Using Public Key Infrastructure with the Yodlee Core API

Note: This page was deprecated in June 2020, as linking accounts via API calls is no longer supported.  The information is left here for the convenience of customers using older software.

Using Public Key Infrastructure (PKI) Encryption

Although Yodlee FastLink provides a convenient means of linking user accounts, customers sometimes choose to build their own account linking experience. Envestnet | Yodlee provides requests that can support linking user accounts to enable custom UX flows. These requests accept sensitive information such as a user’s credentials for a financial institution and they protect this information using transport level security such as SSL (secure sockets layer).

Public key infrastructure (PKI) based encryption offers additional security above and beyond SSL. PKI-based encryption is an optional feature and is turned off by default. When it is enabled for an API environment, customers use the environment's public key to encrypt credentials and answers to MFA (multifactor authentication) questions before passing them during the account linking process. Envestnet | Yodlee then decrypts the credentials and MFA answers using the corresponding private key.

When PKI is turned on, you can use the functionality as delineated in the following steps.

  1. Retrieve the public key by calling the GET /cobrand/publickey request. This key does not change or expire. After you receive it, store it in a secure place with other environment details.
  2. Once you have received the public key, use it to encrypt the following user-provided values before you send them to Yodlee:
    1. First level of authentication—The bank credential fields such as username, password, card number, sort code, and so on that are required to authenticate the user with the financial institution.
    2. Second level of authentication—Answers to the security questions (loginForm.formType is questionAndAnswer) that are returned during an MFA challenge.
      Note: Do not encrypt OTP (formType: token), CAPTCHA (formType: image), and random keys.
  3. Send the encrypted values in the objects to the following requests:
    1. loginForm object to the POST /providerAccounts
    2. loginForm or MFA loginForm object to PUT /providerAccounts

Yodlee recommends that you encrypt credentials using the public key at the browser level as soon as the user provides the credentials.