To help keep your Intercom workspace secure, we offer several authentication options for teammates. These methods help prevent unauthorised access, reduce the risk of phishing attacks, and give you better control over how your team signs in.
You can configure:
Google Sign-In — Let teammates log in with their Google Workspace accounts
Two-Factor Authentication (2FA) — Require a second authentication step when signing in
SAML Single Sign-On (SSO) — Enforce authentication via your identity provider (Enterprise only)
⚠️ We strongly recommend turning off email and password login
Passwords are the most common entry point for attackers. They're prone to phishing, reuse, and weak security practices. Use SSO and/or Google Sign-In with 2FA to provide stronger protection for your workspace.
Disable email/password login by turning off its toggle in your workspace security settings.
Get started
Go to Settings > Workspace > Security and choose the option you’d prefer under "Authentication methods".
Note: You must have permission to access general and security settings to enable this.
Method | Availability | Enforcement | Security |
Email & Password | All plans | N/A | ❌ Poor |
Email & Password w / 2FA | All plans | Can be enforced | ✅ Improved |
Require Google sign in | All plans | Can be enforced | ✅ Strong |
Require SAML | Enterprise only | Can be enforced | ✅ Strong |
⚠️ Once you require Google SSO or SAML, make sure to disable email / password logins
1. Two-Factor Authentication (2FA)
If you have to let your users log in with email and password, you can add an extra layer of security with two-factor authentication. Teammates supply a unique code from an authenticator app like Google Authenticator or Authy on login.
Available on all plans
Can be enforced workspace-wide
Each teammate sets up their own device
2. Google Sign-In
Let teammates log in with their Google Workspace accounts.
Available on all plans
Easy to enable from your security settings
Optional domain restriction (e.g. only @example.com users)
3. SAML SSO (Enterprise only)
Allow your team to log in via your Identity Provider (like Okta, Azure AD, or OneLogin).
Available on Enterprise plans
Supports Just-in-Time (JIT) provisioning and SCIM
Requires DNS domain verification and IdP configuration
Require SAML SSO with an identity provider
The most secure and simple way for your team to log in is by integrating Intercom with an identity provider like Okta or OneLogin.
Follow the steps in this article to configure your identity provider, to require SAML SSO (Single Sign On) from all your teammates, or offer it as one of your sign in options.
Teammate options
Enable 2FA on your individual Intercom account
You can enable 2FA on your own Intercom account, separate from the settings of any workspace you're a member of, from Settings > Personal > Account security under the Two Factor Authentication (2FA) section.
We use a QR-based system to set up an authenticator app. Intercom is compatible with popular authenticator apps like Google Authenticator and Authy.
Teammates with 2FA enabled for their account should download their individual Recovery Codes by going to Settings > Personal > Account security. Once there, if 2FA is enabled, they should see a link they can click to download these codes.
You should generate and securely save your recovery codes to avoid potentially being locked out of your account. Recovery codes are especially useful if you encounter issues with your authenticator app or lose access to your device.
If you created your account with Google sign-on, you won't see an option to set up 2FA unless you set a password. You can do this by going through the password reset flow, using the 'Forgot your password?' link on the login page. Configure or disable 2FA under your account settings after regaining access.
Migrating your authenticator app to a new device
To migrate to a new device, you must disable and re-enable 2FA. Follow these steps:
1. Log into your Intercom account on your computer.
2. Go to your Preferences page by clicking here.
3. Toggle off "Enable 2FA".
4. After disabling 2FA, toggle it back on to set it up with your new phone.
5. Scan the QR code displayed on your computer screen using the authenticator app on your new phone.
Troubleshooting
Helping a teammate with a lost 2FA device
If you are locked out of your account due to 2FA issues, a teammate with the 'Can manage teammates, seats, and permissions' privileges can assist. Follow these steps:
Ask for Teammate Assistance:
Request a teammate with the necessary permissions to navigate to Settings > Workspace > Teammates.
Alternatively, access via Teammates Settings.
Generate and Send Recovery Code:
Have the teammate click on the '2FA Recovery' button next to your account.
A recovery code will be sent to your registered email address.
Use the Recovery Code:
On the 2FA login page, select 'Enter a recovery code.'
Enter the code from the email to regain access to your account.
Post-Recovery Actions
After regaining access to your account, 2FA will still be enabled. To prevent any future disruptions, take the following steps:
Navigate to Account Settings.
If needed, toggle off 2FA from your preferences to disable it temporarily.
Re-enable 2FA and set it up with an authenticator app on a new or existing device to ensure continued security. For enhanced backup options, download additional recovery codes from your account settings for future use.
You can have a teammate send you a recovery code that you can use to log in; check out our article here to learn how to do this.
Preventative Measures
To ensure smooth access to your account in the future:
Always store recovery codes securely after initial setup.
Pair multiple devices with your 2FA setup where possible.
Regularly update your 2FA settings to reflect changed devices or preferences.
SSO errors
If you see the following error message:
"No active invite with your email address exists for this workspace. Invites can only be redeemed by the exact email address to which they were sent. If you think you're using the right email to redeem an invite, please contact your admin for help."
There may have been a mix-up with your SSO token, the unique ID for each Google SSO login. This can happen if your company has recently updated the domain within your email address.
For example, changing your email from example@olddomain.com to example@newdomain.com.
In Intercom, your SSO token will still be attached to your old email and when you attempt to log in with Google SSO using a new invite, it's still linked to the old domain. This triggers the error "Invites can only be redeemed by the exact email address to which they were sent."
To resolve this, please reach out to the Support team at Intercom who can unlink the SSO token from your old email address, allowing you to use Google SSO with your updated address.
Updating the email on your Google account
If you are updating an existing Google account with a new email, there will be no issues. We map Intercom teammates with Google accounts by storing their Google account ID.
If something goes wrong, you can always use email and password to gain access (if your workspace allows email/password as a login method). Note: it's possible your admins (teammates) don't have passwords set, as they used Google SSO to redeem invites. In that case they can log out of Intercom and set their password here.
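The two behaviours described under "SSO errors" and in this section can be seen side by side in a small model. This is an added example, not Intercom's code: the `Workspace` class, its methods, the account ID `1001` and the rule that an already-linked ID redeems invites as its stored email are all assumptions chosen to match the text above.

```python
# Illustrative model only, not Intercom's implementation; names and IDs are constructed.
from dataclasses import dataclass, field

INVITE_ERROR = "No active invite with your email address exists for this workspace."

@dataclass
class Teammate:
    google_id: str   # stable Google account ID (what the page calls the SSO token)
    email: str       # address recorded when the account was linked

@dataclass
class Workspace:
    by_google_id: dict = field(default_factory=dict)  # google_id -> Teammate
    invites: set = field(default_factory=set)         # exact invited addresses

    def sso_login(self, google_id, email_from_google):
        """Existing teammates are resolved by account ID; the email is ignored."""
        mate = self.by_google_id.get(google_id)
        if mate is None:
            raise PermissionError("unknown Google account")
        return mate

    def redeem_invite(self, google_id, email_from_google):
        """Assumed rule: an already-linked ID redeems as its stored email."""
        linked = self.by_google_id.get(google_id)
        effective = linked.email if linked else email_from_google
        if effective not in self.invites:   # invites match the exact address only
            raise PermissionError(INVITE_ERROR)
        self.invites.discard(effective)
        self.by_google_id[google_id] = Teammate(google_id, effective)
        return self.by_google_id[google_id]

    def unlink(self, google_id):
        """Stands in for the support-side fix: detach the ID from the old email."""
        self.by_google_id.pop(google_id, None)

def demo():
    ws = Workspace()
    ws.by_google_id["1001"] = Teammate("1001", "example@olddomain.com")
    # Same Google account with a renamed address: lookup by ID still succeeds.
    renamed_ok = ws.sso_login("1001", "example@newdomain.com").google_id == "1001"
    # A fresh invite to the new address fails while the ID carries the old email.
    ws.invites.add("example@newdomain.com")
    try:
        ws.redeem_invite("1001", "example@newdomain.com")
        blocked = False
    except PermissionError as err:
        blocked = str(err) == INVITE_ERROR
    ws.unlink("1001")  # after unlinking, the same invite can be redeemed
    return renamed_ok, blocked, ws.redeem_invite("1001", "example@newdomain.com").email
```
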