Passwords are dead. Long live magic links!
TL;DR - Now, you don't need your password to sign in. Instead, we send a "magic link" to your email/phone to confirm you are you, and you are let in with a click.
Our goal is to make Expensify a little better every day in every way, which is why we upgraded a very important flow: signing in.
It’s called a "passwordless" sign-in flow, which is widely recognized by the security industry as being a much better balance of security and convenience than the traditional password, for the following reasons:
The only way to remember a different password for each service is to make each password super simple, which is easy for an attacker to crack.
The only way to make a password hard to crack is to make it hard to memorize, which means you generally share the same password between many services. But then when one service is hacked, the attackers get access to all the others.
The only way to not share secure passwords between sites is to use a password manager to store them all, which makes them a lucrative target.
The only way to protect against a mass leak of all your passwords is to change them frequently, but changing your password often is actually insecure too.
No matter how you slice it, passwords are a bad solution to an important problem. It's been over a century since speakeasies stopped using passwords in the Prohibition-era 1920s, and it's long past time we stopped using them to secure our most important financial data.
How the new Expensify sign-in process works
So, here's how Expensify's new sign-in process works:
Imagine you go to expensify.com, or install the Expensify app.
You enter your email address or phone number to sign in.
Note: If your company uses SAML or SSO for sign-in (either of which might prompt you for a password), those keep working – you are unaffected.
A "magic link" will be emailed/texted to you – just click that link (or manually enter the "magic code"), and voila, you are signed in, quickly and securely, like magic!
Note: If you've enabled two-factor authentication (2FA) using a "one time password" (OTP) authenticator (which is a mouthful, but it's actually very easy and we strongly recommend it), you'll be asked to enter your sign-in code after clicking the magic link.
Your app will stay signed in unless we need to re-confirm your access (e.g., if you change your account’s login email or phone number), at which time a new magic link will be sent to reauthenticate you.
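The server side of the flow above, as an added example that is not Expensify's code: a token is issued for a login, redeemed when the link is clicked, and followed by an OTP step when 2FA is enabled. The names (`MagicLinkStore`, `issue`, `redeem`), the 10-minute lifetime, the in-memory store, and the single-use, hashed-at-rest token handling are assumptions, not details from this post.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 600  # assumed lifetime; the post does not state one


class MagicLinkStore:
    """Hypothetical in-memory store of pending sign-in tokens."""

    def __init__(self, users_with_2fa=(), clock=time.time):
        self._pending = {}  # sha256(token) -> (login, expires_at)
        self._users_with_2fa = set(users_with_2fa)
        self._clock = clock

    @staticmethod
    def _digest(token):
        # Only the hash is stored, so a leaked store does not yield usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, login):
        """Return a fresh token for `login`; the caller emails or texts it as the link."""
        # A new request invalidates any earlier unredeemed token for this login.
        self._pending = {d: v for d, v in self._pending.items() if v[0] != login}
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        expires_at = self._clock() + TOKEN_TTL_SECONDS
        self._pending[self._digest(token)] = (login, expires_at)
        return token

    def redeem(self, token):
        """Return (status, login); status is 'signed_in', 'needs_otp' or 'rejected'."""
        # pop() makes the token single use, even when it turns out to be expired.
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return ("rejected", None)
        login, expires_at = entry
        if self._clock() > expires_at:
            return ("rejected", None)
        if login in self._users_with_2fa:
            # The link proves control of the inbox only; the session is
            # granted after the authenticator code is verified.
            return ("needs_otp", login)
        return ("signed_in", login)
```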
Access Expensify the faster, safer, and easier way
It's a much better, safer, easier, and more convenient flow, and is fully rolled out for all accounts that formerly used Expensify passwords. Other than just enjoying this feature, you shouldn't need to do anything special.
However, it's probably a good time to:
Update your mobile app to make sure it has the latest magic sign-in flow.
Review your Secondary Logins under Settings > Account > Account Details > Secondary Logins to ensure the logins listed are up to date.
Secure your account through two-factor authentication (2FA)
Expensify makes sure your financial information stays safe
This is just one of many, many layered defenses Expensify has to protect your account data and financial flows. That now includes PCI level 1 certification, the highest level of security for businesses that manage credit card data.
If you have any questions at all about this new way to secure your account, just email us or start a chat with Concierge, and we'll help you out. Thanks!
-david
Founder and CEO of Expensify
Questions? Ask me on Twitter/X! @dbarrett
P.S: This is probably obvious, but just in case you are wondering why we care so much about security: Expensify isn't just a place you go to talk. We process billions of real dollars. Accordingly, securing your account means securing your Expensify Card, your next-day reimbursement flow, your invoiced income and bill payments. We are a single superapp that not only handles every financial flow for your business, but with our focus on Send/Request Money in New Expensify, also your personal payments. So, I hope you'll take the security of your account as seriously as we do.
FAQs about passwordless sign-in
- Passwordless sign in lets you log in using a magic link or one-time code sent to your email or phone — no password required.
- It’s faster, safer, and more convenient. Passwords are easy to forget, easy to reuse, and often stolen in breaches. Magic links remove those risks entirely.
- Enter your email or phone number, tap the magic link we send you, and you’re in. If you use 2FA, you’ll still enter your authentication code after clicking the link.
- Nothing changes. SAML and SSO continue to work exactly the same and aren’t affected by passwordless sign in.
- Check spam, verify your email or phone number is correct, and confirm notifications aren’t blocked. If it still doesn’t arrive, reach out to concierge@expensify.com.


