Manage Multi-Factor Authentication
Multi-factor authentication (MFA) is the preferred security option to protect accounts. Learn how to enable or disable it when needed, how to sign in using MFA, remember your browser while using this option and track recent activity on your account.
Introduction
Multi-factor authentication (MFA) is the recommended security option to protect accounts. It requires the user to provide two or more verification factors to gain access to the Coupa Supplier Portal (CSP). Some Coupa customers may require suppliers to use MFA to access their data in the CSP.
There are several methods to enable MFA in your account:
- Enable MFA via authenticator app (recommended option)
- Enable MFA via text message (SMS)
The following content guides you through the steps for:
- Enabling MFA in your account
- Track recent login activity in your account
- Sign in to the CSP using MFA
- Remembering browsers for MFA
- Disabling MFA for users in your supplier account
- Frequently asked questions (MFA) and Security Best Practices
Enabling MFA in your account
To enable any MFA method, follow the steps below:
- Go to the Account Settings page.
  You can reach this page by selecting your profile name on the top-right corner of the window, and selecting the Account Settings option.
- Select the Security & Multi Factor Authentication tab on the left navigation bar.
- Set your preferred default MFA method by selecting the radio button under their descriptions.
  - For Payment Changes (Required for Changing Legal Entity or Remit-To):
    MFA is required when creating or editing legal entities, remit-to, and bank account information.
  - For Both Account Access (Login) and Payment Changes:
    MFA is required when logging in to the CSP. You don't have to reauthenticate when working with financial data because you already authenticated when logging in.
- Select the MFA method depending on how you want to receive the verification codes:
  - Option 1: Using an Authenticator App to use an authenticator app available from the app store on your mobile phone.
    This is the recommended option.
  or
  - Option 2: Using a Text Message to use a code sent by text message to your phone number.
When you enable MFA, you get an email notification of the change.
Depending on your selected preferred MFA method, you will need to follow additional steps as detailed in the sections below:
Option 1: Enable MFA via authenticator app
Enabling MFA via an authenticator app is the recommended option. The first time you visit the Security & Multi Factor Authentication page, the system displays a window with instructions to configure this option. Follow the instructions on the window to configure MFA using an authenticator app:
- Visit the Google Play store or the Apple app store.
- Search for an authenticator app.
  The recommended option is to use Google Authenticator, which is available for iOS and Android devices. See Install Google Authenticator for help with installing the app on your mobile device.
- Download and install your preferred authenticator app.
- Open the app on your mobile device.
- Go to the Account Settings page.
- Select the Security & Multi Factor Authentication tab on the left navigation bar.
- Scan the QR code shown in the modal with the authenticator app or copy the security key to use it as the CSP authentication code.
  For most apps, select "Add" or "+" to scan the QR code.
- Enter the 6-digit verification code from your device in the input field on the modal.
  The code that Google Authenticator provides is good only for 30 seconds. If you don't type that code on the CSP sign-in page and click Log In within 30 seconds, you have to get a new code and try again.
- Select the Enable button at the bottom right of the modal.
Do not uninstall the authenticator app once the MFA setup is done: you will need the same app in the future each time you encounter the MFA popup (for example, when logging in or making some changes in the platform).
Print your backup codes or email them to yourself before you click OK. If you ever lose your device, you need these to regain access to your CSP account.
Option 2: Enable MFA via text message (SMS)
If you want to receive text message (SMS) notifications or verification codes, you must enter and validate your phone number under My Account > Notification Preferences. This feature is only available for validated regions.
To enable MFA via text message (SMS), follow the next steps:
- Go to the Account Settings page.
  You can reach this page by selecting your profile name on the top-right corner of the window, and selecting the Account Settings option.
- Select the Security & Multi Factor Authentication tab on the left navigation bar.
- Click the blue circle next to the Via Text Message option.
  Follow the instructions that appear on the next screen.
- Input the phone number where you want to receive the SMS text.
  A code is sent to your phone as an SMS text message (SMS rates may apply).
- Confirm the reCAPTCHA shown in the modal and select the Send Code button.
- Enter the 6-digit verification code sent to your phone in the field next to the third step shown on screen.
- Select the Enable button at the bottom right of the modal.
After successful validation, you receive the verification code in a text message.
Save your backup codes or email them to yourself before you delete the message. If you ever lose your device, you need these to regain access to your CSP account.
Track recent login activity
At the bottom of the Security & Multi Factor Authentication page, you can also track your login activity.
- Go to the Account Settings page.
  You can reach this page by selecting your profile name on the top-right corner of the window, and selecting the Account Settings option.
- Select the Security & Multi Factor Authentication tab on the left navigation bar.
- Scroll down to the Recent Login Activity section.
Your logins are listed in reverse chronological order under the Recent Login Activity section with the following information:
- date (and time)
- browser
- device
- IP address
- if MFA is enabled, also the authentication type (authenticator app or text message).
By default, the three most recent logins are visible. Use the ...View More link to see up to 20 logins.
Sign in to the CSP using MFA
To sign in to the CSP using MFA, follow these steps:
- Go to https://supplier.coupahost.com and provide your credentials as usual.
  The Multi-Factor Authentication window opens.
- Depending on your setting:
  - Open the authenticator app on your device and choose your CSP account. Get the number that's shown.
    This application is the same one used for enabling the MFA option. If there are multiple logins set up in your authenticator app, then ensure that the code under Coupa Supplier Portal is entered.
  or
  - Open the newly received SMS text message that contains the verification code.
    The message is sent to the phone number that is registered under notification preference settings in the account. If no number is registered under Notification Preferences, you will not see the button Send Code To Mobile.
- Type the authentication code in the appropriate field on the CSP login screen.
- Click Log In.
The code that Google Authenticator provides is good only for 30 seconds. If you don't type that code on the CSP sign-in page and click Log In within 30 seconds, you have to get a new code and try again.
If you or your user are locked out and don't have the six-digit backup validation code, contact Coupa Support via email from the registered email address, and provide the declaration form.
Remembering browsers for MFA
As a CSP user, you can use the Remember this browser option to avoid having to input your MFA credentials every time you log in.
On login: Select the Remember this browser checkbox when entering your credentials.
Inside the CSP:
- Go to the Account Settings page.
  You can reach this page by selecting your profile name on the top-right corner of the window, and selecting the Account Settings option.
- Select the Security & Multi Factor Authentication tab on the left navigation bar.
- Select the Remember this browser checkbox.
When you log in as a CSP user, you can select the Remember this browser checkbox on the Multi-Factor Authentication page to bypass multi-factor authentication (MFA) on your account for 30 days.
You still need to use MFA at least every 30 days and it is still required for any payment method or legal entity changes.
Disabling MFA for users in your supplier account
If your account has an active admin, reach out to them and ask them to temporarily disable MFA on your user account by following these steps:
- Log in to your Coupa account
- Go to the Setup tab
- Navigate to the Users section
- Search for the affected user and click Edit User
- Scroll down and select Disable MFA
The reset email is valid for only 24 hours. If no action is taken before that time, the process needs to start from the beginning.
Frequently asked questions (MFA) and Security Best Practices
As a supplier, you can face different scenarios that require you to enable MFA. Take these into account when enabling or disabling MFA:
- If the customer does not have MFA as a requirement for suppliers, when they enable MFA as a requirement, then:
  - Every supplier for that customer is then required to enable MFA in order to access any of that customer's information through the CSP.
  - Suppliers without MFA receive a message that they must enable MFA in order to transact with the customer. The message contains a link directing the supplier to the page where MFA can be enabled. The supplier requires a phone with SMS texting or an authenticator app to enable this option.
  - The customer’s Coupa Admin can set up an exception in the platform to "Exclude" a specific supplier from the MFA requirement in CSP. This supplier will have access to specific information.
- If a customer requires the supplier MFA and the supplier does not have MFA enabled, then:
  - The supplier cannot see customer data and is instructed to turn on MFA in order to see customer data.
  - When the supplier logs into CSP and navigates to see any customer-specific information, they receive a message that they must enable MFA in order to transact with their customer. The message contains a link directing the supplier to the Account Settings page > Security & Multi Factor Authentication tab where MFA can be enabled.
- If a customer requires the supplier MFA and the supplier has disabled or turned off the MFA option (supplier has transaction history with the customer, but no longer does business with them), then:
  - The supplier can log into the CSP normally; however, in order to view past data or access customer-specific information with that particular customer, they must enable MFA.
What is Multi-Factor Authentication?
Multi-factor authentication (MFA) is an added layer of security which makes it harder for someone else to get into your CSP account, even if they have your password.
If you try to log in from a device that we don’t recognize, for example a computer from which you have never logged in to the CSP before, we ask you to enter a verification code (the second factor) to make sure it is really you. This verification code is generated by your authenticator app or sent in a text message to your mobile phone.
If someone else is trying to log into your account, they won’t get the code, which could stop them from accessing your account.
For more information, see Manage Multi-Factor Authentication.
Why should I use multi factor authentication?
Securing your transactions is Coupa's top priority. The continuous improvements to the CSP help keep your accounts and data safe. Adding MFA to your account increases its security.
MFA is mandatory with sensitive payment accounts to increase the security of your payment settings in Coupa.
How does Multi-Factor Authentication work?
MFA increases security beyond simply having a password. Once MFA is turned on, you can use your Coupa password and a verification code every time you need to change your payment account settings. The verification code is the multi-factor authentication piece. Verification codes can be generated from your authenticator app, which is the preferred option, or sent in a text message to your registered mobile phone.
Which Multi-Factor Authentication method is recommended?
MFA through an authenticator app, for example, Google Authenticator, Twilio Authy, or Microsoft Authenticator, is the preferred method. You can download one of these apps for free from the Apple App Store or Google Play.
SMS (text message) is a secondary method supported by Coupa. This method is available for most countries, but not all. If it is not available for your country, select a different authentication method or contact your customer for more options.
Is Multi-Factor Authentication mandatory?
MFA is mandatory with CSP payment accounts.
MFA is not mandatory with the other features of the CSP.
Which payment account updates require Multi-Factor Authentication?
Sensitive account updates, namely changes to your legal entity, remit-to, and bank account information require MFA.
Security Best Practices
To reduce the security risks to your account and organization, review the following security best practices:
- Verify and monitor your account. Verify periodically that your account payable information has not changed. If multiple users can access your account, verify that account details are up to date. Contact us immediately either using the chat in CSP, or send an email to supplier@coupa.com if you suspect any unauthorized use of your payment account.
- Add multiple users to your account. Other users can be notified of transactions. This visibility can protect your account in case your email, password, or device is compromised. It also ensures that your company account persists after you or other users leave your organization.
- Use strong and unique passwords for every account. Passwords must be at least 8 characters, but can be up to 40 characters in length. We recommend complex passwords using both numbers and letters. Password managers such as LastPass or Dashlane can make it easy to keep strong and unique passwords.
- Train your employees to regularly log out of systems so that others are not able to utilize their credentials.
- Do not write down your account password or store it in an insecure manner.
- Do not share passwords or verification codes. Coupa will never ask you to share passwords or MFA information. As a general rule, you should never share sensitive account credentials, such as user names, passwords, MFA codes, or recovery codes.
- Protect your email and cloud accounts. Your email account can be compromised and taken over by malicious actors. To prevent this, consider enabling MFA or biometrics on all your accounts. Protect your online data storage accounts (for example, iCloud) with the same steps. Review security settings to confirm you have optimized your account safety.
- Shared accounts are possible for transactions but not ideal for managing banking information. They are easy to manage but pose security risks: passwords are shared, MFA and access control are nearly impossible to implement, and user activity cannot be tracked in case of compromised information. Shared accounts also do not meet compliance requirements for HIPAA, Cyber security, and similar standards.
- Secure your devices. Always keep your software up to date. Protect your mobile phone number by asking your provider to enable a SIM or device lock.
- Use good judgment. The most effective way to protect yourself against scams like phishing is good judgment and common sense. If any offer sounds too good to be true, it probably is. It is okay to question, refuse, or ignore requests. Only scammers will try to rush or panic you.
- Train your users regularly on security. Train your users on organization controls and raise awareness of phishing attack prevention.
- Think before you click. Email can have links that can be malicious. Think twice before you click on any link.
- Enable notifications on the platform to ensure you are notified of any suspicious activity on your account. Train your users to be vigilant about these warnings.
- Regularly update software. Ensure that all software, including your operating system, is up to date with the latest security patches and fixes.
- Use antivirus and anti-malware software. Install and regularly update antivirus and anti-malware software to protect against malicious software.
- Enable multi-factor authentication. Multi-factor authentication (MFA) can be enforced for all user logins, in addition to payment account updates such as changes to your legal entity, remit-to, and bank account information. Enabling MFA is quick and easy as shown on the Manage Multi-Factor Authentication page, or follow the instructions on your Account Settings page in the Security & Multi Factor Authentication tab.