No password, no problem! Retiring passwords and introducing magic links

Sonia Liapounova
Sonia Liapounova Expensify Success Coach - Admin, Expensify Team Posts: 210 Expensify Team
edited April 2023 in Product Updates

So much of our lives revolve around the digital world where every new site requires a new password. It can be tempting to reuse a password to make login easier, but doing that can lead to security breaches. Not to mention, coming up with new passwords can be a challenge of its own because they can be hard to remember and easy to misplace. Our goal is to make your life easier and to keep your data safe, so we’re going passwordless!

How will it work?

We are moving to a system of magic links and codes. When you sign in we will send a link to the email or phone number you are signing in with. If you click the link on the device you are signing into, then you will be automatically logged in. If you click the link on another device, say you’re logging in on the mobile app but open the link on your computer, then you will be shown a code which you can enter into the authentication field on the device you’re logging into. If you are logging in with a Secondary Login, the link will be sent to that address.

For any action that requires additional validation, such as adding a bank account or merging accounts, we will send a magic link to your primary login address. Even though you will already be signed in, we take this extra precaution to further ensure your data is safe.

If you have 2FA enabled on your account, you will receive the magic link and you will also be prompted to enter your 2FA code. Although 2FA is not required, we strongly urge everyone to enable this feature - you can think of 2FA the same as having a safe inside your home!  

If you are using SAML to log into your account, your experience will not change. You will be able to continue using SAML as normal. The only time you will need to use the magic link is if you take an action that requires additional validation.

Any questions, feel free to get in touch via chat or



  • NetraBhandari123
    NetraBhandari123 Expensify Customer Posts: 1

    Its very nice to login by magic links. Its also save the time so mostly I like its.

  • jond
    jond Expensify Customer Posts: 1 Expensify Newcomer

    Due to an email account error I was locked out of my expensify account and consequently out of my accounting data which is years and years old.

    Me: Not receiving magic key emails

    Concierge: Click the link in the magic key email

    Me: But see, I'm not receiving magic key emails

    Concierge: Click the link in the magic key email

    Up until today I was extremely happy with expensify and looked forward to payroll and other services that are unrolling in the future. Today that's changed as the panic of saying goodbye to my accounting data for the last six years was locked behind a catch 22.

    I didn't have the ability to talk to someone in support but I also couldn't escalate the importance of my inability to access my company on the expensify platform and that I may have needed to pursue legal remedies through my lawyer to access my data.

    At one point during my customer service experience, I mentioned that I was willing to pay a ransom for access.

    As safe as expensify claims their data is, it's not safe from never being able to access it again. I was good with two factor authentication, I was good with using an old fashioned password. I was not good with them changing to email magic keys. This is a regressive policy and this could have caused months of transition and legal costs to to sue for access to my company. I'm relieved that I now have access but this story could have been so much worse.

  • cam
    cam Expensify Customer Posts: 4 Expensify Newcomer

    Not a single response from Expensify. Says it all. Time to move on? It is incredible they have not taken their users' vociferous objections into consideration. I have just been using the online chat to discuss, and they just don't hear us. They said, "We appreciate feedback for every change we do! Unfortunately, this is something we can't disable for now."

    I will be trying the free trial of Concur Expense. If anyone has any other alternatives they recommend please let me know!

  • jlbrown
    jlbrown Expensify Customer Posts: 1 Expensify Newcomer

    I agree with all the above comments, except for Netra's. I'm not adverse to change, and would welcome a change to Passkeys to remove passwords. But email is not the answer.

    Unless there is an option to turn this off soon, we'll have to leave Expensify. We were one of their first customers, when they were getting started.

    I'm guessing there will be a lot of other people looking at the competition now. Let us all know here if you find someone good.

    Expensify, please reconsider, and do so quickly.

  • PBRO_D1
    PBRO_D1 Expensify Customer Posts: 1 Expensify Newcomer

    Can you please bring back passwords to login? This is disrupting my business running smoothly because my employees don't all have an easy way to access their email addresses. Please!

  • Bvirden
    Bvirden Expensify Customer Posts: 1 Expensify Newcomer

    We have been using Expensify for a good long while and it has been the most solid of our apps sadly lol.

    But this update has broken the entire expense process with NetSuite. The integration no longer works since it's being driven by a phone number and not the core company email. This needs to be fixed ASAP!

  • EEJ
    EEJ Expensify Customer Posts: 1 Expensify Newcomer

    As others have stated, a terrible idea. There are other, secure options that don't complicate the simple process of logging in like this does. Seems like Expensify has not done their research of the net effect this will have on their customers. Pretty lame corporate decision.

  • thinkmark
    thinkmark Expensify Customer Posts: 2 Expensify Newcomer

    Agree it should be optional. Magic links are time-consuming. 2FA is secure and more prevalent. Let us use one or the other.

  • Maxrmcd
    Maxrmcd Expensify Customer Posts: 1 Expensify Newcomer

    Im surprised Expensify has made this mistake and is only going Magic link - having to wait for the code is making your software very frustrating for everyone I know.

    I will have to STOP using Expensify if you can't allow for a password. I Use TouchID on my Mac which is instantaneous and the best way for me to login. Now with Magic Links I can't and your the only software I have issues with.

    Clearly no one likes the change you made and you will loss customers if you can't revert.


  • DFWSteve
    DFWSteve Expensify Customer Posts: 1 Expensify Newcomer

    It is irritating to have to open my email client to log into Expensify. I use a password manager + MFA / authenticator. Easy. Secure as hell. Simple. Going back to email is like regressing to a rotary dial landline phone. Who came up with the "magic number" idea anyway? They should be sent packing.

  • garycoukell
    garycoukell Expensify Customer Posts: 1 Expensify Newcomer

    I absolutely hate this change. If there is one single thing that will make me switch programs, it is this. Please for the love of all things sensible, switch back to passwords.

  • spine21
    spine21 Expensify Customer Posts: 1 Expensify Newcomer

    This change is nonsense as security is already provided with password and MFA, a measurement that the whole world now has accepted as THE standard for a secure login procedure. This needs to be changed to optional! Expensify - read those comments, listen to what the majority wants and act properly!

  • ChadV
    ChadV Expensify Customer Posts: 2 Expensify Newcomer

    One month in, magic links remain irritating. The developers have done a good job, and the emails have arrived quickly and reliably so far, but it's still added friction, and it bothers me every time.

  • Christina Dobryzynski
    Christina Dobryzynski Expensify Success Coach - Admin, Expensify Team, Expensify Student Ambassador Posts: 267 Expensify Team

    Thank you so much for taking the time to provide feedback about passwordless and how it impacts you. We’ve been intentionally slow to respond to this thread (although we’ve been watching it) because we want to be cautious about discussing security changes in a public forum.

    As with all product updates, we appreciate feedback because it helps us improve our product and magic codes for future iterations. I’ve outlined the mentioned obstacles and solutions below;

    1) Make it optional.

    Current Solution: it is an option to enable SAML at the domain level, which will revert to password sign-in.

    2) It adds extra time and steps when using multiple devices.

    Current Solution: We added infinite sessions, so you only need to sign in once per device. The intention is to minimise the need to use magic codes.

    3) Magic codes depend on internet or phone service, which sometimes isn’t available when travelling or working remotely.

    Current Solution: You can get the emailed magic codes if you have internet/wifi. If you’re travelling and don’t have SMS, you can add an email as a secondary login to your account, allowing you to sign in. 

    4) Emails can be compromised too.

    Current Solution: This is unfortunately true. Our focus is protecting your Expensify account. It’s essential to lock your devices and use multi-authentication measures wherever possible. 

    Please continue to provide more feedback about how this affects your workflow so we can consider these when improving magic codes.

  • drich
    drich Expensify Customer Posts: 1 Expensify Newcomer

    Can you make this optional? It is absolutely inefficient and unnecessary. I just had to wait for 7 emails because the system glitched which means I lost 15 minutes for nothing.

  • zonker
    zonker Expensify Customer Posts: 1 Expensify Newcomer

    So to get this straight, you're removing existing passwords password and moving to a mechanism which transmits the password in cleartext over the internet, and stores it in cleartext on the mail server, with no option to opt out? Wow.

    Ignoring the practical issues that several other people have raised, could someone from Expensify point out the section in NIST or ISO27K where it says this is an acceptable security practice?

    NIST / SOC3 / ISO27K certified organisations who use Expensify are unlikely to be able to accept this style of egregious and unnecessary security risk being imposed by Expensify.

    Please leave an option for password + 2fa.

  • cam
    cam Expensify Customer Posts: 4 Expensify Newcomer

    Hi Christina,

    Thank you for your post. Unfortunately there has still been no justification or explanation of the decision to make this egregious change, and the 'solutions' in your post for the most part do nothing to mitigate the frustration users experience, or the destruction of basic security that this has engendered.

    To respond to your numbered solutions:

    1) enabling SAML is not a viable solution for many organisations, and the implementation costs, including training and support, are an unnecessary burden to essentially bring back passwords!!

    2) adding infinite sessions once again is a downgrade in security. Instead of encouraging best practise logging out after each session you are encouraging people to get out of the habit of signing out of any session across all websites they visit.

    3) not sure I follow the logic of using email as a secondary login helps if you don't have access to the internet.

    4) now you suggest we lock devices and use MFA whenever possible after having just removed my highly secure MFA from Expensify??!! Locking my device makes no difference if someone has access to my email account.

    Christina, I have confidence that every single person in Expensify knows that this was a completely wrongheaded mistake, and the only course of action is to reverse this decision and reinstate passwords with MFA (e.g. one time codes, hardware tokens, etc.) while also adding PassKeys, which will future-proof secure login for Expensify users.

    We would all be grateful to know when this will happen, because we really need to be able to tell our staff some good news.