Two-factor authentication
You can activate two-factor authentication (2FA) in the Tipalti Hub and/or Supplier Hub to provide users and payees with additional security. Please submit a request to our Support Team to set up 2FA.
2FA is required to log into your Tipalti accounts to ensure compliance and security and it cannot be disabled.
Once 2FA is activated, new users logging into the Tipalti Hub need to enter their country and mobile number in the first step of the verification process. A code is then sent to the registered phone number. Users type the code into the second verification screen to enter the Tipalti Hub.
When users next access the Tipalti Hub, only step 2 needs to be completed.
Step 1
Step 2
If you need to reset activation of a user's 2-step verification (e.g., if the user moves to a different country or changes the contact phone number), refer to Reset 2FA verification.
- Once 2FA is activated, payees log into the Supplier Hub as usual.
- Payees are prompted to provide a phone number for 2FA. The system then sends a text message containing a verification code to the payee's phone. If the payee's plan or phone carrier does not allow text messaging or the phone is considered a landline, the payee receives a phone call instead of a text. Payees receive messages/calls in the local language.
- Payees enter the code on-screen and click "Verify". The next time payees log in, they only need to enter the code that is texted to them, unless they previously selected the "Remember this device for 30 days" check box. In this case, they will not be required to enter the verification code for the next 30 days.
2FA protects you and your payees against fraud and it cannot be disabled.
- Payees receive an invite to register in the Supplier Hub.
- They complete the registration screen.
- Payees then log into the Supplier Hub.
- Payees are prompted to provide a phone number for 2FA. The system then sends a text message containing a verification code to the payee's phone. If the payee's plan or phone carrier does not allow text messaging or the phone is considered a landline, the payee receives a phone call instead of a text. Payees receive messages/calls in the local language.
- Payees enter the code on-screen and click "Verify". The next time payees log in, they only need to enter the code that is texted to them, unless they previously selected the "Remember this device for 30 days" check box. In this case, they will not be required to enter the verification code for the next 30 days.
Payees can use a virtual number, such as a Google Voice or Skype number, to get the verification code.
Payees can follow these steps to set up Google Voice.
- Go to voice.google.com (anyone with a Gmail email address has access).
- Sign in or download the app onto your device.
- Go to "Settings".
- Use the phone number provided by Google for the Supplier Hub 2FA workflow.
Google Voice only works for personal Google Accounts in the US and Google Workspace (formerly G Suite) accounts in select markets. Text messaging is not supported in all markets.
Payees can follow these steps to start receiving SMS messages in Skype.
- Go to the Skype number page and select the country in which you wish to purchase a Skype number.
- Set up your Caller ID to use your Skype number.
- Use the Skype number provided for the Supplier Hub 2FA workflow.
Only US Skype numbers can receive SMS messages.
Tipalti can provide the code directly. The payee needs to inform the payer of the issue so that the payer can verify the payee. Then, both the payer and payee need to contact our Support Team to coordinate a joint call. During the call, Tipalti gets the code directly from the 3rd-party vendor and provides it to the payee.
In addition to the 2FA mechanisms described above, you can activate an extended 2FA mechanism in the Tipalti Hub/Supplier Hub/iFrame that will be triggered upon any changes made to a payee’s payment method details.
Once the payee accesses the Payment Method tab, the existing payment method details will be masked. If the payee's payment method is changed (when clicking "Next"), a code is sent to the registered phone number. Users should type the code into the second verification pop-up to save the changes.
This feature is applicable to payees accessing the iFrame and Supplier Hub, as well as payer users who log in as payees via the Tipalti Hub.
Tipalti Hub
When enabled, 2FA will be required upon each login for payer users with the following roles, and the "Remember this device for 30 days" check box will not be available:
- Add Payee
- View Secure Details
- Update Payee
- Payee Reviewer
- View Balance
The following image shows the 2FA pop-up that displays for payer users who log in as payees (user roles: Update Payee Payment Details, Payee Payment Details Administrator) and change the payment method.
If the payee is already registered with 2FA in Tipalti, the payee’s approval and verification are required before making the change. The code will be sent to the payee, and the payer will need to submit it on the payee's behalf.
Supplier Hub
After registering for 2FA on the login page, when the user changes the payment method details, 2FA is triggered when clicking "Next", in order to save the changes.
iFrame
Payees are prompted to provide a phone number for 2FA when the iFrame is displayed for the first time. The system then sends a text message containing a verification code to the payee's phone. If the payee's plan or phone carrier does not allow text messaging or the phone is considered a landline, the payee receives a phone call instead of a text. Payees receive messages/calls in the local language. The 2FA registration step will not be triggered again after the registration. If a user needs to reset activation of a payee's 2-step verification (e.g., if the payee moves to a different country or changes the contact phone number), refer to Reset 2FA verification for registered payees.
When the payee changes the payment method details, 2FA is triggered when clicking "Next", in order to save the changes. Payees type the code into the second verification screen to enter the iFrame.
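The rules above for when a verification code is demanded can be read as one decision function. The sketch below is an added example, not Tipalti's code: `Request`, `decide` and the field names are hypothetical, and it assumes that a remembered device never skips the payment-method check and that the 30-day window ends exactly 30 days after the device was remembered.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple

REMEMBER_DEVICE = timedelta(days=30)
# Payer roles the page lists as challenged at every login when extended 2FA is on.
ALWAYS_CHALLENGE_ROLES = frozenset({
    "Add Payee", "View Secure Details", "Update Payee",
    "Payee Reviewer", "View Balance",
})

@dataclass(frozen=True)
class Request:                                    # hypothetical model, not a Tipalti type
    action: str                                   # "login" or "change_payment_method"
    extended_2fa: bool = False                    # extended mechanism activated
    roles: frozenset = frozenset()                # payer roles; empty for a payee
    device_remembered_at: Optional[datetime] = None
    acting_for_registered_payee: bool = False     # payer logged in as a 2FA-registered payee

def decide(req: Request, now: datetime) -> Tuple[bool, Optional[str]]:
    """Return (code_required, who_receives_the_code)."""
    if req.action == "change_payment_method":
        if not req.extended_2fa:
            return False, None
        # Step-up check: assumed never skipped for a remembered device.
        return True, "payee" if req.acting_for_registered_payee else "actor"
    if req.action != "login":
        raise ValueError(f"unknown action: {req.action!r}")
    if req.extended_2fa and req.roles & ALWAYS_CHALLENGE_ROLES:
        return True, "actor"                      # no remember-device for these roles
    ts = req.device_remembered_at
    # A timestamp in the future is treated as untrusted rather than as valid.
    if ts is not None and timedelta(0) <= now - ts < REMEMBER_DEVICE:
        return False, None
    return True, "actor"
```
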
Tipalti supports several SSO providers. Instructions for setting up 2FA with each provider are below.
Prior to setting up 2FA, you need to set up Google Workspace as an SSO provider for the Tipalti app.
To set up 2FA:
- In the "Admin console" page, go to Security > Authentication > Login challenges.
- On the left, select the organizational unit where you want to set the policy.
- Click "Post-SSO verification".
- Select "Logins using SSO are subject to additional verifications (if appropriate) and 2-Step Verification (if configured)".
- On the bottom right, click "Save".
For all users, select the top-level organizational unit. Initially, an organizational unit inherits the settings of its parent.
Google creates an entry in the Admin audit log to indicate the policy change. With the new policy, Google can present risk-based authentication login challenges and 2-Step Verification if it’s configured. The default is to bypass additional verification.
For additional information, see Protect Google Workspace accounts with security challenges.
Prior to setting up 2FA, you need to set up Okta as an SSO provider for the Tipalti app.
An Okta admin can configure MFA at the organization or application level. If both levels are enabled, end users are prompted to confirm their credentials with factors when signing in to Okta and when accessing an application.
For additional information, see MFA factor configuration.
Prior to setting up 2FA, you need to set up OneLogin as an SSO provider for the Tipalti app.
In order to use multi-factor authentication with OneLogin, you must enable one or more authentication factors for your OneLogin account. You can also create multiples of the same factor (remember to name them descriptively) for different audiences, such as partners or new business units.
- Log in to your OneLogin account as an Administrator.
- Go to Security > Authentication Factors.
- On the "Authentication Factors" tab, click "New Auth Factor".
- Select an authentication factor and click "Choose".
- Enter your client account information and name the factor, especially if you configure multiple YubiKeys or multiple Duo instances.
OneLogin provides a number of authentication factors including OneLogin Protect, OneLogin Security Questions, and others such as Google Authenticator and YubiKey.
As of May 2019, Duo, Symantec VIP, RSA SecurID, and YubiKey allow multiple instance creation. OneLogin Protect, SMS, Voice, and security questions do not, and support for those will follow in subsequent releases.
For additional information, see Enabling Authentication Factors.