[Expensify] Passwords are dead, long live magic links!
Our goal is to make Expensify a little better every day in every way, and today's the day that we upgrade a very important flow: signing in.
tl;dr - Starting today, you don't need your password to sign in. Instead, we send a "magic link" to your email/phone to confirm you are you, and you are let in with a click. This is a phased roll-out so some of you will see this change sooner than others.
This is called a "passwordless" signin flow. Instead of a secret you have to remember, it relies on something you already control: the email address or phone number on your account. The security industry broadly regards this as a better balance of security and convenience than the traditional password, for the following reasons:
- The only way to remember a different password for each service is to make each password simple, and a simple password is quick for an attacker to guess or crack.
- The only way to make a password hard to crack is to make it hard to memorize, which means you generally reuse the same password across many services. Then when one service is breached, the attackers can try that password on all the others.
- The only way to avoid reusing strong passwords across sites is to keep them all in a password manager, which makes that manager a lucrative target.
- The only way to limit the damage from a mass leak of your passwords is to change them frequently, but frequent forced changes are insecure in their own way: people respond with small, predictable variations of the old password.
No matter how you slice it, passwords are a bad solution to an important problem. It's been roughly a century since prohibition-era speakeasies in the 1920s asked for a password at the door; it's long past due that we stop using them to secure our most important financial data. So here's how Expensify's new signin process works:
- Imagine you go to expensify.com, or install the Expensify app.
- You enter your email address or phone number to sign in.
- Note: If your company uses SAML or SSO for signin (either of which might prompt you for a password), those keep working – you are unaffected.
- A "magic link" will be emailed/texted to you – just click that link (or manually enter the "magic code"), and voila, you are signed in, quickly and securely, like magic!
- Note: If you've enabled two-factor authentication (2FA) using a "one time password" (OTP) authenticator app – which is a mouthful, but is actually very easy to set up and we strongly recommend it – you'll be asked for the code from your authenticator after clicking the magic link.
- Your app will stay signed in unless we need to re-confirm your access (eg, if you change your account’s login email or phone number), at which time a new magic link will be sent to reauthenticate you.
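The flow above, as an added worked example that is not Expensify's code: a small Python service that mints a one-time link token and a short manual code when a login is entered, stores only their hashes, expires them and allows a single use, caps wrong guesses, and, for accounts enrolled in 2FA, requires an RFC 6238 time-based one-time password after the link is proven. The time-to-live, attempt cap, in-memory store and every name here are assumptions made for the illustration; in practice the token would travel inside the emailed URL and the code inside the text message, and neither would be returned to the browser that requested them.

```python
# Added illustration of a magic-link sign-in with optional TOTP second factor.
# Not Expensify's code: names, limits and the in-memory store are assumptions.
import base64
import hashlib
import hmac
import secrets
import struct
import time

MAGIC_LINK_TTL = 15 * 60  # assumption: link/code valid for 15 minutes
MAX_ATTEMPTS = 5          # assumption: guesses allowed before the request is voided
CODE_DIGITS = 6           # assumption: length of the manually typed "magic code"


def _digest(value: str) -> bytes:
    """Store only a hash, so a leaked table of pending links yields nothing usable."""
    return hashlib.sha256(value.encode()).digest()


def totp_code(secret_b32: str, for_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 and 30-second steps, as authenticator apps compute it."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", int(for_time) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % (10 ** digits):0{digits}d}"


def verify_totp(secret_b32: str, candidate: str, now: float, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbours to tolerate clock drift."""
    for drift in range(-window, window + 1):
        expected = totp_code(secret_b32, now + drift * 30)
        if hmac.compare_digest(expected.encode(), candidate.encode()):
            return True
    return False


class MagicLinkService:
    def __init__(self, clock=time.time):
        self.clock = clock           # injectable so expiry can be tested deterministically
        self._pending = {}           # login -> {token_hash, code_hash, expires, attempts}
        self._totp_secrets = {}      # login -> base32 secret, present only when 2FA is on
        self._sessions = {}          # session id -> login

    def enroll_totp(self, login: str, secret_b32: str) -> None:
        self._totp_secrets[login] = secret_b32

    def request_login(self, login: str):
        """Step 1: the user enters an email/phone; mint a link token and a short code.
        A real service sends these out of band and never echoes them to the browser."""
        token = secrets.token_urlsafe(32)
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[login] = {
            "token_hash": _digest(token),
            "code_hash": _digest(code),
            "expires": self.clock() + MAGIC_LINK_TTL,
            "attempts": 0,
        }
        return token, code

    def redeem(self, login: str, token=None, code=None, totp=None):
        """Step 2: prove possession of the link (or code), then the TOTP if enrolled.
        Returns (True, session_id) or (False, reason)."""
        rec = self._pending.get(login)
        if rec is None:
            return False, "no pending sign-in request"
        if self.clock() > rec["expires"]:
            del self._pending[login]
            return False, "magic link expired"
        rec["attempts"] += 1
        if rec["attempts"] > MAX_ATTEMPTS:
            del self._pending[login]  # void the request instead of letting guessing continue
            return False, "too many attempts"

        if token is not None:
            proof_ok = hmac.compare_digest(_digest(token), rec["token_hash"])
        elif code is not None:
            proof_ok = hmac.compare_digest(_digest(code), rec["code_hash"])
        else:
            proof_ok = False
        if not proof_ok:
            return False, "invalid magic link or code"

        secret = self._totp_secrets.get(login)
        if secret is not None and (totp is None or not verify_totp(secret, totp, self.clock())):
            return False, "2fa code required"  # request stays pending so the user can retry

        del self._pending[login]  # single use: replaying the same link is rejected
        session = secrets.token_urlsafe(32)
        self._sessions[session] = login
        return True, session

    def login_for_session(self, session: str):
        return self._sessions.get(session)
```

Two design points worth noting: the pending record holds hashes, not the token or code, so a leaked table cannot be replayed, and a correct link that is missing its 2FA code does not consume the link, so the user gets a retry while the attempt counter still bounds guessing of the six-digit TOTP.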
It's a better, safer, and more convenient flow, and it is being rolled out to every account that formerly used an Expensify password. Other than enjoying the new feature, you shouldn't need to do anything special. However, it's a good time to:
- Update your mobile app, to make sure it has the latest magic signin flow.
- Review your Secondary Logins under Settings > Account > Account Details > Secondary Logins to ensure your logins listed are updated.
- Secure your account with two-factor authentication (2FA).
This is just one of the many layered defenses Expensify has to protect your account data and financial flows. Those now include PCI DSS Level 1 certification, the most stringent compliance level for businesses that handle credit card data. If you have any questions at all about this new way to secure your account, just reply to this email and we'll help you out. Thanks!
Founder and CEO of Expensify
Questions? Ask me on Twitter! @dbarrett
P.S: This is probably obvious, but just in case you are wondering why we care so much about security: Expensify isn't just a place you go to talk. We process billions of real dollars. Accordingly, securing your account means securing your Expensify Card, your next day reimbursement flow, your invoiced income and bill payments. We are a single superapp that not only handles every financial flow for your business, but with our focus on Send/Request Money in New Expensify, also your personal payments. So I hope you'll take the security of your account as seriously as we do.
This post says "Your app will stay signed in unless we need to re-confirm your access", however, in reality the app logs out every time I use it. I hope there is a fix for this coming soon.