From 3e6af765a9aedcb7e7de218d8d04d02a38583f53 Mon Sep 17 00:00:00 2001 From: Matt Moore <46995600+muttmuure@users.noreply.github.com> Date: Mon, 15 Sep 2025 13:57:39 +0200 Subject: [PATCH 1/2] Update Two-Factor-Authentication.md From 78d3fb77e260033092b0a8eb5483e68ee713557f Mon Sep 17 00:00:00 2001 From: Matt Moore <46995600+muttmuure@users.noreply.github.com> Date: Mon, 15 Sep 2025 16:12:10 +0200 Subject: [PATCH 2/2] Update Two-Factor-Authentication.md --- .../settings/Two-Factor-Authentication.md | 93 +++++++++++-------- 1 file changed, 56 insertions(+), 37 deletions(-) diff --git a/docs/articles/new-expensify/settings/Two-Factor-Authentication.md b/docs/articles/new-expensify/settings/Two-Factor-Authentication.md index 312c566ba99d..bdb534a8bab3 100644 --- a/docs/articles/new-expensify/settings/Two-Factor-Authentication.md +++ b/docs/articles/new-expensify/settings/Two-Factor-Authentication.md 
@@ -1,72 +1,91 @@ --- title: Two-Factor Authentication (2FA) -description: Add an extra layer of security for your Expensify login -keywords: [two-factor authentication, 2FA, security settings, authenticator app, recovery codes, login security] +description: Learn how to set up, use, and recover your Expensify account with two-factor authentication (2FA), including lost device and admin recovery options. +keywords: [Expensify Classic, two-factor authentication, 2FA, login security, authenticator app, recovery codes, locked out, lost phone, account recovery, Domain Admin reset] --- -Enabling two-factor authentication (2FA) adds an extra layer of security to help protect your financial data. This adds a secondary login step using a code generated by an authenticator app like Google Authenticator or Microsoft Authenticator. +Two-factor authentication (2FA) adds an extra layer of protection to your Expensify account. This guide covers setup, login expectations, recovery steps if you lose access, and admin override options. --- -# How Two-Factor Authentication Works +# How two-factor authentication works -After entering your login email and magic code, Expensify will prompt you for a 6-digit verification code generated by your authenticator app, such as Google Authenticator, Microsoft Authenticator, or Authy. Each code is time-based and refreshes every few seconds, ensuring that no code is ever reused. If the code expires, simply open the app to get a new one. +When logging in: +1. Enter your email and the magic code sent to your inbox. +2. Enter a 6-digit code generated by your authenticator app (such as Google Authenticator, Microsoft Authenticator, or Authy). + +Codes refresh every few seconds. If one expires, simply open the app for a new code. --- -# How to Enable Two-Factor Authentication in Expensify +# How to enable two-factor authentication -1. In the (on the left on web, and at the bottom on mobile), tap **Account > Security**. -2. 
Under **Security options**, tap **Two-Factor Authentication**. +1. From the left-hand menu, select **Account > Security**. +2. Under **Security options**, select **Two-Factor Authentication**. 3. Follow the prompts to enable 2FA. -4. **Save your backup codes**—these are essential for account recovery. - - Tap **Download** to save the codes to your device. - - Tap **Copy** to paste the codes into a secure location. -5. Tap **Next**. -6. Open your authenticator app and connect it to Expensify by: - - Scanning the QR code, or - - Entering the setup code manually. -7. Enter the 6-digit verification code and tap **Verify**. +4. **Save your backup codes**—these are essential for account recovery. + - Select **Download** to save the codes securely. + - Select **Copy** to paste them into a password manager or secure file. +5. Open your authenticator app and connect it to Expensify by: + - Scanning the QR code, or + - Entering the setup code manually. +6. Enter the 6-digit verification code and select **Verify**. --- -# What to Expect When Logging In +# What to expect when logging in -Once 2FA is enabled, logging in will require two steps: -1. Enter the **magic code** sent to your email. -2. Open your authenticator app and enter the **6-digit verification code**. The code refreshes every few seconds, so use the most recent one available. +After setup, login requires both: +1. Your magic code (sent via email). +2. The 6-digit verification code from your authenticator app. --- -# Recovery Codes +# Recovery options -Backup recovery codes allow you to log in to Expensify if you lose access to your authenticator app. +Backup recovery codes work like one-time passwords. They are your fastest recovery method if you lose access to your authenticator app. -Each recovery code works like a one-time password. You’ll receive several unique codes when setting up 2FA—make sure to: +## If you still have recovery codes +1. Log in with your email and magic code. +2. 
Enter one of your recovery codes instead of a 6-digit app code. +3. Disable 2FA, then re-enable it on your new device. -- **Store them in a safe, offline location** (such as a secure document or password manager). -- **Never share your codes** with anyone. -- **Use each code only once**—after it’s used, it becomes inactive. +**Tip:** Store unused recovery codes in a secure, offline location. Each code can only be used once. -If you lose your authenticator app and don’t have access to your recovery codes, you’ll need to contact Expensify support to verify your identity and regain access to your account. +## If you lost your device and have no recovery codes +- **Individual account**: You’ll need to create a new Expensify account with a different email. Concierge can assist with transferring access to any shared Workspaces. +- **Domain account**: A **Domain Admin** can reset your 2FA. Once reset, you’ll log in normally and set up 2FA again. ---- +# Admin recovery and overrides -# FAQ +## If a Domain Admin is available +- Domain Admins can reset a member’s 2FA by going to: + **Settings > Domains > [Domain Name] > Members > Security Settings** +- Select the member, then disable their 2FA. -## Why should I use 2FA? +## If the enforcing Domain Admin has left +1. Verify domain ownership by proving control of the domain’s email DNS or MX records. +2. Assign a new Domain Admin in **Settings > Domains > [Domain Name] > Domain Settings**. +3. Once the new admin is assigned, follow the steps above to reset 2FA for affected members. -2FA significantly reduces the chance of unauthorized account access, even if someone obtains your login email or password. It’s a simple but powerful tool for protecting sensitive financial data. +# Best practices -## What happens if I lose my phone or uninstall the authenticator app? +- Save your recovery codes as soon as you set up 2FA. +- Consider adding 2FA on multiple devices (e.g., phone and tablet) during setup for backup. 
+- Keep your device’s clock set to the correct time—codes depend on accurate timing. -Log in using one of your backup recovery codes. Then, disable 2FA and set it up again with your new device or app. +--- -## Can I use 2FA on more than one device? +# FAQ -Yes. When setting up 2FA, you can scan the QR code with multiple devices (like your phone and tablet) to generate codes from both. +## Why should I use 2FA? +It prevents unauthorized access, even if someone has your login email or password. -## What if my verification code isn’t working? +## What if I lose my phone or uninstall the app? +Use a recovery code to log in, then disable and re-enable 2FA on your new device. -Make sure your device’s clock is set to the correct time. Authenticator apps rely on time-based tokens, so an inaccurate device clock can cause errors. +## Can I use 2FA on more than one device? +Yes. Scan the setup QR code with multiple devices when enabling 2FA. +## What if my verification code isn’t working? +Check your device’s time settings. Authenticator apps rely on accurate system clocks.
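Review bot: In the "If the enforcing Domain Admin has left" steps, step 1 ("Verify domain ownership by proving control of the domain's email DNS or MX records") does not say who performs the verification or where the proof is submitted. Because this path ends with a newly assigned admin disabling another member's 2FA, the step should name the channel and the proof that is accepted (is it Concierge, which this patch already names for individual accounts?). In the same recovery region, the individual-account bullet replaces the removed "contact Expensify support to verify your identity and regain access" with "create a new Expensify account with a different email". Please confirm this is the intended behaviour, since it changes the documented recovery outcome and not only the wording. The keywords line adds "Expensify Classic" although the file is under docs/articles/new-expensify/, and the "Settings > Domains > [Domain Name] > ..." paths do not follow the "Account > Security" navigation used in the enable steps, so check that both match the product this article covers. The removed "Never share your codes" advice has no counterpart in the new Tip and is worth keeping there.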