Jacob Kaplan-Moss

A bit of smart security design from Tiller

I wrote this post in 2018, more than 6 years ago. It may be very out of date, partially or totally incorrect. I may even no longer agree with this, or might approach things differently if I wrote this post today. I rarely edit posts after writing them, but if I have there'll be a note at the bottom about what I changed and why. If something in this post is actively harmful or dangerous please get in touch and I'll fix it.

I’m trying out Tiller (a service that pulls financial transaction data into Google Sheets), and there’s a nifty bit of security design.

  • Instead of its own authentication, you log in via Google. This means Tiller doesn’t need to do any account management, and my account’s as secure as my Google account.
  • Like all other services in this sector (Mint, Personal Capital, YNAB, etc), the actual data sync happens via Yodlee. Yodlee is… not great, but it’s at least not worse than what everyone else is doing. And, Tiller does the best they can by using Yodlee’s own credential flow, which means your bank login never hits Tiller’s servers.
  • When you set up a sheet, instead of requesting access to Google Sheets, Tiller creates the sheet using a bot account, then shares it with you. This means Tiller only has access to the specific spreadsheets it manages, not your entire drive.

There’s always a bit of inherent risk in services like this, and I’m pleased to see that someone at Tiller clearly thought very carefully about the risk model, and designed things to be about as safe as they could be.