• Published on: 21 February 2024
  • Last edited on: 21 February 2024

MFA FAQ and Security Best Practices

Keep your CSP account secure with multi factor authentication and best practices.


With ever increasing threats faced by all web-based applications and services, Coupa wants to support you with security best practices and frequently asked questions to enhance the security of your Coupa Supplier Portal (CSP) account.  


What is Multi-Factor Authentication?

Multi-factor authentication (MFA) is an added layer of security which makes it harder for someone else to get into your CSP account, even if they have your password.

If you try to log in from a device that we don’t recognize, for example a computer from which you have never logged in to the CSP before, we ask you to enter a verification code (the second factor) to make sure it is really you. This verification code is generated by your authenticator app or sent in a text message to your mobile phone.

If someone else is trying to log into your account, they won’t get the code, which could stop them from accessing your account.

For more information, see Manage Multi-Factor Authentication.

Why should I use multi factor authentication?

Securing your transactions is Coupa's top priority. The continuous improvements to the CSP help keep your accounts and data safe. Adding multi factor authentication to your account increases its security.

MFA is mandatory with sensitive payment accounts to increase the security of your payment settings in Coupa.

How does Multi-Factor Authentication work?

Multi-factor authentication increases security beyond simply having a password. Once MFA is turned on, you can use your Coupa password and a verification code every time you need to change your payment account settings. The verification code is the multi factor authentication piece. Verification codes can be generated from your authenticator app, which is the preferred option, or sent in a text message to your registered mobile phone.

Which Multi-Factor Authentication method is recommended?

Multi-factor authentication through an authenticator app, for example, Google Authenticator, Twilio Authy, or Microsoft Authenticator Authy, is the preferred method. You can download one of these apps for free from the Apple App Store or Google Play.

SMS (text message) is a secondary method supported by Coupa. However, this method is available only for the following countries: Australia/Cocos/Christmas Island, Belgium, Canada, Denmark, France, Germany, India, Ireland, Italy, Japan, Netherlands, South Africa, Spain, Sweden, Switzerland, United Kingdom, and United States. For other countries, select a different authentication method or contact your customer for more options.

Is Multi-Factor Authentication mandatory?

Multi-factor authentication is mandatory with CSP payment accounts. MFA is not mandatory with the other features of the CSP.

Which payment account updates require Multi-Factor Authentication?

Sensitive account updates, namely changes to your legal entity, remit-to, and bank account information require multi-factor authentication.

Security Best Practices

To reduce the security risks to your account and organization, review the following security best practices:

  • Verify and monitor your account. Verify periodically that your account payable information has not changed. If multiple users can access your account, verify that account details are up to date.  Contact us immediately either using the chat in CSP, or send an email to suppliers@coupa.com if you suspect any unauthorized use of your payment account.
  • Add multiple users to your account. Other users can be notified of transactions. This visibility can protect your account in case your email, password, or device is compromised. It also ensures that your company account persists after you or other users leave your organization.
  • Use strong and unique passwords for every account. Passwords must be at least 8 characters, but can be up to 40 characters in length. We recommend complex passwords using both numbers and letters. Password managers such as LastPass or Dashlane can make it easy to keep strong and unique passwords.
  • Train your employees to regularly log out of systems so that others are not able to utilize their credentials.
  • Do not write down your account password or store it in an insecure manner.
  • Do not share passwords or verification codes. Coupa will never ask you to share passwords or MFA information. As a general rule, you should never share sensitive account credentials, such as user names, passwords, MFA codes, or recovery codes.
  • Protect your email and cloud accounts. Your email account can be compromised and taken over by malicious actors. To prevent this, consider enabling MFA or biometrics on all your accounts. Protect your online data storage accounts (for example, iCloud) with the same steps. Review security settings to confirm you have optimized your account safety.
  • Shared accounts are possible for transactions but not ideal for managing banking information. They are easy to manage but pose security risks as passwords are shared, MFA and access control is nearly impossible to implement, and user activity cannot be tracked in case of compromised information. Shared accounts also do not meet compliance requirements for HIPAA, Cyber security, and similar standards.
  • Secure your devices. Always keep your software up to date. Protect your mobile phone number by asking your provider to enable a SIM or device lock.
  • Use good judgment. The most effective way to protect yourself against scams like phishing is good judgment and common sense. If any offer sounds too good to be true, it probably is. It is okay to question, refuse, or ignore requests. Only scammers will try to rush or panic you.
  • Train your users regularly on security. Train your users on organization controls and raise awareness of phishing attack prevention.
  • Think before you click. Email can have links that can be malicious. Think twice before you click on any link.
  • Enable notifications on the platform to ensure you are notified of any suspicious activity on your account. Train your users to be vigilant about these warnings.
  • Regularly update software. Ensure that all software, including your operating system, is up to date with the latest security patches and fixes.
  • Use antivirus and anti-malware software. Install and regularly update antivirus and anti-malware software to protect against malicious software.
  • Enable multi-factor authentication. Multi-factor authentication (MFA) can be enforced for all user logins, in addition to payment account updates such as changes to your legal entity, remit-to, and bank account information. Enabling MFA is quick and easy. Just follow the steps shown on your screen:

Steps to enable multi factor authentication