Multi-factor authentication (MFA) is a security process that requires more than one method of authentication from independent credentials to verify the user’s identity. At Bill.com, MFA was implemented with a "light touch." The design is unique to Bill.com, securing access to Bill.com accounts by both login credentials and phone verification codes.
Primary phone number
As part of the setup process, you will be asked to enter a phone number. This should be a number you have access to whenever you log in to Bill.com. It needs to be a direct line to a live person; the call cannot be routed through an automated phone routing service.
Once MFA is enabled, you will be prompted, by text or voice message, to enter a code when logging in to Bill.com, when changing your password, or when changing your phone number. Checking the "Trust this computer" box when you enter a code reduces how often a code is required to once every 30 days, except when changing your password or phone number(s), which always require a code.
Backup phone number
We strongly recommend that you also add a secondary phone number to the MFA security setup. This will allow you to maintain secure access to the Bill.com account if the primary phone is unavailable.
Things to know
- Your Bill.com account is very powerful. It can move money to and from the vendors and customers in your account. Should someone obtain the login credentials of any of the users on your account, you want to know that they won't be able to "do damage" by transferring your money to or from accounts where it doesn't belong. The MFA feature helps to ensure that only users with verified access through the MFA phone numbers will be able to complete actions such as these.
- We've done our best to implement MFA in such a way that it is not a burden for you and the other users on the Bill.com account. We know most of our customers log in to Bill.com every day and don't want extra steps in their daily process. We strived to balance ease of access with the need for strong security designed to keep the bad guys from accessing your account.
- It is best practice not to share numbers or use another person's phone number for MFA.
- Approver users do not need to set up MFA unless an admin has requested that approvers have MFA enabled. However, approvers will be prompted for a phone number, and sent a code, when resetting their password.