Does Expensify have any plans to enable Two-factor authentication?

jbaxter

Security is always a focus for us, especially anything to do with payments.
Has Expensify considered adding this as a feature?

Conor Pendergrast

Hey Jodie, thanks for the added context! This isn't something that we're explicitly looking at for now.

On the assumption that your group is typically managing reimbursement through Expensify (on behalf of your clients), I'd suggest that it's worth the first step of looking at implementing an SSO tool internally. That'll control for the the most important risk, and make sure that your own accounts are not compromised here (and can't be used to reimbursed reports improperly)

Conor Pendergrast

Hey Jodie, happy Monday to you! Does Lumina use a single sign-on product like OneLogin, Okta or Google SAML?

That's how our more security-minded and enterprise/ public customers enforce additional layers of security requirements across multiple products (including Expensify), including multi-factor authentication

jbaxter

Hi @Conor Pendergrast Thanks for the response. The company I work for is an outsourced accounting group. As our clients are external, enabling SSO is out of our control.

mdtomerlin

We were recently hacked by a group in China. We must close every door possible. There is nothing comparable to the security and the ease of use provided by multi-factor authentication. If Expensify chooses not to offer this security, we will have to look other places for this service.

Sheena Trepanier

Hi @mdtomerlin, thanks for joining the Community and taking the time to share on this thread.

I'm happy to say that we're currently working on adding native multi-factor authentication, and once it's released we'll be sure to update the Product Updates category here in the Community!

The best alternative in the meantime, is to make use of any SAML integration and their own native multi-factor authentication. By making SAML required for login for all users on your domain, you can easily restrict access to users controlled by your internal IT team.

Cheers!

schiweck

Any update on the two-factor authentication front? I'm actually very surprised this isn't a feature in Expensify yet. I would love to if there are any updates on when users can expect this feature?

Sophie Pinto-Raetz

No update as of yet, @schiweck as I'm sure you can also understand that it's a complex piece of engineering that requires absolute attention to detail...but you'll know as soon as we've posted about it in Product Updates, like Sheena mentioned!

RonR

New Expensify user here. Have my Fidelity account set up for 2FA, so Expensify won't connect. Seems like a stretch to ask your customers to reduce their security for all devices, logins, and software just to do an Expensify direct deposit. Is there an alternative within Expensify?

Sophie Pinto-Raetz

Hi @RonR, not at this stage! We'll keep this thread posted though 😊

expFymb

Unless I'm missing something about Expensify's security protocols, I do not understand why 2FA (Authy, Yubikey, FIDO, UTF, OTP, etc) has not been implemented for this site. Maybe I missed this. Is there a process to enable 2FA for Expenisfy Customers?

Could be wrong, but I'm sure most Expensify customers would feel better knowing that another layer of security prevents someone from obtaining any sensitive financial information.

Jason Li

Hi @expFymb - welcome to the Community, and thanks for sharing your feedback!

Our team are currently in the process of implementing this feature, and we'll make an announcement on the Community when this is live! I can't share an ETA, but it looks like it should be happening soon. Thanks for your patience here!