Skip to main content
All CollectionsSecurity & PrivacySecurity
Protect your account with 2FA, Google Sign-On or SAML SSO
Protect your account with 2FA, Google Sign-On or SAML SSO
Beth-Ann Sher avatar
Written by Beth-Ann Sher
Updated this week

There are three ways you can provide an extra level of security for your Intercom account. You can:

  • Require your teammates to sign in to Intercom through their Google account.

  • Require two-factor authentication (2FA) when you sign into your own Intercom account.

  • Require your teammates to sign in to Intercom through an identity provider (like Okta, or OneLogin) with SAML SSO.

Check our plans and pricing to see if SAML SSO is available on your subscription.

For accounts created with Google sign-on, you won't see an option to select 2FA unless you reset your password.

If you choose 2FA, each of your teammates will have to protect their own Intercom accounts separately.


Get started

Go to Settings > Workspace > Security and open Workspace Security Settings then choose the option you’d prefer under "Authentication methods".

You must have permission to access general and security settings to enable this.

Require your teammates to sign in through Google

Once set up, your Intercom account will be authenticated by your G Suite domain. And each of your teammates will sign into Intercom with a single click through their G Suite account.

Requiring Google sign-on is available on all Intercom plans.

Require two-factor authentication (2FA)

If you select the 2FA option, each time you log in you will need to enter your password and provide a unique code. We use a QR-based system to generate the codes for you. Intercom is compatible with popular authenticator apps like Google Authenticator and Authy.

How to set it up

Setting it up takes about two minutes:

  1. Choose the ‘Require two-factor authentication’ option and click ‘Save.’

  2. Download an authenticator app like Google Authenticator or Authy.

  3. You'll be asked to scan a QR code on your screen.

  4. When you log in the next time, you'll need to add your password and then a code generated from your authenticator app on your smartphone.

When you set up 2FA you'll be given the option to generate recovery codes. We recommend generating recovery codes to avoid potentially being locked out of your account.

How to Migrate authenticator app to a new device

To migrate your authenticator app to a new device to be used for 2FA with Intercom, follow these steps:

1. Log into your Intercom account on your computer.

2. Go to your Preferences page by clicking here.

3. Toggle off "Enable 2FA".

4. After disabling 2FA, toggle it back on to set it up with your new phone.

5. Scan the QR code displayed on your computer screen using the authenticator app on your new phone.

Allow Google sign on and 2FA together

You’ll get both options each time you sign in (you can sign in through two-factor authentication or through your G Suite account).

Require SAML SSO with an identity provider

The most secure and simple way for your team to log in is by integrating Intercom with an identity provider like Okta or OneLogin.

Follow the steps in this article to configure your identity provider, to require SAML SSO (Single Sign On) from all your teammates, or offer it as one of your sign in options.

Enable 2FA on your Intercom account

You can enable 2FA on your own Intercom account from Settings > Personal > Preferences under the Two Factor Authentication (2FA) section.

Teammates with 2FA enabled for their account can download their individual Recovery Codes by going to Settings > Personal > Preferences. Once there, if 2FA is enabled, they should see a link they can click to download these codes.

If you created your account with Google sign-on, you must reset your password before you’ll see the option to set up 2FA.


Lost your 2FA device?

You can have a teammate send you a recovery code that you can use to login, check out our article here to learn how to do this.


Having issues with SSO?

If you're seeing an error message: "​No active invite with your email address exists for this workspace. Invites can only be redeemed by the exact email address to which they were sent. If you think you're using the right email to redeem an invite, please contact your admin for help."

It looks like there might've been a mix-up with your SSO token, the unique ID for each Google SSO login if your company has recently updated the domains on your email address.

If so, it was linked with your old email, example@olddomain.com, Then, your company updated the old email to example@newdomain.com.

​However, in Intercom, the SSO token didn't catch up and is still attached old email. So, when you attempt to log in with Google SSO using a new invite, it's still linked to the old domain, leading to the error "Invites can only be redeemed by the exact email address to which they were sent."

​To resolve this, please reach out to the Support team at Intercom who can unlink the SSO token from your old email address, allowing you to use Google SSO with your updated address.

Effect of updating teammates email domains with SSO

If you are updating an existing google account with a new email, there will be no issues. We map Intercom teammates with Google accounts by storing their Google account ID.

If something goes wrong, you can always use email and password to gain access (if your workspace allows email/password as login method). Note, It's possible your admins (teammates) don't have passwords set as they used Google SSO to redeem invites. In that case they can log out of Intercom and set their password here.


💡Tip

Need more help? Get support from our Community Forum
Find answers and get help from Intercom Support and Community Experts


Did this answer your question?