CSP Security Best Practices and FAQ

Introduction

There are increased threats faced by all web-based applications and services, and Coupa wants to support you with security best practices and frequently asked questions (FAQ) to enhance the security of your Coupa Supplier Portal (CSP) account.  

FAQ

What is two-factor authentication?

Two-factor authentication (2FA) makes it hard for someone else to get into your CSP account, even if they have your password. 

If you try to log in from a device that we don’t recognize, for example, a computer from which you have never logged in to the CSP before, we ask you to enter a verification code (the second factor) to make sure it is really you. This verification code is generated by your authenticator app or sent in a text message to your mobile phone. 

This way, if someone else is trying to log in to your account, they won’t get the code, which could stop them from accessing your account.

For more information, see Manage Two-Factor Authentication.

Why should I use two-factor authentication?

The security of your transactions is Coupa's top priority. The continuous improvements to the CSP help keep your accounts and data safe. Adding two-factor authentication (2FA) to your account increases its security.

2FA is mandatory with sensitive payment accounts to increase the security of your payment settings in Coupa.

How does two-factor authentication work?

Two-factor authentication (2FA) increases security beyond simply having a password. Once 2FA is turned on, you can use your Coupa password and a verification code every time you need to change your payment account settings. The verification code is the “two-factor authentication” piece. Verification codes can be generated from your authenticator app (preferred) or sent in a text message to your registered mobile phone.

Which two-factor authentication method is recommended?

Two-factor authentication (2FA) through an authenticator app, for example, Google Authenticator, Twilio Authy, or Microsoft Authenticator Authy, is the preferred method. You can download one of these apps for free from the Apple App Store or Google Play. SMS (text message) is a secondary method supported by Coupa. (SMS rates may apply.)

Is two-factor authentication mandatory?

Two-factor authentication (2FA) is mandatory with CSP payment accounts. 2FA is not mandatory with the other features of the CSP.

Which payment account updates require two-factor authentication?

Sensitive  account updates, namely changes to your legal entity, remit-to, and bank account information require two-factor authentication (2FA).

Best Practices

To reduce the security risks to your account and organization, review the following security best practices:

• Enable two-factor authentication: Two-factor authentication (2FA) can be enforced for all user logins, in addition to payment account updates such as changes to your legal entity, remit-to, and bank account information
• Verify and monitor your account: Verify periodically that your account payable information has not changed. If multiple users can access your CSP account, verify that account details are up to date.  Contact us [need link] immediately if you suspect any unauthorized use of your CSP account.
• Add multiple users to your account: Other CSP users can be notified of transactions. This visibility can protect your account in case your email, password, or device is compromised. It also ensures that your company account persists after you or other users leave your organization.
• Use strong passwords: As currently required on the CSP, use strong and unique passwords for every account. Password managers, for example, LastPass or Dashlane, can make it easy.
• Do not share passwords or verification codes: Coupa will never ask you to share password or 2FA information. As a general rule, you should not share sensitive account credentials (usernames, passwords, 2FA codes, or recovery codes) with anyone. 
• Protect your email and cloud accounts: Your email account can be compromised and taken over by malicious actors. You should consider enabling 2FA or biometrics on all your accounts. Protect your online data storage accounts (for example, iCloud) with the same steps. Review security settings to confirm you have optimized your account safety.
• Secure your devices: Always keep your software up to date. Protect your mobile phone number by asking your provider to enable a SIM or device lock.
• Use good judgment: The most effective way to protect yourself against scams like phishing is good judgment and common sense. If any offer sounds too good to be true, it probably is. It is okay to question, refuse, or ignore requests — only scammers will try to rush or panic you.
• Train your users regularly on security: Train your users on organization controls and raise awareness of phishing attack prevention.

Implement and follow these best practices in addition to your internal security controls to increase the security of your CSP account. Additional details on these controls can be found on the CSP. Contact Coupa Support if you would like further information about best practices.