Multi-factor authentication (MFA)/2-step verification is a security process that requires more than one method of authentication from independent credentials to verify your identity.
Multi-Factor Authentication adds an additional layer of security to your Bill.com account by requiring not only a username and password to log in, but also an additional code sent to your phone. This makes it extremely difficult to break into a Bill.com account.
Be sure to set up a backup number or use Google Authenticator as a backup method just in case!
Set up MFA/2-step verification
When you create a Bill.com account, we request a phone number to use for MFA/2-step verification.
- Enter a mobile or landline phone number to receive security codes
- Select whether to send security code by text or phone call
- Click Send code
- Enter the security code you receive
- Select Trust this device for 30 days to require a security code less often
- Click Submit
Set up a backup phone number
We highly suggest having a backup method for MFA/2-step verification in case you no longer have access to your primary phone number.
- Click Settings
- Click Security under You
- Click Enter your backup phone
- To edit the backup phone number, click Change Backup 2-Step Verification
- Click Next to send a security code on your primary phone number and authorize the change
- Enter the security code you receive
- Select Trust this device for 30 days to require a security code less often and click Submit
- Enter your backup phone number
- Select whether to send security code by text or phone call and click Submit to receive a code on the backup phone number to confirm the change
- Enter the security code you receive and click Submit
- Click Finish
Use Google Authenticator as backup
You can also use Google Authenticator for your backup MFA/2-step verification method.
This feature is not available on subscription free basic accounts. Please upgrade your account to use it.
- Download the Google Authenticator app from your device's mobile store
- Open the app and tap Begin
- Tap Scan a barcode
- In Bill.com, click Settings > Security and click Add Backup 2-Step Verification
- Click Google Authenticator
- In the Google Authenticator app, scan the barcode in Bill.com
- The Google Authenticator app then generates the first code. Enter that code in Bill.com
- Click Submit
Codes are regenerated every 30 seconds in Google Authenticator. You must enter the code and click Submit in Bill.com before the 30 seconds is up. If you get an error when entering a code, wait for the next code to be generated, then enter it and click Submit in Bill.com before the timer runs out.
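Why a code stops working when the timer runs out, shown as an added example (not Bill.com's code): Google Authenticator codes follow the standard TOTP algorithm (RFC 6238), which derives each code from a shared secret and the current 30-second time step. The secret below is the RFC's published test value, and the `drift_steps` tolerance is an assumption; this page does not say how Bill.com's server treats a late code.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds each code is valid, as described above
DIGITS = 6   # code length shown by Google Authenticator


def totp(secret: bytes, unix_time: int, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP using HMAC-SHA1 over the 30-second step counter."""
    counter = unix_time // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def seconds_left(unix_time: int) -> int:
    """Seconds remaining before the app replaces the current code."""
    return STEP - unix_time % STEP


def verify(secret: bytes, code: str, unix_time: int, drift_steps: int = 0) -> bool:
    """Check a submitted code against the server clock.

    drift_steps=0 is a strict verifier; drift_steps=1 also accepts the
    neighbouring steps (hypothetical tolerance, not a documented setting).
    """
    for d in range(-drift_steps, drift_steps + 1):
        t = unix_time + d * STEP
        if t < 0:
            continue
        if hmac.compare_digest(totp(secret, t), code):
            return True
    return False


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test secret, not a real key
    shown_at = 59                     # one second before the step ends
    code = totp(secret, shown_at)
    print("code:", code, "seconds left:", seconds_left(shown_at))
    print("submitted in time:", verify(secret, code, shown_at))
    print("submitted 1s late, strict:", verify(secret, code, shown_at + 1))
    print("submitted 1s late, 1-step drift:", verify(secret, code, shown_at + 1, 1))
    print("next code:", totp(secret, shown_at + 1))
```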
Use an international phone number for MFA/2-step verification
MFA/2-step verification supports text codes to all US and international cell phone numbers. Codes via phone call are only available to cell phone numbers from the US and Canada.
- Be sure to include "+" followed by your country code when entering your phone number so that it will be accepted. For example, phone numbers from England would be formatted as +4401234567890
- Enter your phone number with no spaces
- There are some limitations to sending SMS messages to mobile devices in India. For more information: Limitations sending SMS messages to Indian mobile devices.
Other ways to receive codes
If you don't have a mobile phone or landline to receive MFA/2-step verification codes, you can use these alternatives:
- Google Voice
- Skype
  - Skype is widely available in multiple countries: Skype availability by country
When MFA/2-step verification is triggered
You will be prompted with a text or a voice message to enter a code upon logging in to Bill.com.
Checking the Trust this device for 30 days box when you enter a code reduces how often you are asked for a code to once every 30 days.
Note: Even on devices that you have marked as trusted, these other actions also prompt MFA/2-step verification codes:
- Changing your password
- Changing your phone number(s)
- Switching to a different browser
- Changes to your browser, such as:
  - Disabling browser cookies, using a cookie management extension or clearing browser data
  - Changing the browser's supported languages, such as adding a new language
  - Upgrading to a different version of the browser
Disable and enable MFA/2-step verification by role
To have more control over the security of your account, you can disable or enable MFA/2-step verification for certain user roles. MFA/2-step verification is enabled by default for all roles, and you cannot disable MFA/2-step verification for any users with a role that requires MFA/2-step verification.
Default roles
User roles with limited permissions and limited risk no longer require MFA/2-step verification. The default user roles that require MFA/2-step verification are:
- Admin
- Accountant
- Clerk
- Payer
Custom roles
If you create a custom role, the permissions that require MFA/2-step verification if added to that custom role are:
- Pay approved bills via Bill.com
- Pay unassigned bills via Bill.com
- Pay unapproved bills via Bill.com
- Manage Vendors
- Manage Customers
- Manage Company Info
- Manage Credit Cards
- Manage Users
- Manage Roles
This feature is not available on subscription free basic accounts. Please upgrade your account to access additional features.
Enabling or Disabling 2-step verification
- Click Settings
- Click Roles
- Click Yes to enable or No to disable under 2-step verification
- Roles that require MFA/2-step verification will not have a toggle; you will see Required for this role instead. MFA/2-step verification cannot be disabled for these roles.
Change your MFA/2-step verification phone numbers
You can change your primary or backup phone number for MFA/2-step verification in your Bill.com account. You will need access to the current phone number in order to receive a code to authorize the change.
If you no longer have access to your primary or backup phone numbers, click Contact Us at the top of this page for assistance.
Each user must follow the steps below to change their own phone numbers. You cannot change the phone number for another user.
Changing your primary or backup phone number:
- Click Settings
- Click Security under the You section
- Click Change Primary 2-Step Verification or Change Backup 2-Step Verification
- Click Yes to confirm that you wish to delete and add a new MFA method (phone number)
- Select phone number from dropdown to receive code to authorize the change
  - If you don't see your phone number, click Contact Us at the top of this page for assistance
- Select whether to send security code by text or phone call
- Click Send code
- Enter the security code you receive
  - If you need to resend a code, click Send a new code
- Click Submit
- Enter the new phone number
- Select whether to send security code by text or phone call
- Click Send code
- Enter the security code you receive
  - If you need to resend a code, click re-send code
- Click Submit to save your new primary or backup phone number for MFA
Troubleshooting MFA/2-step verification
Codes are not being received
- Always use a direct line. Codes cannot be routed through an extension
- You may need to restart your device
- If your phone is unable to receive codes, please try using the alternate options
- If you received the error message "We can no longer send a code - You've reached the maximum attempts for sending a code to one of your devices," the code has been sent three (3) times, which is the maximum per session. Please log out of your account and then log in again to request a new code.
- Add a backup phone number before you leave the country. MFA/2-step verification may not be available outside the United States if your device will not receive calls or text messages while out of the country.
- If you no longer have access to your primary or backup phone numbers, click Contact Us at the top of this page for assistance.
- Customer Support can check to see if the codes are being sent. Click Contact Us at the top of this page if the suggestions above don't help.
Prompted for a security code after selecting trust this device
If you are being prompted for MFA/2-step verification codes often, after selecting to trust your device for 30 days, follow these steps to resolve:
- Save our domain (Bill.com) as a trusted website on any site blockers or ad blockers
  - Examples of some site/ad blockers:
    - AdBlock Plus
    - Freedom
    - StayFocusd
    - Limit
    - Poper blocker
    - PrivacyBadger
- Remove all trusted devices listed under your user profile
  - Click Settings
  - Click Security under You
  - Click Remove next to each device listed under Trusted Devices
- Sign out of Bill.com
When you sign in again, we will prompt an MFA/2-step verification code. Enter the code you receive and select Trust this device for 30 days.
What to do if you no longer have access to the phone number
If you can't access your primary or backup phone numbers, or you are not receiving codes after trying these tips, submit a request to reset your access using the 2-step Verification Access Request form.
What to do if you can't log in
If you are having trouble logging into Bill.com, please see the Trouble logging in to Bill.com article for helpful tips.
If you can't log in because you don't have access to your primary or backup phone numbers to receive codes, submit a request to reset your access using the 2-step Verification Access Request form.
Things to know
- It is best practice to not share phone numbers or use another person's phone number for MFA/2-step verification
- Click Trust this device for 30 days to reduce the number of MFA/2-step verification code prompts
- Do not select the Trust this device for 30 days box when working on someone else's computer or logging in from a public location (like a library computer)