Security is always a focus for us, especially anything to do with payments.
Has Expensify considered adding this as a feature?
Hey Jodie, thanks for the added context! This isn't something that we're explicitly looking at for now.
On the assumption that your group is typically managing reimbursement through Expensify (on behalf of your clients), I'd suggest that it's worth the first step of looking at implementing an SSO tool internally. That'll control for the most important risk, and make sure that your own accounts are not compromised here (and can't be used to reimburse reports improperly).
Hey Jodie, happy Monday to you! Does Lumina use a single sign-on product like OneLogin, Okta or Google SAML?
That's how our more security-minded and enterprise/public customers enforce additional layers of security requirements across multiple products (including Expensify), including multi-factor authentication.
Hi @Conor Pendergrast Thanks for the response. The company I work for is an outsourced accounting group. As our clients are external, enabling SSO is out of our control.
We were recently hacked by a group in China. We must close every door possible. There is nothing comparable to the security and the ease of use provided by multi-factor authentication. If Expensify chooses not to offer this security, we will have to look other places for this service.
Hi @mdtomerlin, thanks for joining the Community and taking the time to share on this thread.
I'm happy to say that we're currently working on adding native multi-factor authentication, and once it's released we'll be sure to update the Product Updates category here in the Community!
The best alternative in the meantime is to make use of any SAML integration and their own native multi-factor authentication. By making SAML required for login for all users on your domain, you can easily restrict access to users controlled by your internal IT team.
Any update on the two-factor authentication front? I'm actually very surprised this isn't a feature in Expensify yet. I would love to know if there are any updates on when users can expect this feature?
No update as of yet, @schiweck as I'm sure you can also understand that it's a complex piece of engineering that requires absolute attention to detail...but you'll know as soon as we've posted about it in Product Updates, like Sheena mentioned!
New Expensify user here. Have my Fidelity account set up for 2FA, so Expensify won't connect. Seems like a stretch to ask your customers to reduce their security for all devices, logins, and software just to do an Expensify direct deposit. Is there an alternative within Expensify?
Hi @RonR, not at this stage! We'll keep this thread posted though 😊
Unless I'm missing something about Expensify's security protocols, I do not understand why 2FA (Authy, Yubikey, FIDO, UTF, OTP, etc.) has not been implemented for this site. Maybe I missed this. Is there a process to enable 2FA for Expensify customers?
Could be wrong, but I'm sure most Expensify customers would feel better knowing that another layer of security prevents someone from obtaining any sensitive financial information.
Hi @expFymb - welcome to the Community, and thanks for sharing your feedback!
Our team are currently in the process of implementing this feature, and we'll make an announcement on the Community when this is live! I can't share an ETA, but it looks like it should be happening soon. Thanks for your patience here!
@expFymb, @jbaxter, @mdtomerlin, @schiweck, @RonR
We are close to having this feature in production but we're currently in a beta phase and looking for more companies interested in joining our beta!
If you are interested in joining the beta please reach out to us by messaging [email protected] or @ mention my username here and I'll get in touch.
Please note: You will need a verified domain to be a part of the beta. If you don't have a verified domain but are willing to verify it, you can still participate.
Hi everyone! Further to @Sheena Trepanier's update above, this is just to let you know that we've rolled out Two Factor Authentication for domains this week! This enables Domain Admins of verified Domains to set 2FA to required for all users on their Domain. They'll also be able to reset their users' 2FA settings if a user misplaced their recovery code and authenticator app.
Please feel free to reach out to Concierge or send an email to [email protected] with any questions!