Multi-factor authentication - Local or Web based

I'm a newbie so please bear with my question as I'm not technically savvy and I didn't know where to ask this question.

When setting up Multi-factor authentication for Direct Connect, is the storage of associated specific data files such as personal devices (like phone or email addresses) on the local machine or is it stored on a website server somewhere as Intuit does?

First, I am not aware that KMM can use multi-factor authentication, only a simple name/password.

Second, KMM stores ALL its information locally. There is no KMM server, and it does not "phone home" for any reason. (Some KDE applications use some form of telemetry to help understand its use, but KMM does not. Even in those cases, I don't think (but am not completely certain, as I have not looked at the code) it sends any personally identifiable information.)

Multifactor Authentication can work without KMyMoney knowing about it. When KMyMoney sends the login information to your bank as part of the authentication, then the bank pushes a notification with a challenge (2FA request) e.g. to your mobile device using information provided when you registered the device (e.g. device IDs, phone numbers, …). Those pieces of information are kept on the servers of your institution. The mobile device performs a calculation on the challenge with device unique parameters and sends the result back to the bank. The bank performs the same calculation and when the outcome is positive, the initial authentication request is acknowledged to KMyMoney.

Other mechanisms send the 2FA request back to KMyMoney which presents the contained information (e.g. a QR-Code) as challenge on the screen. The QR code scanned with your mobile device (second factor) is then processed by the bank’s application on your device and the challenge together with unique crypto material on your device generates e.g. a 6 digit number which you enter into the dialog showing the QR-Code. KMyMoney sends it back to the institution. Since the bank can also generate the 6 digit number (because you have registered the device) it can compare your answer and make sure you have access to the device (aka own the device). Of course, the app on the mobile is password protected.

And of course there are a few more mechanisms. It all depends on what your bank implemented. Hope that provides some background information and does not confuse more than necessary.
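The challenge/response flow described in the post above, as an added sketch that is not code from any poster, from KMyMoney, or from any bank. It assumes HMAC-SHA256 with HOTP-style truncation as the "calculation"; the names `Bank`, `response_code` and the user `alice` are hypothetical.

```python
import hashlib
import hmac
import secrets


def response_code(device_secret, challenge, digits=6):
    """Short numeric code from a challenge and the device's secret."""
    mac = hmac.new(device_secret, challenge, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation borrowed from HOTP (RFC 4226)
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Bank:
    """Server side: holds the per-device secret and the open challenges."""

    def __init__(self):
        self.device_secrets = {}  # user -> secret set at device registration
        self.pending = {}         # user -> challenge awaiting an answer

    def register_device(self, user):
        secret = secrets.token_bytes(32)
        self.device_secrets[user] = secret
        return secret  # provisioned once into the bank's app on the phone

    def start_login(self, user):
        challenge = secrets.token_bytes(16)
        self.pending[user] = challenge
        return challenge  # what a push message or QR code would carry

    def verify(self, user, code):
        challenge = self.pending.pop(user, None)  # single use, even on failure
        if challenge is None:
            return False
        expected = response_code(self.device_secrets[user], challenge)
        # Constant-time comparison; encode so non-ASCII input cannot raise.
        return hmac.compare_digest(expected.encode(), code.encode())


def demo():
    bank = Bank()
    phone_secret = bank.register_device("alice")  # constructed sample user
    code = response_code(phone_secret, bank.start_login("alice"))  # on the phone
    accepted = bank.verify("alice", code)   # code relayed by the finance client
    replayed = bank.verify("alice", code)   # challenge already consumed
    good = response_code(phone_secret, bank.start_login("alice"))
    mistyped = good[:-1] + str((int(good[-1]) + 1) % 10)
    return {"accepted": accepted, "replayed": replayed,
            "mistyped": bank.verify("alice", mistyped)}
```

In this sketch the desktop client only relays the challenge and the six-digit answer; the device secret exists on the phone and on the bank's server, never on the local machine.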

I was thinking specifically about the OFX Importer Plugin on OFX Importer Plugin (kde.org).
For “Direct Connect” rather than “Web Connect” I don’t see a mention of setting up a way to include Multi-factor authentication.

I’ve set up Direct Connect with my bank using MINT by Intuit (which I’ve since stopped using.) During the set up process a dialog appeared that said “Security info required…For your security, ***Bank requires additional verification info. Please select an option to receive the passcode: Phone call to ***, Text passcode to ***.”
Once the set up was complete I did not have to receive a passcode every time I connected through MINT.

So re-formatting my question, is it possible to use the OFX Importer Plugin to download transactions via Direct Connect without having to receive a passcode from the bank each time one attempts to download transactions? And if not, and the bank requires Multi-factor authentication each time, would the OFX Importer Direct Connect work?

Sorry for misunderstanding your original question. Thought it was of a more general nature.

Sure, the OFX importer can be enhanced to support that. It’s just that I don’t know how this is implemented based on the OFX specifications and also don’t have access to an OFX account. Maybe, someone else has an idea. I can certainly support devs with knowledge about KMyMoney and the OFX plugin if needed.

I cannot judge if the current implementation will work together with the 2FA method used.

What happens when you use a current version of KMM to try to do an OFX download from this bank? Does KMM give any error message? If so, is the bank’s response in a temporary file in /tmp? I think the next step would be to capture what the bank sends back as the first response to the OFX request.

Please check Settings/Configure KMyMoney/General/Support for the location and generation of OFX trace file(s). It does not need to be /tmp.