This repository has been archived by the owner on Aug 30, 2024. It is now read-only.

Security

Edwin Woudt edited this page Dec 3, 2019 · 7 revisions

Before you start: 2FA

As a first security precaution, it is advised to set up two-factor authentication for your IFTTT and Google accounts. For more info see:

If you use another cloud provider for hosting bunq2IFTTT instead of Google App Engine, set up two-factor authentication/verification according to your cloud provider's documentation. If they do not support it, consider switching to another provider that cares more about security!

Which security model do I choose for bunq2IFTTT?

Depending on which triggers and actions you need, the following table lists which security model supports which triggers and actions:

Setup   | mutation | balance | request | internal payment | draft payment | external payment | change card account | oauth expires
--------|----------|---------|---------|------------------|---------------|------------------|---------------------|--------------
OAuth   | yes      | yes     | yes     | yes              | yes           | no               | yes                 | yes
API key | yes      | yes     | yes     | yes              | yes           | yes              | yes                 | n/a

As you can see, there are only two differences when using an API key over OAuth:

  • With an API key, direct external payments are possible (see below for why this is a bad idea anyway)
  • An API key does not expire, while an OAuth connection expires after three months. You can however use the OAuth expires trigger to remind yourself to log in and reauthorize it. It only takes a few seconds every three months to prevent money loss!

A note on external payments: allowing bunq2IFTTT to directly make external payments is very dangerous. Not only can anyone with access to your IFTTT account make any payment they want; anyone with access to your Google account can also find the IFTTT key and use it to get full access to all your accounts and other functions!

Instead, consider using internal payments for payments between your own accounts and/or draft payments (which you need to approve in the bunq app). Both of these only need OAuth-level security, which means that if your IFTTT or Google account is hacked you don't lose any money.

Also note that external payments are disabled by default (see Configure external payment action) and need a source code change to enable them. This is however merely a precaution: if you use the API key, you are still at risk of losing all your money if your API key gets compromised, even if this function stays disabled or is only enabled for selected accounts!