No password, no problem! Retiring passwords and introducing magic links

Sonia Liapounova Expensify Success Coach - Admin, Expensify Team Posts: 210
edited April 2023 in Product Updates

So much of our lives revolve around the digital world where every new site requires a new password. It can be tempting to reuse a password to make login easier, but doing that can lead to security breaches. Not to mention, coming up with new passwords can be a challenge of its own because they can be hard to remember and easy to misplace. Our goal is to make your life easier and to keep your data safe, so we’re going passwordless!


How will it work?

We are moving to a system of magic links and codes. When you sign in we will send a link to the email or phone number you are signing in with. If you click the link on the device you are signing into, then you will be automatically logged in. If you click the link on another device, say you’re logging in on the mobile app but open the link on your computer, then you will be shown a code which you can enter into the authentication field on the device you’re logging into. If you are logging in with a Secondary Login, the link will be sent to that address.

For any action that requires additional validation, such as adding a bank account or merging accounts, we will send a magic link to your primary login address. Even though you will already be signed in, we take this extra precaution to further ensure your data is safe.

If you have 2FA enabled on your account, you will receive the magic link and you will also be prompted to enter your 2FA code. Although 2FA is not required, we strongly urge everyone to enable this feature - you can think of 2FA the same as having a safe inside your home!

If you are using SAML to log into your account, your experience will not change. You will be able to continue using SAML as normal. The only time you will need to use the magic link is if you take an action that requires additional validation.


Any questions, feel free to get in touch via chat or concierge@expensify.com
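The sign-in flow the post describes (link opened on the same device completes sign-in; link opened elsewhere reveals a code to type into the waiting device) can be modelled as a small server-side state machine. The following is an added illustration, not Expensify's code and not a description of how Expensify implements it; every name, the record layout, the 15-minute link lifetime and the 5-attempt limit are assumptions, and the "mail" is a constructed in-memory outbox.

```python
"""Illustrative magic-link sign-in (added example, not Expensify's code).
Opening the link on the device that started sign-in completes it; opening it
on another device mints a short code that only the waiting device can redeem.
Names, record layout, lifetime and attempt limit are assumptions."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

LINK_TTL = 15 * 60       # assumed: a link is valid for 15 minutes
CODE_DIGITS = 6          # assumed: 6-digit code shown on the other device
MAX_CODE_ATTEMPTS = 5    # assumed: a 6-digit code must be brute-force limited


def _digest(value: str) -> str:
    """Store only hashes so a leaked table does not yield a usable login."""
    return hashlib.sha256(value.encode()).hexdigest()


@dataclass
class PendingLogin:
    login: str           # email or phone the user is signing in with
    token_hash: str      # hash of the secret carried in the emailed link
    device_cookie: str   # random value set on the device that started sign-in
    expires_at: float
    code_hash: str = ""  # set only once the link is opened on another device
    attempts: int = 0
    done: bool = False


class MagicLinkServer:
    def __init__(self) -> None:
        self.pending = {}    # request_id -> PendingLogin
        self.sessions = {}   # session id -> login
        self.outbox = []     # messages "sent" to the user (constructed, no real mail)

    def start_login(self, login: str, now=None):
        """Create a pending request; returns (request_id, device_cookie) for the browser."""
        now = time.time() if now is None else now
        request_id = secrets.token_urlsafe(16)
        token = secrets.token_urlsafe(32)          # 256-bit secret, never stored in the clear
        device_cookie = secrets.token_urlsafe(32)
        self.pending[request_id] = PendingLogin(login, _digest(token), device_cookie, now + LINK_TTL)
        self.outbox.append({"to": login, "request_id": request_id, "token": token})
        return request_id, device_cookie

    def _live(self, request_id: str, now: float):
        p = self.pending.get(request_id)
        return None if p is None or p.done or now > p.expires_at else p

    def _issue_session(self, p: PendingLogin) -> str:
        p.done = True                              # single use on either path
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = p.login
        return sid

    def click_link(self, request_id, token, device_cookie, now=None):
        """('session', sid) on the originating device, ('code', code) elsewhere, else ('error', why)."""
        now = time.time() if now is None else now
        p = self._live(request_id, now)
        if p is None or not hmac.compare_digest(p.token_hash, _digest(token)):
            return ("error", "invalid or expired link")
        if device_cookie is not None and hmac.compare_digest(p.device_cookie, device_cookie):
            return ("session", self._issue_session(p))
        # Another device opened the link: do not sign that device in. Mint a short
        # code that only the device holding the original cookie can redeem.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        p.code_hash = _digest(code)
        return ("code", code)

    def enter_code(self, request_id, code, device_cookie, now=None):
        """Redeem the code on the waiting device: ('session', sid) or ('error', why)."""
        now = time.time() if now is None else now
        p = self._live(request_id, now)
        if p is None or not p.code_hash:
            return ("error", "no code pending for this request")
        if not hmac.compare_digest(p.device_cookie, device_cookie):
            return ("error", "code must be entered on the device that started sign-in")
        p.attempts += 1
        if p.attempts > MAX_CODE_ATTEMPTS:
            p.done = True                          # burn the whole request, not just the code
            return ("error", "too many attempts")
        if not hmac.compare_digest(p.code_hash, _digest(code)):
            return ("error", "wrong code")
        return ("session", self._issue_session(p))


def demo() -> dict:
    """Walk both paths from the post, then a replay and an expired link (constructed logins)."""
    srv, t0 = MagicLinkServer(), 1_700_000_000.0
    rid, cookie = srv.start_login("alice@example.com", now=t0)
    same = srv.click_link(rid, srv.outbox[-1]["token"], cookie, now=t0 + 30)
    rid2, phone_cookie = srv.start_login("+15550000000", now=t0)
    kind, code = srv.click_link(rid2, srv.outbox[-1]["token"], None, now=t0 + 30)  # opened on a laptop
    redeemed = srv.enter_code(rid2, code, phone_cookie, now=t0 + 60)
    replay = srv.click_link(rid2, srv.outbox[-1]["token"], phone_cookie, now=t0 + 61)
    rid3, c3 = srv.start_login("bob@example.com", now=t0)
    expired = srv.click_link(rid3, srv.outbox[-1]["token"], c3, now=t0 + LINK_TTL + 1)
    return {"same_device": same[0], "other_device": kind, "redeemed": redeemed[0],
            "replay": replay[0], "expired": expired[0], "logins": sorted(srv.sessions.values())}
```

The properties worth checking in any magic-link implementation are visible here: the link secret is long, stored only as a hash, short-lived and single-use; a device that merely opens the link is never signed in unless it holds the cookie from the device that started the request; and because the typed code is short, it is bound to that same cookie and the request is burned after a bounded number of wrong guesses. The thread below does not say how Expensify handles any of these, so treat the block as a checklist rather than a description of their system.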


Comments

  • NetraBhandari123 Expensify Customer Posts: 1

    It's very nice to log in by magic links. It also saves time, so mostly I like it.

  • jond Expensify Customer Posts: 1 Expensify Newcomer

    Due to an email account error I was locked out of my expensify account and consequently out of my accounting data which is years and years old.

    Me: Not receiving magic key emails

    Concierge: Click the link in the magic key email

    Me: But see, I'm not receiving magic key emails

    Concierge: Click the link in the magic key email

    Up until today I was extremely happy with expensify and looked forward to payroll and other services that are unrolling in the future. Today that's changed as the panic of saying goodbye to my accounting data for the last six years was locked behind a catch 22.

    I didn't have the ability to talk to someone in support but I also couldn't escalate the importance of my inability to access my company on the expensify platform and that I may have needed to pursue legal remedies through my lawyer to access my data.

    At one point during my customer service experience, I mentioned that I was willing to pay a ransom for access.

    As safe as expensify claims their data is, it's not safe from never being able to access it again. I was good with two factor authentication, I was good with using an old fashioned password. I was not good with them changing to email magic keys. This is a regressive policy and this could have caused months of transition and legal costs to sue for access to my company. I'm relieved that I now have access but this story could have been so much worse.

  • cam Expensify Customer Posts: 4 Expensify Newcomer

    Not a single response from Expensify. Says it all. Time to move on? It is incredible they have not taken their users' vociferous objections into consideration. I have just been using the online chat to discuss, and they just don't hear us. They said, "We appreciate feedback for every change we do! Unfortunately, this is something we can't disable for now."

    I will be trying the free trial of Concur Expense. If anyone has any other alternatives they recommend please let me know!

  • jlbrown Expensify Customer Posts: 1 Expensify Newcomer

    I agree with all the above comments, except for Netra's. I'm not averse to change, and would welcome a change to Passkeys to remove passwords. But email is not the answer.

    Unless there is an option to turn this off soon, we'll have to leave Expensify. We were one of their first customers, when they were getting started.

    I'm guessing there will be a lot of other people looking at the competition now. Let us all know here if you find someone good.


    Expensify, please reconsider, and do so quickly.

  • PBRO_D1 Expensify Customer Posts: 1 Expensify Newcomer

    Can you please bring back passwords to login? This is disrupting my business running smoothly because my employees don't all have an easy way to access their email addresses. Please!

  • Bvirden Expensify Customer Posts: 1 Expensify Newcomer

    We have been using Expensify for a good long while and it has been the most solid of our apps sadly lol.

    But this update has broken the entire expense process with NetSuite. The integration no longer works since it's being driven by a phone number and not the core company email. This needs to be fixed ASAP!

  • EEJ Expensify Customer Posts: 1 Expensify Newcomer

    As others have stated, a terrible idea. There are other, secure options that don't complicate the simple process of logging in like this does. Seems like Expensify has not done their research of the net effect this will have on their customers. Pretty lame corporate decision.

  • thinkmark Expensify Customer Posts: 2 Expensify Newcomer

    Agree it should be optional. Magic links are time-consuming. 2FA is secure and more prevalent. Let us use one or the other.

  • Maxrmcd Expensify Customer Posts: 1 Expensify Newcomer

    I'm surprised Expensify has made this mistake and is only going Magic link - having to wait for the code is making your software very frustrating for everyone I know.

    I will have to STOP using Expensify if you can't allow for a password. I use TouchID on my Mac which is instantaneous and the best way for me to login. Now with Magic Links I can't and you're the only software I have issues with.

    Clearly no one likes the change you made and you will lose customers if you can't revert.

    Max

  • DFWSteve Expensify Customer Posts: 1 Expensify Newcomer

    It is irritating to have to open my email client to log into Expensify. I use a password manager + MFA / authenticator. Easy. Secure as hell. Simple. Going back to email is like regressing to a rotary dial landline phone. Who came up with the "magic number" idea anyway? They should be sent packing.

  • garycoukell Expensify Customer Posts: 1 Expensify Newcomer

    I absolutely hate this change. If there is one single thing that will make me switch programs, it is this. Please for the love of all things sensible, switch back to passwords.

  • spine21 Expensify Customer Posts: 1 Expensify Newcomer

    This change is nonsense as security is already provided with password and MFA, a measurement that the whole world now has accepted as THE standard for a secure login procedure. This needs to be changed to optional! Expensify - read those comments, listen to what the majority wants and act properly!

  • ChadV Expensify Customer Posts: 2 Expensify Newcomer

    One month in, magic links remain irritating. The developers have done a good job, and the emails have arrived quickly and reliably so far, but it's still added friction, and it bothers me every time.

  • Christina Dobryzynski Expensify Success Coach - Admin, Expensify Team, Expensify Student Ambassador Posts: 267

    Thank you so much for taking the time to provide feedback about passwordless and how it impacts you. We’ve been intentionally slow to respond to this thread (although we’ve been watching it) because we want to be cautious about discussing security changes in a public forum.

    As with all product updates, we appreciate feedback because it helps us improve our product and magic codes for future iterations. I've outlined the mentioned obstacles and solutions below:

    1) Make it optional.

    Current Solution: it is an option to enable SAML at the domain level, which will revert to password sign-in.

    2) It adds extra time and steps when using multiple devices.

    Current Solution: We added infinite sessions, so you only need to sign in once per device. The intention is to minimise the need to use magic codes.

    3) Magic codes depend on internet or phone service, which sometimes isn’t available when travelling or working remotely.

    Current Solution: You can get the emailed magic codes if you have internet/wifi. If you're travelling and don't have SMS, you can add an email as a secondary login to your account, allowing you to sign in.

    4) Emails can be compromised too.

    Current Solution: This is unfortunately true. Our focus is protecting your Expensify account. It's essential to lock your devices and use multi-authentication measures wherever possible.

    Please continue to provide more feedback about how this affects your workflow so we can consider these when improving magic codes.

  • drich Expensify Customer Posts: 1 Expensify Newcomer

    Can you make this optional? It is absolutely inefficient and unnecessary. I just had to wait for 7 emails because the system glitched which means I lost 15 minutes for nothing.

  • zonker Expensify Customer Posts: 1 Expensify Newcomer

    So to get this straight, you're removing existing passwords and moving to a mechanism which transmits the password in cleartext over the internet, and stores it in cleartext on the mail server, with no option to opt out? Wow.

    Ignoring the practical issues that several other people have raised, could someone from Expensify point out the section in NIST or ISO27K where it says this is an acceptable security practice?

    NIST / SOC3 / ISO27K certified organisations who use Expensify are unlikely to be able to accept this style of egregious and unnecessary security risk being imposed by Expensify.

    Please leave an option for password + 2fa.

  • cam Expensify Customer Posts: 4 Expensify Newcomer

    Hi Christina,

    Thank you for your post. Unfortunately there has still been no justification or explanation of the decision to make this egregious change, and the 'solutions' in your post for the most part do nothing to mitigate the frustration users experience, or the destruction of basic security that this has engendered.

    To respond to your numbered solutions:

    1) enabling SAML is not a viable solution for many organisations, and the implementation costs, including training and support, are an unnecessary burden to essentially bring back passwords!!

    2) adding infinite sessions once again is a downgrade in security. Instead of encouraging the best practice of logging out after each session you are encouraging people to get out of the habit of signing out of any session across all websites they visit.

    3) not sure I follow the logic of using email as a secondary login helps if you don't have access to the internet.

    4) now you suggest we lock devices and use MFA whenever possible after having just removed my highly secure MFA from Expensify??!! Locking my device makes no difference if someone has access to my email account.

    Christina, I have confidence that every single person in Expensify knows that this was a completely wrongheaded mistake, and the only course of action is to reverse this decision and reinstate passwords with MFA (e.g. one time codes, hardware tokens, etc.) while also adding PassKeys, which will future-proof secure login for Expensify users.

    We would all be grateful to know when this will happen, because we really need to be able to tell our staff some good news.