
On Technology: Expensify Forces Passwordless On Its Users And Good For Them

May 29, 2023

(This column originally appeared in Forbes)

For the past ten years my company has been using three very popular customer relationship management, accounting and office collaboration systems. And over the past ten years the security hasn’t changed. We’re still using passwords.

And this is a problem. I keep very confidential and important information in our systems. My employees make up their own passwords, but we all know how bad we are at coming up with unique ones, let alone changing them all the time, let alone remembering what we changed them to. I have a password vault, but those platforms sometimes concern me because they have a history of getting hacked, which is not very vault-like. Google and Microsoft have their own password managers, but these also don’t seem very secure because they’re device-driven, and if someone steals a device, well, that’s an issue.

And yes, many applications now give us the “options” to use a fingerprint or facial recognition and multi-factor authentication. But none of this is required and for me it’s hard to enforce. So I literally have people logging into my accounting system over an airport Wi-Fi using 123456 as their password. This is not very secure. I know this and I hate it. But there is a better way.

Expensify — a popular expense management platform — recently adopted a “passwordless” security procedure. The company’s founder, David Barrett, likes to use the popular phrase that describes this security methodology — “magic links” — when describing their new protocol but I think he’s just doing that because he’s always been a showman. There’s really nothing so magic about this.

In a recent blog post, Barrett describes the new procedure for Expensify’s users, which is really quite easy. Instead of doing the username and password thing, a user enters their email or phone number, a one-time, automatically generated, unique “magic link” (or code) is emailed or texted to them, and they’re in. There’s still two-factor authentication and other advanced security options on top of this procedure for those who want them, too.

“No matter how you slice it, passwords are a bad solution to an important problem,” Barrett wrote in a recent blog post. “It’s been over a century since speakeasies stopped using passwords in the prohibition era 1920’s, it’s long past due we stop using them to secure our most important financial data.”

Passwordless security isn’t innovative. It’s not new. It’s not unique to Expensify. But this type of access will soon be the standard. That’s because big tech is all-in.

Earlier this month Apple, Google and Microsoft together announced their plans to expand a passwordless sign-in for their websites and applications. They’ll be using a standard created by the FIDO Alliance (an association of security firms that develops and promotes authentication standards) and the World Wide Web Consortium.

As with anything in the world of technology, passwordless security has some flaws. Some experts warn of “interception bots” that could grab links while they are being sent from the server generating them. If someone has hacked your email or spoofed your wireless provider, then it would be easy for them to receive the magic link. I’m sure future hackers will come up with all sorts of ways to compromise passwordless systems.
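A minimal server-side sketch of the one-time link flow described above, showing the two properties that limit what an intercepted link is worth: a short lifetime and single use. This is an added example, not Expensify’s code; the class name, the 10-minute lifetime and the example.test URL are assumptions.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 600  # assumed 10-minute lifetime; the column gives no figure


class MagicLinkStore:
    """In-memory stand-in (hypothetical) for the table of pending sign-in links."""

    def __init__(self, clock=time.time):
        self._pending = {}  # sha256(token) -> (email, expires_at)
        self._clock = clock

    @staticmethod
    def _digest(token):
        # Only the hash is stored, so a leaked table cannot be replayed as links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email):
        """Create a one-time token for `email` and return the link to send."""
        # Drop earlier unused links for this address so only the newest works.
        self._pending = {d: v for d, v in self._pending.items() if v[0] != email}
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        expires_at = self._clock() + TOKEN_TTL_SECONDS
        self._pending[self._digest(token)] = (email, expires_at)
        return "https://app.example.test/signin?token=" + token

    def redeem(self, token):
        """Return the e-mail the token was issued to, or None if it is invalid."""
        # pop() makes the token single-use: a second presentation finds nothing.
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        email, expires_at = entry
        if self._clock() > expires_at:
            return None  # expired links are consumed and rejected
        return email


if __name__ == "__main__":
    store = MagicLinkStore()
    link = store.issue("pat@example.test")  # constructed sample address
    token = link.split("token=")[1]
    print(store.redeem(token))  # first use signs the user in
    print(store.redeem(token))  # replay of the same link is refused
```

Neither property helps if the mailbox itself is compromised, which is why the additional two-factor step mentioned earlier still matters.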

But if there’s one thing I’ve learned from being in this business for 20+ years, it’s that there’s no perfect security solution. Passwordless logins, however, are better than what we’re doing right now. So for me it’s not happening fast enough, and I’m concerned these companies won’t be tough enough. At least not as tough as Expensify.

That’s because Expensify is doing what all other application providers should be doing: forcing passwordless access on its users. No choices and no options — other than options to add additional layers of security if so inclined. Sure, users will grumble because no one likes change. But c’mon…this is not that hard and it won’t take long to learn.

As a business owner you should be talking to your IT consultants and managed service providers to implement passwordless security on your network and demanding that your business application providers do the same. If you’re looking to set this up on your own, Geekflare’s Hitesh Sant provides a great list of passwordless platform providers here.

Then do what Expensify is doing: force it on your users. It’s tough love and in everyone’s best interest.
