There are three ways you can provide an extra level of security for your Intercom account. You can:

Check our plans and pricing to see if SAML SSO is available on your subscription.

Go to Settings > Workspace > Security and choose the option you’d prefer under "Authentication methods".

Once set up, your Intercom account will be authenticated by your G Suite domain. And each of your teammates will sign into Intercom with a single click through their G Suite account.

If you select the 2FA option, each time you log in you will need to enter your password and provide a unique code. We use a QR-based system to generate the codes for you. Intercom is compatible with popular authenticator apps like Google Authenticator and Authy.

Setting it up takes about two minutes:

To migrate your authenticator app to a new device to be used for 2FA with Intercom, follow these steps:

1. Log into your Intercom account on your computer.

2. Go to your Preferences page by clicking here.

3. Toggle off "Enable 2FA".

4. After disabling 2FA, toggle it back on to set it up with your new phone.

5. Scan the QR code displayed on your computer screen using the authenticator app on your new phone.

You’ll get both options each time you sign in (you can sign in through two-factor authentication or through your G Suite account).

The most secure and simple way for your team to log in is by integrating Intercom with an identity provider like Okta or OneLogin.

Follow the steps in this article to configure your identity provider, to require SAML SSO (Single Sign On) from all your teammates, or offer it as one of your sign in options.

You can enable 2FA on your own Intercom account from Settings > Personal > Account security under the Two Factor Authentication (2FA) section.

Teammates with 2FA enabled for their account can download their individual Recovery Codes by going to Settings > Personal > Account security. Once there, if 2FA is enabled, they should see a link they can click to download these codes.

You can have a teammate send you a recovery code that you can use to login, check out our article here to learn how to do this.

If you're seeing an error message: "​No active invite with your email address exists for this workspace. Invites can only be redeemed by the exact email address to which they were sent. If you think you're using the right email to redeem an invite, please contact your admin for help."

It looks like there might've been a mix-up with your SSO token, the unique ID for each Google SSO login if your company has recently updated the domains on your email address.

​

If so, it was linked with your old email, example@olddomain.com, Then, your company updated the old email to example@newdomain.com.

​

​However, in Intercom, the SSO token didn't catch up and is still attached old email. So, when you attempt to log in with Google SSO using a new invite, it's still linked to the old domain, leading to the error "Invites can only be redeemed by the exact email address to which they were sent."

​

​To resolve this, please reach out to the Support team at Intercom who can unlink the SSO token from your old email address, allowing you to use Google SSO with your updated address.

If you are updating an existing google account with a new email, there will be no issues. We map Intercom teammates with Google accounts by storing their Google account ID.
​
If something goes wrong, you can always use email and password to gain access (if your workspace allows email/password as login method). Note, It's possible your admins (teammates) don't have passwords set as they used Google SSO to redeem invites. In that case they can log out of Intercom and set their password here.