Two Factor Authentication

Setting up two-factor authentication (2FA) in Expensify Classic adds an extra layer of protection to your account. This guide explains how to enable 2FA and what to expect if you’re ever locked out.


Who can enable Two-Factor Authentication in Expensify Classic

Anyone can enable Two-Factor Authentication on their own account. Domain Admins can require all members on a domain to enable Two-Factor Authentication on their accounts.

How to enable Two-Factor Authentication on your account in Expensify Classic

  1. Ensure an authenticator app is installed on your device.
  2. Go to Settings > Account > Profile.
  3. Enable Two-factor authentication.
  4. Save a copy of your backup codes:
    • Click Download to save them to your computer.
    • Click Copy to store them in a secure location.
  5. Click Continue.
  6. Open your authenticator app and either:
    • Scan the QR code displayed on your screen.
    • Enter the 6-digit code from your authenticator app into Expensify and then click Verify.

Important: If you lose access to your authenticator app and didn’t save your recovery codes, you may permanently lose access to your account. Consider adding 2FA on multiple devices (e.g., phone and tablet) for backup.

How to enable Two-Factor Authentication on a domain

  1. Go to Settings > Domains > [domain name] > Domain Members.
  2. Enable Two-Factor Authentication.

Note: 2FA can’t be enabled for domains that use SAML.


For Domain Admins: Reset Two-Factor Authentication for a member

If a member loses access to their authenticator app or recovery codes, you can reset their 2FA if:

  • They use a company email on your verified domain, and
  • You (the Domain Admin) also have 2FA enabled

To reset a member’s 2FA settings:

  1. Go to Settings > Domains > Domain Members.
  2. Click Edit Settings for the affected email address.
  3. Click Reset to disable 2FA.
  4. The member can now log in and set up 2FA again.

If your domain doesn’t have 2FA enabled yet:

  1. Go to Settings > Domains > Domain Members.
  2. Enable Two-Factor Authentication.
  3. Then follow the steps above to reset 2FA for the member.

What to do if you’re locked out because of Two-Factor Authentication

If you can’t access your authenticator app and don’t have your recovery codes, contact your Domain Admin to reset your 2FA.

If no Domain Admin is available and you’re using a company email, you can follow this guide to claim the domain and reset your 2FA settings yourself.

For more help regaining access, see Troubleshoot login issues.


FAQ

How does 2FA change how I log into my account?

Setting up two-factor authentication (2FA) adds an extra layer of security to protect your Expensify account. When you log in, you must enter a code generated by your preferred authenticator app (such as Google Authenticator or Microsoft Authenticator).

How does 2FA work?

Expensify’s 2FA is implemented via a Time-based One-Time Password (TOTP) algorithm. Each time you log in, you must use an authenticator app to generate a unique 6-digit code, adding a second “factor” to your login.

What can I do if I can’t access my authenticator app?

When you enable 2FA, you are prompted to either copy or download backup codes, which you can use in lieu of the 6-digit authenticator code. If you downloaded the codes, they will be saved with the file name two-factor-auth-codes.

What authenticator apps does Expensify recommend?

You can use any authenticator app, but here are a few we recommend:

What if my verification code isn’t working?

Make sure your device’s clock is set to update automatically. Authenticator apps rely on your system clock being accurate, and even a small time difference can cause verification codes to fail.
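
The TOTP mechanism and the clock dependence described in the two answers above can be seen in the following added example, which is not Expensify's code. It assumes the RFC 6238 defaults (HMAC-SHA-1, 30-second steps) and a verifier that tolerates one step of drift; the secret and timestamps are RFC test values, and the function names are hypothetical.

```python
import hashlib
import hmac
import struct

STEP = 30     # seconds per code: RFC 6238 default, assumed (not stated on this page)
DIGITS = 6    # code length stated on this page
SECRET = b"12345678901234567890"   # RFC 6238 test secret, never a real key
NOW = 1111111109                   # constructed server time, 29 s into a step

def totp(secret, unix_time, step=STEP, digits=DIGITS):
    """Compute an RFC 6238 code with HMAC-SHA-1 for the given Unix time."""
    counter = int(unix_time // step)              # number of steps since epoch
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret, code, server_time, window=1):
    """Return the step offset that matched (0 = current step), or None."""
    for drift in sorted(range(-window, window + 1), key=abs):
        candidate = totp(secret, server_time + drift * STEP)
        if hmac.compare_digest(candidate, code):  # constant-time comparison
            return drift
    return None

def skew_report(secret, server_time, skews, window=1):
    """Map each device clock error (in seconds) to the verifier's result."""
    return {s: verify(secret, totp(secret, server_time + s), server_time, window)
            for s in skews}

if __name__ == "__main__":
    for skew, hit in skew_report(SECRET, NOW, [0, -20, 20, 45, -120]).items():
        status = "rejected" if hit is None else f"accepted (step offset {hit:+d})"
        print(f"device clock off by {skew:+4d}s -> {status}")
    # With no drift tolerance, a 20-second error is already enough to fail here.
    print("window=0, +20s ->", skew_report(SECRET, NOW, [20], window=0)[20])
```

Because the code is derived from the step counter rather than the exact second, a 20-second error is harmless or fatal depending on whether it crosses a step boundary, which is why automatic time sync is the first thing to check.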
