Two Factor Authentication
Two-factor authentication (2FA) adds an extra layer of protection to your Expensify account. This guide covers setup, login expectations, recovery steps if you lose access, and admin override options.
How two-factor authentication works
When logging in:
- Enter your email and the magic code sent to your inbox.
- Enter a 6-digit code generated by your authenticator app (such as Google Authenticator, Microsoft Authenticator, or Authy).
Codes refresh every few seconds. If one expires, simply open the app for a new code.
How to enable two-factor authentication
- From the left-hand menu, select Account > Security.
- Under Security options, select Two-Factor Authentication.
- Follow the prompts to enable 2FA.
- Save your backup codes—these are essential for account recovery.
  - Select Download to save the codes securely.
  - Select Copy to paste them into a password manager or secure file.
- Open your authenticator app and connect it to Expensify by:
  - Scanning the QR code, or
  - Entering the setup code manually.
- Enter the 6-digit verification code and select Verify.
What to expect when logging in
After setup, login requires both:
- Your magic code (sent via email).
- The 6-digit verification code from your authenticator app.
Recovery options
Backup recovery codes work like one-time passwords. They are your fastest recovery method if you lose access to your authenticator app.
If you still have recovery codes
- Log in with your email and magic code.
- Enter one of your recovery codes instead of a 6-digit app code.
- Disable 2FA, then re-enable it on your new device.
Tip: Store unused recovery codes in a secure, offline location. Each code can only be used once.
If you lost your device and have no recovery codes
- Individual account: You’ll need to create a new Expensify account with a different email. Concierge can assist with transferring access to any shared Workspaces.
- Domain account: A Domain Admin can reset your 2FA. Once reset, you’ll log in normally and set up 2FA again.
Admin recovery and overrides
If a Domain Admin is available
- Domain Admins can reset a member’s 2FA by going to Settings > Domains > [Domain Name] > Members > Security Settings.
- Select the member, then disable their 2FA.
If the enforcing Domain Admin has left
- Verify domain ownership by proving control of the domain’s DNS or MX records.
- Assign a new Domain Admin in Settings > Domains > [Domain Name] > Domain Settings.
- Once the new admin is assigned, follow the steps above to reset 2FA for affected members.
Best practices
- Save your recovery codes as soon as you set up 2FA.
- Consider adding 2FA on multiple devices (e.g., phone and tablet) during setup, so you have a backup if one device is lost.
- Keep your device’s clock set to the correct time—codes depend on accurate timing.
FAQ
Why should I use 2FA?
It prevents unauthorized access, even if someone has your login email or password.
What if I lose my phone or uninstall the app?
Use a recovery code to log in, then disable and re-enable 2FA on your new device.
Can I use 2FA on more than one device?
Yes. Scan the setup QR code with multiple devices when enabling 2FA.
What if my verification code isn’t working?
Check your device’s time settings. Authenticator apps rely on accurate system clocks.
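To show why the clock matters (Best practices above and this FAQ answer), here is an added illustration of how an authenticator app derives the 6-digit code. It is not Expensify's code: the code is an HMAC over the current 30-second time counter (RFC 6238), so a server that tolerates only one step of drift still accepts a code from a slightly slow clock but rejects one from a clock that is minutes off. The secret and timestamps are constructed test values taken from the RFC, not real account data.

```python
import base64
import hashlib
import hmac
import struct

# Constructed example secret (RFC 6238 test key), NOT a real Expensify secret.
# An authenticator app receives this value from the QR code or setup code.
EXAMPLE_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()
STEP_SECONDS = 30   # standard TOTP time step
DIGITS = 6          # the 6-digit code the article refers to


def totp_code(secret_b32: str, unix_time: int) -> str:
    """Code an authenticator app shows at `unix_time`.

    The only changing input is the counter floor(unix_time / 30), which is
    why a wrong device clock produces a code the server rejects.
    """
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", unix_time // STEP_SECONDS)   # 8-byte big-endian
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                               # dynamic truncation
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** DIGITS)).zfill(DIGITS)


def verify_code(secret_b32: str, submitted: str, server_time: int,
                skew_steps: int = 1) -> bool:
    """Server-side check: accept the current step plus `skew_steps` steps either
    side, so a few seconds of drift still work while minutes of drift fail.
    Uses a constant-time comparison to avoid leaking partial matches."""
    for n in range(-skew_steps, skew_steps + 1):
        candidate = totp_code(secret_b32, server_time + n * STEP_SECONDS)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


def clock_drift_demo() -> dict:
    """Same secret, same server instant: a device clock 2 s slow still passes
    (adjacent step within the window), one 5 minutes slow does not."""
    server_now = 1_111_111_111                   # fixed instant for the demo
    on_time = totp_code(EXAMPLE_SECRET_B32, server_now)
    slightly_slow = totp_code(EXAMPLE_SECRET_B32, server_now - 2)
    five_min_slow = totp_code(EXAMPLE_SECRET_B32, server_now - 300)
    return {
        "on_time": (on_time, verify_code(EXAMPLE_SECRET_B32, on_time, server_now)),
        "slightly_slow": (slightly_slow, verify_code(EXAMPLE_SECRET_B32, slightly_slow, server_now)),
        "five_min_slow": (five_min_slow, verify_code(EXAMPLE_SECRET_B32, five_min_slow, server_now)),
    }


if __name__ == "__main__":
    print(clock_drift_demo())
```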