enter this password, the application will get access to the data it needs in a read-only format, without gaining full access to your Betterment account.

[Screenshot: app-specific password setup screen]

And, just like with an API, you have total control over how long the third-party application has access to your data. To end that access at any time, all you need to do is navigate back to the “App passwords” section under "Security" and click “Revoke,” which will terminate the permission associated with the app-specific password to access your data.
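To make the read-only and revocable properties described above concrete, here is an added illustration of how an institution could model app-specific passwords on its side. It is not Betterment's code and was not part of the original article; the class, action names, and app labels are all hypothetical.

```python
import hashlib
import hmac
import secrets

READ_ACTIONS = {"view_balance", "export_transactions"}  # constructed action names


def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AppPasswordStore:
    """Toy model of an institution's app-password backend (hypothetical)."""

    def __init__(self):
        self._records = {}  # app label -> (salt, derived key); no plaintext stored

    def generate(self, label):
        """Create a random credential for one app; shown to the user once."""
        password, salt = secrets.token_urlsafe(24), secrets.token_bytes(16)
        self._records[label] = (salt, _derive(password, salt))
        return password

    def authorize(self, label, password, action):
        """Allow only read actions, and only while the credential is live."""
        record = self._records.get(label)
        if record is None:  # never issued, or revoked
            return False
        salt, expected = record
        if not hmac.compare_digest(_derive(password, salt), expected):
            return False
        return action in READ_ACTIONS

    def revoke(self, label):
        """Drop one app's credential; other apps are unaffected."""
        return self._records.pop(label, None) is not None


def demo():
    store = AppPasswordStore()
    budget_pw, tax_pw = store.generate("budgeting-app"), store.generate("tax-app")
    results = {
        "read": store.authorize("budgeting-app", budget_pw, "view_balance"),
        "withdraw": store.authorize("budgeting-app", budget_pw, "withdraw_funds"),
        "cross_app": store.authorize("tax-app", budget_pw, "view_balance"),
    }
    store.revoke("budgeting-app")
    results["after_revoke"] = store.authorize("budgeting-app", budget_pw, "view_balance")
    results["tax_app_after"] = store.authorize("tax-app", tax_pw, "view_balance")
    return results
```

Calling `demo()` shows that a leaked app password can read data but cannot move money, cannot be reused under another app's label, and stops working as soon as it is revoked.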

Use Betterment’s app-specific passwords, and encourage your other providers to adopt them.

We hope that you will consider using app-specific passwords where they are available, and that you will push your other financial service providers to make them available if they aren’t already. Using them may be a very small hassle now, but could save you major headaches down the road.