FAQ: Troubleshooting two-factor authentication issues

Christina Dobryzynski
edited December 2020 in Product Updates

What is an Authenticator App? How do I use one?

Expensify's two-factor authentication is implemented with the Time-based One-Time Password (TOTP) algorithm. This requires an authenticator app which, once given your secret key, generates new codes that you will need to enter every time you log in.

There are many authenticator apps out there but the ones Expensify recommends are:

My recovery codes and authenticator app are gone - what do I do?

Is your Expensify account linked to a public domain email (like gmail, hotmail, etc.)? 

Unfortunately, if the authenticator app and recovery codes are gone, there isn’t anything we can do to get you signed in to your account. 

The best option here would be to search for the downloaded recovery codes on your computer or phone.

If you can’t locate them, you can create a new Expensify account with a different email address. 

Is your Expensify account linked to a private domain (i.e., your work email address)? 

If so, reach out to a domain admin and ask them to sign in to their Expensify account on the web app at www.expensify.com, head to Settings > Domains > Domain Members, and click Edit Settings for your email.

They can click the Reset button to reset two-factor authentication (2FA) on your account. This will allow you to gain access to your account on the web or mobile app and reconfigure 2FA.

If no domain admin exists yet, follow the steps in this guide to verify the domain.

With both of these solutions, once 2FA is disabled, you’ll want to reconfigure 2FA following the steps in this support article.


I’m getting an “Invalid Two Factor Authentication code. Please re-enter the code from your authenticator app” error. What can I do to resolve this?

This error usually happens when your phone’s clock is slightly off, so the time-based codes from your authenticator app don’t line up with the time Expensify expects.

Make sure your phone’s time is set to the automatic / network time in the phone settings.

Then try to sign in to your account on the web app at www.expensify.com. Once you’re in, you can enable 2FA following the steps in this support article.

I can’t sign into Expensify on my mobile app. It seems to be an issue with 2FA.

If you have your recovery codes or access to the authenticator app on your mobile device, try to sign in to your Expensify account on a web browser at www.expensify.com.

Then disable 2FA at Settings > Accounts > Account Details > Two Factor Authentication. This should allow you to sign in to your mobile app. 

Once you’re signed in on the mobile app, you can enable 2FA following the steps in this support article.

If you’re still having trouble, please reach out to concierge@expensify.com.


I can’t sign into Expensify on my web app. It seems to be an issue with 2FA.

Check to see if you are signed into Expensify on your mobile app. If you are, head to Settings on the mobile app and disable 2FA. 

Then try to sign in to your account on the web app at www.expensify.com. Once you’re in, you can enable 2FA following the steps in this support article.

If you’re still having trouble, please reach out to concierge@expensify.com.


What does the 2FA toggle on the Domain Members page do?

By enabling (requiring) 2FA on the Domain Members page, you are requiring that all domain members set up 2FA when they sign in using email address/phone number and password (not when they sign in through SAML, Google Apps, or Apple).

If they have not yet set up 2FA, they will be prompted to do so before they can use their Expensify account.


What does the 2FA toggle in a domain member’s settings do?

The 2FA toggle at Settings > Domains > [Domain Name] > Domain Members > Edit Settings allows you to disable 2FA for a specific domain member while keeping the permissions enabled for all other members of your domain. 

By enabling (requiring) or disabling (making not required) 2FA by clicking Edit Settings for an individual domain member, you are overriding the domain’s settings for that individual user. This can be used to temporarily or permanently not require a specific domain member to use 2FA (while other domain members are required to use 2FA).


What does the Reset button do?

The Reset button prompts an employee to set up 2FA on their Expensify account.

Domain Admins, use the Reset button for employees who can't sign into their Expensify account and have lost their authenticator app or recovery codes.

The Reset button is at Settings > Domains > [Domain Name] > Domain Members > Edit Settings.
