Even with new tech companies like Plaid they're designing patterns that will compromise security down the line. Plaid has you enter your bank login information right on some third party website. While Plaid can be trusted, there's no reason to trust the third party with my bank login info. My password manager right doesn't work on these pages since it doesn't recognize the domain. But a less astute user may unwittingly give out their bank login info to some random site that makes a fake Plaid UI.
Please correct me if I’m wrong, but I believe Plaid uses an OAuth-Luke experience via an external tab/window to an encrypted sub domain of their website for authentication (so no middle man sniffing technically
possible).
Disclaimer: I do not work for Plaid, but have used it in the past.
If it is implemented that way there’s no way to tell from the user side. It just looks like it’s a part of whatever website you are on. My password manager even refuses to autofill.
