Two-factor authentication (2FA)


Overview

Two-factor authentication (2FA) is an extra layer of security that prevents unauthorized access to your account. 2FA is achieved by either setting up SMS authentication or installing a general-purpose authenticator app on your mobile device. 2FA is required for all Brex users.

We recommend using an authenticator app (see examples below). Authenticator apps provide greater security than SMS, and can be used without a working cell network.

Note: Brex doesn’t require installation or download of a browser extension to access your account. You should always exercise caution when installing browser extensions.


How it works

When you sign in to Brex using 2FA, you’ll receive a prompt to provide a verification code in addition to your password. Brex offers two ways to receive a code:

  • [Recommended] Authenticator app (e.g., Google Authenticator, Twilio Authy, Okta, Duo, 1Password)
  • SMS text message

Please read the relevant section below to either set up 2FA for the first time or switch from one method to the other.

Note: If you’re using SSO as your preferred sign-in option, you won’t need to complete 2FA during sign-in.


Setup

Authenticator app setup

Step 1: Download an authenticator app.

  • Google Authenticator: iPhone, Android
  • Twilio Authy: iPhone, Android
  • Okta: iPhone, Android
  • Duo Mobile: iPhone, Android

Step 2: After downloading your app of choice, ensure that your device's date and time settings are configured to Automatic mode. Authenticator apps generate 2FA codes using the current time on your device, so if the time is set incorrectly, the wrong code will be generated.

Step 3: Click your company name at the top right of your dashboard and go to Personal settings.

Step 4: Under Personal, find Two-factor authentication and click Change method.

Step 5: Choose Authenticator app and click Continue.

Step 6: Open your authenticator app and use it to scan the QR code, then click Continue. Note: If you can’t scan the QR code, choose manual entry on your app, and enter the code shown on the screen.

Step 7: Enter the six-digit code from your authenticator app and click Continue (the code typically expires after 30 seconds).

Step 8: Copy or download the recovery codes and save them in a secure place, then click Continue.

Once 2FA is enabled, it cannot be disabled. If you ever lose your phone, you can use your recovery codes to sign in to Brex. Each recovery code can be used once. If you do not have access to your recovery codes, you can contact your admin to receive a one-time recovery code via email.
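Why the device clock in Step 2 matters, as an added example (not Brex's code): it assumes the authenticator apps listed above generate standard RFC 6238 TOTP codes (HMAC-SHA-1, six digits, 30-second step) and that the verifier tolerates one step of drift either side, which is a common default rather than documented Brex behavior. The secret is the RFC's published test key and all function names are illustrative.

```python
import hashlib
import hmac
import struct

# Constructed sample input: the shared secret is the RFC 6238 test key,
# and SERVER_TIME is one of the RFC's test timestamps (Unix seconds).
SECRET = b"12345678901234567890"
SERVER_TIME = 1111111109


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 code for the time step that contains unix_time."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # RFC 4226 dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret: bytes, submitted: str, server_time: int,
           window: int = 1, step: int = 30) -> bool:
    """Accept the code for the current step or `window` steps either side.

    The +/-1 step tolerance is an assumption made for this example.
    """
    for drift in range(-window, window + 1):
        expected = totp(secret, server_time + drift * step, step)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def skew_outcomes(secret: bytes, server_time: int, skews) -> dict:
    """Map each device clock error (seconds) to whether its code is accepted."""
    return {
        skew: verify(secret, totp(secret, server_time + skew), server_time)
        for skew in skews
    }


if __name__ == "__main__":
    # A phone that is 20 s fast still lands inside the tolerated window;
    # a phone that is 5 minutes off produces a code the server rejects.
    for skew, ok in skew_outcomes(SECRET, SERVER_TIME, [0, 20, 300, -300]).items():
        print(f"device clock off by {skew:+4d}s -> accepted: {ok}")
```
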

SMS text message setup

We strongly recommend using an authenticator app, as this provides greater security and does not require a working cell network to use. However, if you prefer to use SMS messaging, please follow these instructions.

Step 1: Click your company name at the top right of your dashboard and go to Settings.

Step 2: Under Personal, find Two-factor authentication and click Change method.

Step 3: Choose Text Message and click Continue.

Step 4: Enter the phone number you want your code sent to and click Continue. This phone number will replace any existing phone number on your account and will be used for customer communications and fraud prevention moving forward.

Step 5: Enter the six-digit code sent to your phone number and click Continue (the SMS code will typically expire after three minutes).

Note: Once 2FA is enabled, it cannot be disabled. If you don’t receive your SMS code, your admin can generate a one-time recovery code via email.


Reset 2FA

If your 2FA code has stopped coming through, you or your admin can reset your 2FA method.

For users

Note: If you’ve elected to receive SMS codes to complete 2FA, this option won’t be available. Instead, please contact your admin to receive a one-time 2FA recovery code by email to access your account and follow the instructions in the email to reset your 2FA.

Step 1: Sign in with your email and password.

Step 2: When asked to enter a 6-digit code, click Reset your two-factor authentication below Enter code.

Step 3: We’ll send a 6-digit SMS code to the phone number associated with your Brex account. Enter the code on this page and click Sign in.

Step 4: In the authenticator app of your choice, remove your Brex account.

Step 5: In your dashboard, go to Personal settings > Two-factor authentication.

Step 6: Click Setup, make sure you have Authentication app selected, and click Continue.

Step 7: In your authenticator app, click the + sign or Add and scan the QR code from your Brex dashboard. Once the code scans, click Continue. Note: If you have problems scanning the code, choose Enter manually and input the code shown on screen instead.

Step 8: Enter the six-digit code from your authenticator app and click Continue. The code will expire in 30 seconds.

Step 9: Copy or download the new recovery codes and make sure you’ve stored them in a secure place. When you’re done, click Continue. Note: After enabling 2FA, it cannot be disabled. If you don’t have access to your phone, you can use each recovery code one time to access your Brex account.

Step 10: Sign in to your Brex app using the six-digit code from your authenticator app to make sure that it’s working.

For admins

If a member of your team is unable to access their account as their phone number has changed, admins have the ability to send a 2FA recovery code by email. To do so, please follow the steps below:

Step 1: In your Brex dashboard, go to Teams.

Step 2: Click on the user who needs to have their 2FA reset.

Step 3: Click User actions > Send 2FA recovery code > Send code.

This will send an email to the address your employee has on file that includes the recovery code and instructions to reset their 2FA settings. This code will only be valid for 2 hours. To complete the 2FA reset and to ensure that their 2FA is reset moving forward, the user will need to follow the setup steps listed above.
