Enable two-factor authentication

Add an extra layer of security to protect your financial data by enabling two-factor authentication (2FA). This requires you to enter a code generated by your preferred authenticator app (such as Google Authenticator or Microsoft Authenticator) when you log in.

Expensify’s 2FA is implemented via a Time-based One-Time Password (TOTP) algorithm. This means that each time you log in, you must use an authenticator app to generate a unique 6-digit code, adding a second “factor” to your login.

You can use any authenticator app, but here are a few we recommend:

Ensure you have an authenticator app installed before proceeding.

Enable and Set Up Two-Factor Authentication

  1. Hover over Settings, then click Account.
  2. Under the Account Details tab, scroll to the Two-Factor Authentication section and enable the toggle.
  3. Save a copy of your backup codes:
    • Click Download to save a copy to your computer.
    • Click Copy to store the codes in a secure location.

This step is critical: if you lose access to your authenticator app and do not have your recovery codes, you will lose access to your account.

  4. Click Continue.
  5. Open your authenticator app and either:
    • Scan the QR code displayed on your screen.
    • Enter the 6-digit code from your authenticator app into Expensify and click Verify.

Once set up, when logging into Expensify, you will:

  • Receive a Magic Code email to initiate login.
  • Be prompted to enter a 6-digit code from your authenticator app.

New codes regenerate every few seconds. If the code expires, generate a new one.

Lost Recovery Codes or Authenticator App

If you lose your mobile device and recovery codes, a Domain Admin can reset your 2FA only if:

  • You use a company email or a domain you own.
  • The Domain Admin also has 2FA enabled.

Reset 2FA as a Domain Admin

  1. Navigate to Settings > Domains > Domain Members.
  2. Click Edit Settings for the affected email address.
  3. Click Reset to disable 2FA.
  4. The user can now log in and reconfigure 2FA.

If your domain does not have 2FA enabled:

  1. Go to Settings > Domains > Domain Members.
  2. Enable Two-Factor Authentication.
  3. Follow the previous steps to reset 2FA for the user.

If you use a public email (e.g., Gmail, Yahoo, Hotmail), Expensify cannot disable 2FA. If recovery codes are lost, you may need to create a new account with a different email.

If no Domain Admin is available, follow this guide to verify your domain.

General Troubleshooting

  • Ensure your phone’s time is set to update automatically. A manually set clock that differs from the actual time can cause issues.
  • If you are still logged in on another device:
    1. Hover over Settings, then click Account.
    2. Under the Account Details tab, scroll to Two-Factor Authentication and disable the toggle.
    3. Try logging in again, then re-enable 2FA.

Following these steps ensures your account remains secure while preventing access issues.
