Expensify · stephanieelliott · Jan 19, 2026 · Jan 8, 2026 · Jan 8, 2026 · Jan 11, 2026
@@ -1,35 +1,39 @@
 ---
 title: Two-Factor Authentication (2FA)
 description: Learn how to set up, use, and recover your Expensify account with two-factor authentication (2FA), including lost device and admin recovery options.
-keywords: [Expensify Classic, two-factor authentication, 2FA, login security, authenticator app, recovery codes, locked out, lost phone, account recovery, Domain Admin reset]
+keywords: [New Expensify, two-factor authentication, 2FA, login security, authenticator app, recovery codes, locked out, lost phone, account recovery, Domain Admin reset, backup codes.
 ---
 
-Two-factor authentication (2FA) adds an extra layer of protection to your Expensify account. This guide covers setup, login expectations, recovery steps if you lose access, and admin override options.
+Setting up two-factor authentication (2FA) in New Expensify adds an extra layer of protection to your account. This guide explains how to enable 2FA and what to expect if you're ever locked out.
 
 ---
 
-# How two-factor authentication works
+# Who can use Two-Factor Authentication in Expensify Classic
 
-When logging in:
-1. Enter your email and the magic code sent to your inbox.
-2. Enter a 6-digit code generated by your authenticator app (such as Google Authenticator, Microsoft Authenticator, or Authy).
-
-Codes refresh every few seconds. If one expires, simply open the app for a new code.
+Anyone can enable Two-Factor Authentication on their own account. Domain admins can also enable Two-Factor Authentication for domains, which forces each domain member to set up Two-Factor Authentication on their account. 
 
 ---
 
 # How to enable two-factor authentication
 
-1. From the left-hand menu, select **Account > Security**.
-2. Under **Security options**, select **Two-Factor Authentication**.
-3. Follow the prompts to enable 2FA.
-4. **Save your backup codes**—these are essential for account recovery.  
-   - Select **Download** to save the codes securely.  
-   - Select **Copy** to paste them into a password manager or secure file.  
-5. Open your authenticator app and connect it to Expensify by:  
-   - Scanning the QR code, or  
-   - Entering the setup code manually.  
-6. Enter the 6-digit verification code and select **Verify**.
+1. Ensure an authenticator app is installed on your device. 
+2. From the left-hand menu, select **Account > Security**.
+3. Under **Security options**, select **Two-Factor Authentication**.
+4. Enable **Two-factor authentication**.
+4. Save a copy of your backup codes:
+   - Click **Download** to save them to your computer.
+   - Click **Copy** to store them in a secure location.
+**Important:** If you lose access to your authenticator app and didn’t save your recovery codes, you may permanently lose access to your account. Consider adding 2FA on multiple devices (e.g., phone and tablet) for backup.  
+5. Click **Continue**.
+6. Open your authenticator app and either:
+   - Scan the QR code displayed on your screen.
+   - Enter the 6-digit code from your authenticator app into Expensify and then click **Verify**.
+
+**Once set up, when logging into Expensify, you will:**
+- Receive a Magic Code email to initiate login.
+- Be prompted to enter a 6-digit code from your authenticator app.
+
+If you receive a message that the code is expired, open your authenticator app to get the most recent code.
 
 ---
 
@@ -41,46 +45,63 @@ After setup, login requires both:
 
 ---
 
-# Recovery options
+## For Domain Admins: Reset Two-Factor Authentication for a member
+
+If a member loses access to their authenticator app or recovery codes, you can reset their 2FA — *but only if*:
+- They use a company email on your verified domain, **and**
+- You (the Domain Admin) also have 2FA enabled
+
+To reset a member’s 2FA settings:
 
-Backup recovery codes work like one-time passwords. They are your fastest recovery method if you lose access to your authenticator app.
+1. Go to **Settings > Domains > Domain Members**.
+2. Click **Edit Settings** for the affected email address.
+3. Click **Reset** to disable 2FA.
+4. The member can now log in and set up 2FA again.
 
-**Tip:** Store unused recovery codes in a secure, offline location. Each code can only be used once.
+If your domain doesn't have 2FA enabled yet:
 
-## If you lost your device and have no recovery codes
-- **Individual account**: If you're using a public domain (like gmail.com or outlook.com), you'll need to create a new Expensify account with a different email. Concierge can assist with transferring access to any shared Workspaces.  
-- **Domain account**: A **Domain Admin** can reset your 2FA. Once reset, you’ll log in normally and set up 2FA again.
+1. Go to **Settings > Domains > Domain Members**.
+2. Enable **Two-Factor Authentication**.
+3. Then follow the steps above to reset 2FA for the member.
 
-# Admin recovery and overrides
+**Note** Domain Admin 2FA resets are only available in Expensify Classic. To complete these steps, temporarily [switch to Expensify Classic]([url](https://help.expensify.com/articles/new-expensify/settings/Switch-between-New-Expensify-and-Expensify-Classic.html)). 
 
-## If a Domain Admin is available
-- Domain Admins can reset a member’s 2FA by going to:  
-  **Settings > Domains > [Domain Name] > Members > Security Settings**  
-- Select the member, then disable their 2FA.  
+---
+
+## What to do if you're locked out because of Two-Factor Authentication
 
-## If the enforcing Domain Admin has left
-1. Verify domain ownership by proving control of the domain’s email DNS or MX records.  
-2. Assign a new Domain Admin in **Settings > Domains > [Domain Name] > Domain Settings**.  
-3. Once the new admin is assigned, follow the steps above to reset 2FA for affected members.
+If you can’t access your authenticator app and don’t have your recovery codes, contact your Domain Admin to reset your 2FA. 
 
-# Best practices
+If no Domain Admin is available and you're using a company email, you can follow [this guide](https://help.expensify.com/articles/new-expensify/workspaces/Claim-and-Verify-a-Domain) to claim the domain and reset your 2FA settings yourself.
 
-- Save your recovery codes as soon as you set up 2FA.  
-- Consider adding 2FA on multiple devices (e.g., phone and tablet) during setup for backup.  
-- Keep your device’s clock set to the correct time—codes depend on accurate timing.  
+For more help regaining access, see [Troubleshoot login issues](LINK).
 
 ---
 
 # FAQ
 
-## Why should I use 2FA?
-It prevents unauthorized access, even if someone has your login email or password.
+## How does 2FA change how I log into my account? 
+
+Setting up two-factor authentication (2FA) adds an extra layer of security to protect your Expensify Account. When you log in, you must enter a code generated by your preferred authenticator app (such as Google Authenticator or Microsoft Authenticator).
+
+## How does 2FA work? 
+
+Expensify's 2FA is implemented via a Time-based One-Time Password (TOTP) algorithm. Each time you log in, you must use an authenticator app to generate a unique 6-digit code, adding a second “factor” to your login.
+
+## What can I do if I can't access my authenticator app? 
+
+When you enable 2FA, you are prompted to either copy or download backup codes which you can use in lieu of the 6-digit authenticator code. If you downloaded the codes they will be saved with the file name `two-factor-auth-codes`. 
+
+If you are unable to access the codes, see [Troubleshoot login issues](LINK) for instructions. 
+
+## What authenticator apps does Expensify recommend? 
 
-## What if I lose my phone or uninstall the app?
-Use a recovery code to log in, then disable and re-enable 2FA on your new device.
+You can use any authenticator app, but here are a few we recommend:
 
-## Can I use 2FA on more than one device?
-Yes. Scan the setup QR code with multiple devices when enabling 2FA.
+- [1Password](https://support.1password.com/one-time-passwords/)
+- [Authy](https://authy.com/)
+- [Google Authenticator](https://support.google.com/accounts/answer/1066447)
+- [Microsoft Authenticator](https://www.microsoft.com/en-us/security/mobile-authenticator-app)
 
 ## What if my verification code isn’t working?
-Check your device’s time settings. Authenticator apps rely on accurate system clocks.
+Make sure your device’s clock is set to update automatically. Authenticator apps rely on your system clock being accurate, and even a small time difference can cause verification codes to fail.
@@ -377,7 +377,7 @@ function MoneyRequestView({
         (isExpenseUnreported && (!policyForMovingExpenses || hasEnabledOptions(policyCategories ?? {})));
     // transactionTag can be an empty string
     // eslint-disable-next-line @typescript-eslint/prefer-nullish-coalescing
-    const shouldShowTag = (isPolicyExpenseChat || isExpenseUnreported) && (transactionTag || hasEnabledTags(policyTagLists));
+    const shouldShowTag = (isPolicyExpenseChat || isExpenseUnreported) && (transactionTag || (canEdit && hasEnabledTags(policyTagLists)));
     const shouldShowBillable =
         (isPolicyExpenseChat || isExpenseUnreported) && (!!transactionBillable || !(policy?.disabledFields?.defaultBillable ?? true) || !!updatedTransaction?.billable);
     const isCurrentTransactionReimbursableDifferentFromPolicyDefault =
@@ -721,7 +721,7 @@ function MoneyRequestView({
                 }
             }
         } else {
-            shouldShow = !!tagForDisplay || hasEnabledOptions(tags);
+            shouldShow = !!tagForDisplay || (canEdit && hasEnabledOptions(tags));
         }
 
         if (!shouldShow) {