
Protect your account with 2FA, Google Sign-On or SAML SSO

Help prevent unauthorized access, reduce the risk of phishing attacks, and gain better control over how your team signs in.

Updated this week

To help keep your Fin workspace secure, we offer several authentication options for teammates. These methods help prevent unauthorized access, reduce the risk of phishing attacks, and give you better control over how your team signs in.

You can configure:

  • Google Sign-In — Let teammates log in with their Google Workspace accounts

  • Two-Factor Authentication (2FA) — Require a second authentication step when signing in

  • SAML Single Sign-On (SSO) — Enforce authentication via your identity provider (Enterprise only)


Get started

Go to Settings > Security > Workspace and choose the option you’d prefer under "Authentication methods".

Method                    | Availability    | Enforcement     | Security
--------------------------|-----------------|-----------------|------------
Email & Password          | All plans       | N/A             | ❌ Poor
Email & Password with 2FA | All plans       | Can be enforced | ✅ Improved
Require Google Sign-In    | All plans       | Can be enforced | ✅ Strong
Require SAML              | Enterprise only | Can be enforced | ✅ Strong

Note:

Turn off email and password logins

We strongly recommend turning off email and password login. Passwords are the most common entry point for attackers. They're prone to phishing, reuse, and weak security practices. Use SSO and/or Google Sign-In with 2FA to provide stronger protection for your workspace.

You should disable email and password logins by turning off the toggle beside Email & Password in Settings > Security > Authentication methods.

1. Two-Factor Authentication (2FA)

If you have to let your teammates log in with email and password, you can add an extra layer of security with two-factor authentication. Teammates supply a one-time code from an authenticator app such as Google Authenticator or Authy when they log in.

  • Can be enforced workspace-wide

  • Each teammate sets up their own device

If teammates have not already set up two-factor authentication when you enable this for your workspace, they'll be prompted to do so on their next login.

2. Google Sign-In

Let teammates log in with their Google Workspace accounts.

  • Easy to enable from your security settings

  • Optional domain restriction (e.g. only @example.com users)

3. SAML SSO

Allow your team to log in via your Identity Provider (like Okta, Azure AD, or OneLogin).

  • Supports Just-in-Time (JIT) provisioning and SCIM

  • Requires DNS domain verification and IdP configuration

Tip: Integrating your Fin workspace with an identity provider like Okta or OneLogin is the most secure and simple way for your team to log in.

Follow the steps in this article to configure your identity provider and either require SAML SSO (Single Sign-On) from all your teammates or offer it as one of your sign-in options.


Login protection & notifications

Your Fin workspace also continuously monitors login activity and automatically protects teammate accounts. If we detect a suspicious email/password login for a teammate account, we force email verification before the login can be completed. This includes:

  • Intelligent Login & Session Protection: Extra verification for unusual login patterns and advanced measures against abuse.

  • Security Notifications: Timely alerts about potential security events.

The teammate receives a verification email and must enter the unique verification token it contains before they can proceed.
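The page does not say which signals count as suspicious. As an added illustration, not Fin's own logic, the Python below shows the shape of such a check: a per-teammate baseline of previously successful IPs and user agents plus a recent-failure counter, evaluated over constructed sample login records. The thresholds, field names and sample data are assumptions, and the email-verification step itself is not modelled.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class LoginAttempt:
    teammate: str
    ip: str
    user_agent: str
    success: bool  # outcome of a past attempt; ignored on the attempt being evaluated
    ts: int        # unix seconds


FAILURE_WINDOW = 3600  # assumption: look back one hour for failed attempts
MAX_FAILURES = 5       # assumption: five failures in the window counts as abuse


def suspicious_reasons(history: List[LoginAttempt], attempt: LoginAttempt,
                       failure_window: int = FAILURE_WINDOW,
                       max_failures: int = MAX_FAILURES) -> List[str]:
    """Return the reasons an email/password login should be held for email
    verification (empty list = let it through). Signals are illustrative:
    a never-seen IP or user agent for this teammate, or a burst of failures."""
    mine = [h for h in history if h.teammate == attempt.teammate]
    known_ips = {h.ip for h in mine if h.success}
    known_agents = {h.user_agent for h in mine if h.success}
    recent_failures = sum(
        1 for h in mine if not h.success and 0 <= attempt.ts - h.ts <= failure_window
    )
    reasons = []
    # A teammate with no successful history has no baseline yet, so only the
    # failure signal can fire for them.
    if known_ips and attempt.ip not in known_ips:
        reasons.append("new ip")
    if known_agents and attempt.user_agent not in known_agents:
        reasons.append("new user agent")
    if recent_failures >= max_failures:
        reasons.append("failure burst")
    return reasons


def requires_email_verification(history: List[LoginAttempt], attempt: LoginAttempt) -> bool:
    return bool(suspicious_reasons(history, attempt))


NOW = 1_700_000_000
# Constructed sample records, not real log data.
SAMPLE_HISTORY = [
    LoginAttempt("alice", "203.0.113.10", "Firefox/120", True, NOW - 86_400),
    LoginAttempt("alice", "203.0.113.10", "Firefox/120", True, NOW - 7_200),
]
FAILURE_BURST = [
    LoginAttempt("alice", "203.0.113.10", "Firefox/120", False, NOW - 60 * i)
    for i in range(1, 6)
]


def demo() -> dict:
    """Evaluate a few constructed attempts against the sample history."""
    usual = LoginAttempt("alice", "203.0.113.10", "Firefox/120", True, NOW)
    new_ip = LoginAttempt("alice", "198.51.100.7", "Firefox/120", True, NOW)
    new_all = LoginAttempt("alice", "198.51.100.7", "Chrome/119", True, NOW)
    newcomer = LoginAttempt("bob", "192.0.2.5", "Safari/17", True, NOW)
    return {
        "usual": suspicious_reasons(SAMPLE_HISTORY, usual),
        "new_ip": suspicious_reasons(SAMPLE_HISTORY, new_ip),
        "new_ip_and_agent": suspicious_reasons(SAMPLE_HISTORY, new_all),
        "after_failure_burst": suspicious_reasons(SAMPLE_HISTORY + FAILURE_BURST, usual),
        "first_login_ever": suspicious_reasons(SAMPLE_HISTORY, newcomer),
    }


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(f"{name}: {'verify by email' if reasons else 'allow'} {reasons}")
```

The baseline is built only from successful logins, so an attacker's failed guesses never teach the system to trust their IP address.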


Teammate options

Enable 2FA on your individual Fin account

You can enable 2FA on your own Fin account, separate from the settings of any workspace you're a member of, from Settings > Account security under the Two Factor Authentication (2FA) section.

We use a QR-based system to set up an authenticator app. Your Fin workspace is compatible with popular authenticator apps like Google Authenticator and Authy.

Teammates with 2FA enabled for their account should download their individual Recovery Codes by going to Settings > Account security. Once there, if 2FA is enabled, they should see a link they can click to download these codes.

Important: You should generate and securely save your recovery codes to avoid potentially being locked out of your account.

Recovery codes are especially useful if you encounter issues with your authenticator app or lose access to your device. If your recovery codes are missing or not working, you can request a new recovery code to be sent to your registered email. Use this code to log in and reset your 2FA connection by disabling and re-enabling 2FA in Settings > Account security.
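To make the single-use, keep-them-safe advice concrete, here is an added example (not Fin's implementation) of how a service can issue recovery codes and store only their hashes, so a leaked database does not leak usable codes and each code works exactly once. The code length, the grouping and the count of ten per set are assumptions.

```python
import hashlib
import hmac
import secrets

CODES_PER_SET = 10
CODE_BYTES = 8  # 64 bits of entropy per code; treat each one like a password


def normalize(code: str) -> str:
    """Accept the code however the user typed it: case, spaces and hyphens are ignored."""
    return "".join(ch for ch in code.lower() if ch.isalnum())


def format_code(raw_hex: str) -> str:
    """Group the 16 hex characters as xxxx-xxxx-xxxx-xxxx for the downloaded sheet."""
    return "-".join(raw_hex[i:i + 4] for i in range(0, len(raw_hex), 4))


def code_digest(code: str) -> str:
    # The codes are random and high-entropy, so plain SHA-256 is adequate here;
    # salted slow hashes are for low-entropy secrets such as user-chosen passwords.
    return hashlib.sha256(normalize(code).encode()).hexdigest()


class RecoveryCodeStore:
    """Per-account set of unused recovery-code digests. Plaintext exists only at issue time."""

    def __init__(self) -> None:
        self._unused = set()

    def issue(self, count: int = CODES_PER_SET) -> list:
        """Generate a fresh set and invalidate any earlier set (downloading new codes)."""
        codes = [format_code(secrets.token_hex(CODE_BYTES)) for _ in range(count)]
        self._unused = {code_digest(c) for c in codes}
        return codes  # show or download these once, then forget them

    def redeem(self, candidate: str) -> bool:
        """Consume a code: True exactly once per code, False for unknown or used codes."""
        digest = code_digest(candidate)
        match = None
        for stored in self._unused:
            # Compare against every entry so timing does not reveal which one matched.
            if hmac.compare_digest(stored, digest):
                match = stored
        if match is None:
            return False
        self._unused.discard(match)
        return True

    def remaining(self) -> int:
        return len(self._unused)


if __name__ == "__main__":
    store = RecoveryCodeStore()
    issued = store.issue()
    print("codes to save:", *issued, sep="\n")
    print("first use:", store.redeem(issued[0]), "second use:", store.redeem(issued[0]))
```

Because `issue()` replaces the whole set, downloading a new sheet of codes silently retires the old one, which is the behaviour you want if the old sheet might have been exposed.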

Note: If you created your account with Google sign-on, you won't see an option to set up 2FA until you set a password. You can do this through the password reset flow, using the 'Forgot your password?' link on the login page. Once you have a password, configure or disable 2FA under your account settings.

Migrating your authenticator app to a new device

To migrate to a new device, you must disable and re-enable 2FA. Follow these steps:

  1. Toggle off Enable 2FA under "Two Factor Authentication (2FA)".

  2. After disabling 2FA, toggle it back on to set it up with your new phone.

  3. Scan the QR code displayed on your computer screen using the authenticator app on your new phone.


Troubleshooting

Common 2FA Issues

If your authenticator app codes are not working, try the following strategies:

  1. Device Settings and App Synchronization:

    • Ensure your mobile device’s time and date settings are set to "Set Automatically," as discrepancies can cause codes to fail.

    • Restart your mobile device to re-sync the time settings of your authenticator app.

  2. App Reconfiguration:

    • Reset your 2FA connection by disabling and re-enabling it in Settings > Account security. Then, scan a new QR code using your authenticator app.

    • If possible, use a different authenticator app as a backup.
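Why the time and date setting matters: an authenticator code is a function of the shared secret and the current 30-second time step, so a phone clock that is minutes off produces codes the server never expects, while a few seconds of drift is absorbed by the server's tolerance window. The following Python is an added example, not Fin's code; it implements standard HOTP/TOTP (RFC 4226 and RFC 6238) with the one-step tolerance most services use. The secret shown is the public RFC test key, and the skew offsets are assumed values.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # default time step used by Google Authenticator, Authy and most TOTP apps
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: the counter is the number of `step`-second intervals since the
    epoch. This is what the phone computes, from its own clock."""
    return hotp(secret, int(unix_time // step))


def verify_totp(secret: bytes, code: str, unix_time: float,
                window: int = 1, step: int = STEP_SECONDS) -> bool:
    """Server-side check: accept the current step plus `window` steps either side
    (one step absorbs normal drift and typing delay), comparing in constant time."""
    current = int(unix_time // step)
    return any(
        hmac.compare_digest(hotp(secret, current + delta), code)
        for delta in range(-window, window + 1)
    )


def skew_outcomes(secret: bytes, server_time: float,
                  phone_offsets_seconds=(0, 25, 120)) -> dict:
    """For each phone-clock offset, compute the code the phone would display and
    whether the server accepts it. Offsets are assumed values for illustration."""
    return {
        offset: verify_totp(secret, totp(secret, server_time + offset), server_time)
        for offset in phone_offsets_seconds
    }


# The raw bytes behind the QR code / base32 string; this is the RFC 6238 test key.
DEMO_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    for offset, accepted in skew_outcomes(DEMO_SECRET, 1_700_000_000).items():
        print(f"phone clock off by {offset:+d}s -> {'accepted' if accepted else 'rejected'}")
```

A phone two minutes off is four steps away from the server's view of time and is rejected even with the tolerance window; restarting the device or enabling automatic time resets the clock and the codes line up again without any change to the secret.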

Helping a teammate with a lost 2FA device

If you are locked out of your account because of 2FA issues, a teammate with "Full access" on your Fin workspace can assist.

If recovery codes fail, that teammate can reset the failed login attempts and issue a new recovery code. Once you are back in, reset and reconfigure your 2FA setup to prevent future issues. Follow these steps:

  1. Ask for Teammate Assistance:

    • Contact a teammate with "Full access" on your workspace.

  2. Generate and Send Recovery Code:

    • Have the teammate click on the '2FA Recovery' button next to your account.

    • A recovery code will be sent to your registered email address.

  3. Use the Recovery Code:

    • On the 2FA login page, select Enter a recovery code.

    • Enter the code from the email to regain access to your account.

Post-Recovery Actions

After regaining access to your account, 2FA will still be enabled. To prevent any future disruptions, take the following steps:

  1. If needed, toggle off 2FA from your preferences to disable it temporarily.

  2. Re-enable 2FA and set it up with an authenticator app on a new or existing device to ensure continued security. For enhanced backup options, download additional recovery codes from your account settings for future use.

Preventative measures to ensure smooth access to your account in the future:

  • Always store recovery codes securely after initial setup.

  • Pair multiple devices with your 2FA setup where possible.

  • Regularly update your 2FA settings to reflect changed devices or preferences.

Resolve verification code issues

If you experience difficulties with verification codes, follow these instructions:

  • Delayed Verification Codes: Use the most recent code received as long as it hasn’t expired. If expired, request a new code and use it immediately.

  • Codes Not Working in Mobile App: Ensure you enter the latest code and correct your mobile device’s time and date settings to prevent mismatches. Restart the app and try the code again.

  • Authenticator App Errors: If the authentication code generated by your app is consistently rejected, consider reconfiguring the app or switching to another.

SSO errors

If you see the following error message:

"No active invite with your email address exists for this workspace. Invites can only be redeemed by the exact email address to which they were sent. If you think you're using the right email to redeem an invite, please contact your admin for help."

There may have been a mix-up with your SSO token, the unique ID attached to each Google SSO login. This can happen if your company has recently changed the domain in your email address.

For example, changing your email from example@olddomain.com to example@newdomain.com.

In your Fin workspace, your SSO token is still attached to your old email address. When you attempt to log in with Google SSO using a new invite sent to the new address, the login still resolves to the old one, which triggers the error "Invites can only be redeemed by the exact email address to which they were sent."

To resolve this, reach out to the Support team, who can unlink the SSO token from your old email address so that you can use Google SSO with your updated address.

Updating the email on your Google account

If you change the email address on an existing Google account, there will be no issues: Fin maps teammates to Google accounts by storing the Google account ID, not the email address.

If something goes wrong, you can always use email and password to regain access (if your workspace allows email/password as a login method). Note that your teammates may not have passwords set if they used Google SSO to redeem their invites. In that case they can log out of their Fin workspace and reset their password from the login page.
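Two points on this page deserve a worked example: the optional domain restriction on Google Sign-In and the fact that teammates are matched by Google account ID rather than by email. The Python below is an added example, not Fin's code. It applies the claim checks an application must make on a Google ID token after the token's signature has been verified against Google's published keys (that signature step is left to a library such as google-auth and is not modelled here), enforces the hosted-domain restriction through the `hd` claim, and keys the teammate record on the stable `sub` so that an email change on the same Google account still resolves. The client ID, subject values and claim sets are constructed.

```python
import time
from typing import Optional

GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}
CLIENT_ID = "constructed-client-id.apps.googleusercontent.com"  # assumption: the app's OAuth client id
NOW = 1_700_000_000


def claim_problem(claims: dict, client_id: str, allowed_domain: Optional[str] = None,
                  now: Optional[float] = None) -> Optional[str]:
    """Checks to apply to a Google ID token's claims AFTER its signature is verified.
    Returns None if the token is acceptable, otherwise a short reason."""
    now = time.time() if now is None else now
    if claims.get("iss") not in GOOGLE_ISSUERS:
        return "wrong issuer"
    if claims.get("aud") != client_id:
        return "token minted for a different client"
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return "expired"
    if not claims.get("email_verified"):
        return "email not verified by Google"
    if allowed_domain is not None:
        # 'hd' is the hosted (Workspace) domain. It is absent for consumer @gmail.com
        # accounts, so checking only the email string would not be a real restriction.
        if (claims.get("hd") or "").lower() != allowed_domain.lower():
            return "account is not in the allowed Google Workspace domain"
        if not (claims.get("email") or "").lower().endswith("@" + allowed_domain.lower()):
            return "email does not match the hosted domain"
    if not claims.get("sub"):
        return "no subject"
    return None


class TeammateDirectory:
    """Links teammates to Google accounts by the stable 'sub' identifier, never by
    email, so changing the email on the same Google account does not break sign-in."""

    def __init__(self) -> None:
        self._email_by_sub = {}

    def link(self, sub: str, email: str) -> None:
        """Called once, when a teammate redeems an invite with Google Sign-In."""
        self._email_by_sub[sub] = email

    def email_for(self, sub: str) -> Optional[str]:
        return self._email_by_sub.get(sub)

    def resolve(self, claims: dict, client_id: str, allowed_domain: Optional[str] = None,
                now: Optional[float] = None) -> Optional[str]:
        """Return the linked teammate's sub for a valid token, refreshing the stored
        email if Google reports a new one. None means invalid token or never linked
        (in which case invite redemption by exact email applies)."""
        if claim_problem(claims, client_id, allowed_domain, now) is not None:
            return None
        sub = claims["sub"]
        if sub not in self._email_by_sub:
            return None
        if self._email_by_sub[sub] != claims["email"]:
            self._email_by_sub[sub] = claims["email"]  # same account, new address
        return sub


# Constructed claims in the shape of a Google ID token payload; the values are made up.
WORKSPACE_CLAIMS = {
    "iss": "https://accounts.google.com",
    "aud": CLIENT_ID,
    "sub": "109876543210987654321",
    "email": "alice@example.com",
    "email_verified": True,
    "hd": "example.com",
    "exp": NOW + 3600,
}
GMAIL_CLAIMS = {**WORKSPACE_CLAIMS, "sub": "112233445566778899", "email": "alice.example.com@gmail.com"}
GMAIL_CLAIMS.pop("hd")  # consumer accounts carry no hosted domain

if __name__ == "__main__":
    directory = TeammateDirectory()
    directory.link(WORKSPACE_CLAIMS["sub"], "alice@example.com")
    renamed = {**WORKSPACE_CLAIMS, "email": "alice.smith@example.com"}
    print("renamed account resolves to:", directory.resolve(renamed, CLIENT_ID, "example.com", NOW))
    print("gmail account under restriction:", claim_problem(GMAIL_CLAIMS, CLIENT_ID, "example.com", NOW))
```

The `resolve()` path is the "no issues" case from the paragraph above; the invite error described under SSO errors is what a system sees when a record is keyed on an email string instead.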
