EN globe icon
user icon
On This Page
  • Published on: 02 June 2023
  • Last edited on: 16 March 2026
What can we help you find? Products Coupa Product Documentation Supplier Resources For Suppliers Getting Started with the Coupa Supplier Portal Get Started with the CSP Your Account Manage Multifactor Authentication

Manage Multifactor Authentication

Multifactor authentication (MFA) is the preferred security option to protect accounts. Learn how to enable or disable it when needed, how to sign in using MFA, remember your browser while using this option and track recent activity on your account.

Multifactor authentication (MFA) is the recommended security option to protect accounts. It requires the user to provide two or more verification factors to gain access to the Coupa Supplier Portal (CSP). Some Coupa customers may require suppliers to use MFA to access their data in the CSP. 

There are several methods to enable MFA in your account: 

  • Enable MFA by using an authenticator app (recommended option)
  • Enable MFA by receiving a text message (SMS)
  • Enable MFA by email

The following content guides you through the steps for: 

  • Enabling MFA in your account
  • Track recent login activity in your account
  • Sign in to the CSP using MFA
  • Remembering browsers for MFA
  • Disabling MFA for users in your supplier account
  • Frequently asked questions (MFA) 

Enabling MFA in your account

To enable any MFA method, follow the steps below: 

  1. Go to the Account Settings page.
    You can reach this page by selecting your profile name on the top-right corner of the window, and selecting the Account Settings option. 
  2. Select the Security & Multi Factor Authentication tab on the left navigation bar.
  3. Set your preferred default MFA method by selecting the radio button under their descriptions.
    1. For Payment Changes (Required for Changing Legal Entity or Remit-To):
      MFA is required when creating or editing legal entities, remit-to, and bank account information.
    2. For Both Account Access (Login) and Payment Changes:
      MFA is required when logging in to the CSP. You don't have to reauthenticate when working with financial data because you already authenticated when logging in.
  4. Select the MFA method depending on how you want to receive the verification codes: 
    1. Option 1: Using an Authenticator App (available from the app store) on your mobile phone to generate a code.
      This is the recommended option. 
    2. Option 2: Using SMS to receive a code sent by text message to your phone number.
    3. Option 3: Using email to receive a code.
    4. Option 4: Using a passkey to sign in.

When you enable MFA, you get an email notification of the change. 

Depending on your selected preferred MFA method, you will need to follow additional steps as detailed in the sections below: 

Option 1: Enable MFA using an authenticator app

Enabling MFA via an authenticator app is the recommended option. The first time you visit the Security & Multi Factor Authentication page, the system displays a window with instructions to configure this option.

Follow the instructions on the window to configure MFA using an authenticator app: 

  1. Visit the the Google Play store or the Apple app store
  2. Search for an authenticator app.
    The recommended option is to use Google Authenticator, which is available for iOS and Android devices. See Install Google Authenticator for help with installing the app on your mobile device. 
  3. Download and install your preferred authenticator app.
  4. Open the app on your mobile device.
  5. Go to the Account Settings page. 
  6. Select the Security & Multi Factor Authentication tab on the left navigation bar.
  7. Scan the QR code shown in the modal with the authenticator app or copy the security key to use it as the CSP authentication code.
    For most apps, select "Add" or "+" to scan the QR code.
  8. Enter the 6-digit verification code from your device in the input field on the modal.
    The code that Google Authenticator provides is good only for 30 seconds. If you don't type that code on the CSP sign-in page and click Log In within 30 seconds, you have to get a new code and try again.
  9. Select the Enable button at the bottom right of the modal. 
  10. Print your backup codes or email them to yourself before you click OK. If you ever lose your device, you need these to regain access to your CSP account.

Do not uninstall the authenticator app once the MFA set up is done: you will need the same app in future each time you encounter the MFA popup (for example when logging in or making some changes in the platform).

 Warning

Print your backup codes or email them to yourself before you click OK. If you ever lose your device, you need these to regain access to your CSP account.

Option 2: Enable MFA using a text message (SMS)

If you want to receive text message (SMS) notifications or verification codes, you must enter and validate your phone number under My Account > Notification Preferences.

This feature is only available for validated regions.

To enable MFA via text message (SMS), follow the next steps:

  1. Go to the Account Settings page.
    You can reach this page by selecting your profile name on the top-right corner of the window, and selecting the Account Settings option. 
  2. Select the Security & Multi Factor Authentication tab on the left navigation bar.
  3. Click the blue circle next to the Via Text Message option:
    Follow the instructions that appear on the next screen. 
  4. Input the phone number where you want to receive the SMS text.
    A code is sent to your phone as an SMS text message (SMS rates may apply).
  5. Confirm the Recaptcha shown in the modal and select the Send Code button. 
  6. Enter the 6-digit verification code sent to your phone in the field next to the third steps shown on screen. 
  7. Select the Enable button at the bottom right of the modal. 
  8. Save your backup codes or email them to yourself before you delete the message. If you ever lose your device, you need these to regain access to your CSP account.

After successful validation, you receive the verification code in a text message.

 Warning

Print or save your backup codes or email them to yourself before you delete the message. If you ever lose your device, you need these to regain access to your CSP account.

Option 3: Enable MFA using an email

Email is considered less secure than other MFA factors, so use this option as a last resort. To use MFA though a secondary email: 

  • All of your customers need to have activated the Allow suppliers to use Email MFA permission.
    This change may take up to 24 hours to take effect.
  • If you have several customers and one of them has not activated the option, you need to use MFA through another method. 

To enable MFA via email, follow the next steps:

  1. Go to the Account Settings page. 
    You can reach this page by selecting your profile name on the top-right corner of the window, and selecting the Account Settings option. 
  2. Select the Security & Multi Factor Authentication tab on the left navigation bar.
  3. Click the blue circle next to the Via Alternative Email option.
    This option is available only if all of your customers have activated the Allow suppliers to use Email MFA permission.  
  4. Follow the instructions that appear on the next screen. 
  5. Input the secondary email where you want to receive the security code. 
    This email cannot be the same login email.
    You need access to this secondary email in order to receive the code and use it in the system.
  6. Confirm the Recaptcha shown in the modal and select the Send Code button. 
  7. Enter the 6-digit verification code sent to the email in the field next to the third steps shown on screen. 
  8. Select the Enable button at the bottom right of the window. 

Track recent login activity

At the bottom of the Security & Multi Factor Authentication page, you can also track your login activity.

  1. Go to the Account Settings page.
    You can reach this page by selecting your profile name on the top-right corner of the window, and selecting the Account Settings option.
  2. Select the Security & Multi Factor Authentication tab on the left navigation bar.
  3. Scroll down to the Recent Login Activity section.

Your logins are listed in reverse chronological order under the Recent Login Activity section with the following information:

  • date (and time) 
  • browser
  • device
  • IP address 
  • if MFA is enabled, also the authentication type (authenticator app or text message).

By default, the three most recent logins are visible. Use the ...View More link to see up to 20 logins.

Sign in to the CSP using MFA

To sign in to the CSP using MFA, follow these steps: 

  1. Go to https://supplier.coupahost.com and provide your credentials as usual.
    The Multi-Factor Authentication window opens.
  2. Depending on your setting:
    1. Open the authenticator app on your device and choose your CSP account. Get the number that's shown.
      This application is the same one used for enabling the MFA option.If there are multiple logins set in your authentication, then ensure that the code under Coupa Supplier Portal is entered.  
      or 

    2. Open the newly received SMS text message or email that contains the verification code.
      The message is sent to the phone number or email that is registered under notification preference settings in the account.
      If no number is registered under       Notification Preferences, you will not see the button Send Code To Mobile.

      or

    3. Access the device you registered the passkey with and follow the instructions on your device.
  3. Type the authentication code in the appropriate field within the screen of the CSP log in.
  4. Click Log In.

The code that Google Authenticator provides is good only for 30 seconds. If you don't type that code on the CSP sign-in page and click Log In within 30 seconds, you have to get a new code and try again.

If you or your user are locked out and  don't have the backup validation codes, contact Coupa Support by sending an email from the registered email address, and provide the declaration form.

Remembering browsers for MFA

As a CSP user, you can use the Remember this browser option to avoid having to input your MFA credentials every time you log in. 

On login: Select the Remember this browser checkbox when entering your credentials. 

Inside the CSP: 

  1.  Go to the Account Settings page.
    You can reach this page by selecting your profile name on the top-right corner of the window, and selecting the Account Settings option. 
  2. Select the Security & Multi Factor Authentication tab on the left navigation bar.
  3. Select the Remember this browser checkbox

When you log in as a CSP user, you can select the Remember this browser checkbox on the Multi-Factor Authentication page to bypass multi-factor authentication (MFA) on your account for 30 days. 

You still need to use MFA at least every 30 days and it is still required for any payment method or legal entity changes.

Disabling MFA for users in your supplier account

Admin users now have the ability to disable MFA for the other users of the same account. If you’re part of a multi-user supplier account, and you're locked out due to MFA,  an admin within your account can now disable MFA on your behalf.

If your account has an active admin, reach out to them and ask them to temporarily disable MFA on your user account by following these steps:
Steps for the Admin User:
  1. Log in to your Coupa account
  2. Go to the Setup tab
  3. Navigate to the Users section
  4. Search for the affected user and click Edit User
  5. Scroll down and select Disable MFA
Once MFA is disabled, the locked user will automatically receive an email to reset MFA and set it up again on a new device.
Note

The reset email is valid for only 24 hours. If no action is taken before that time, the process needs to start from the beginning.

If there are no other admins in your account or if you need further assistance, feel free to contact our support team.

Frequently asked questions (MFA)

As a supplier, you can face different scenarios that require you to enable MFA. Take these into account when enabling or disabling MFA: 

  • If the customer does not have MFA as a requirement for suppliers, when they enable MFA as a requirement, then:
    • Every supplier for that customer is then required to enable MFA in order to access any of that customer's information through the CSP. 
    • Suppliers without MFA receive a message that they must enable MFA in order to transact with the customer. The message contains a link directing the supplier to the page where MFA can be enabled. The supplier requires a phone with SMS texting or an authenticator app to enable this option.
    • The customer’s Coupa Admin can set up an exception in the platform to "Exclude" a specific supplier from the MFA requirement in CSP. This supplier will have access to specific information. 
  • If a customer requires the supplier MFA and the supplier does not have MFA enabled, then: 
    • The supplier can not see customer data and is instructed to turn on MFA in order to see customer data.
    • When the supplier logs into CSP and navigates to see any customer specific information, they receive a message that they must enable MFA in order to transact with their customer. The message contains a link directing the supplier to the Account Settings page > Security & Multi Factor Authentication tab where MFA can be enabled.
  • If a customer requires the supplier MFA and the supplier has disabled or turned off the MFA option (supplier has transaction history with the customer, but no longer does business with them), then:  
    • The supplier can log into the CSP normally, however, in order to view past data or access customer-specific information with that particular customer they must enable MFA.

What is multifactor authentication?

Multi-factor authentication (MFA) is an added layer of security which makes it harder for someone else to get into your CSP account, even if they have your password.

If you try to log in from a device that we don’t recognize, for example a computer from which you have never logged in to the CSP before, we ask you to enter a verification code (the second factor) to make sure it is really you. This verification code is generated by your authenticator app or sent in a text message to your mobile phone.

If someone else is trying to log into your account, they won’t get the code, which could stop them from accessing your account.

For more information, see Manage Multi-Factor Authentication.

Why should I use multifactor authentication?

Securing your transactions is Coupa's top priority. The continuous improvements to the CSP help keep your accounts and data safe. Adding MFA to your account increases its security.

MFA is mandatory with sensitive payment accounts to increase the security of your payment settings in Coupa.

How does multifactor authentication work?

MFA increases security beyond simply having a password. Once MFA is turned on, you can use your Coupa password and a verification code every time you need to change your payment account settings. The verification code is the multi-factor authentication piece. Verification codes can be generated from your authenticator app, which is the preferred option, or sent in a text message to your registered mobile phone.

Which multifactor authentication method is recommended?

MFA through an authenticator app, for example, Google Authenticator, Twilio Authy, or Microsoft Authenticator Authy, is the preferred method. You can download one of these apps for free from the Apple App Store or Google Play.

SMS (text message) is a secondary method supported by Coupa. However, this method is available for most countries. If it is not available for your country, select a different authentication method or contact your customer for more options.

Is multifactor authentication mandatory?

MFA is mandatory with CSP payment accounts.
MFA is not mandatory with the other features of the CSP.

Which payment account updates require multifactor authentication?

Sensitive account updates, namely changes to your legal entity, remit-to, and bank account information require MFA.