Concur Sign In Security Changes -Two-Factor Authentication and New Password Policy

All users who employ basic authentication (entering an SAP Concur username and password) when signing in at on web or on the mobile app will be required to set up two-factor authentication (2FA) at the time of their next sign in.

How do I setup two-factor authentication?

In addition to 2FA, there will be a new password policy enhancement; any company whose
password policies don’t meet the minimum standard will automatically be updated to the new
minimum standard. Beginning November 15, 2023 all users’ password policy
will be checked at the time of sign in and Concur will enforce us to reset with the new
policies. Both 2FA and the New Password Policy UI will occur in phases.

Why is 2FA being required in order to sign in to Concur?
2FA is a layered approach to securing your users accounts and the data they contain. When 2FA
is enabled, after entering the correct password, the user is prompted to provide the second
factor of authentication, which could be a one-time code generated by a mobile authenticator
app. This second step verifies the user’s identity before the service grants the user access. 2FA
greatly enhances the security of online accounts and is a core component of a strong identity
and access management policy. While important, usernames and passwords are vulnerable to
credential stuffing, password breaches and can be stolen by third parties. Enforcing the use of
an 2FA significantly reduces the risk of unauthorized access and increases confidence that your
accounts will stay safe from cyber criminals.

Is there an option to disable the 2FA feature?
No, there is no option to disable the 2FA feature. If you attempt to sign in using a Concur
username/password on Web or Mobile, you are required to use 2FA.

What will the end-user experience when signing in to Concur under 2FA?
After you choose an authenticator allowed by your company IT policy, you will be asked to enter
the 6-digit code generated by the authenticator app. This will be required for every subsequent
login. Please note that a browser version is available for users on corporate phones with security
limitations on downloading new authenticator apps. If downloading authenticator apps on the
corporate phone are not permitted, user is free to download an authenticator app on their
personal mobile device as well. The following is a list of authenticator apps: Google, Microsoft,
Twilio, and Duo.

Why will SAP Concur be enforcing new password policies ?
Concur is raising the benchmark on minimum password requirements and setting new baseline to ensure your company has the best security posture against cyberattacks.

Why has SAP Concur decided to roll this out in such an urgent fashion with little
SAP Concur is releasing 2FA in October as that is when it is technically ready and to ensure
they are adding additional security to our customer’s accounts. Security is one of SAP’s top
concerns and they want to ensure our customer data is safe.
There are more than 24 billion username and passwords on the dark web as of June 2022.
Hackers are getting smarter every day and username/passwords are vulnerable to risk of
unauthorized access, brute force attacks, and various cyber threats, such as phishing, credential
stuffing, and password breaches. This can lead to sign in credentials being stolen by third
parties. Enforcing the use of a 2FA significantly reduces the risk of unauthorized access and
increases confidence that your accounts will stay safe from cyber criminals.
The rollout may be fast, and while not perfect, slowing down the release is not an option. They
are an agile company and are still working through the rollout pieces based on customer
feedback. It costs SAP millions of euros to deal with 1 security incident and per the ISBN
Security team they need to lower the risk of the incidents. Their reputation is a valuable asset, and
if a security incident happens, it can tarnish their image in the eyes of their customers, partners,
and the general public. They know that your confidence in their ability to safeguard your data is
crucial. They want to reassure you that they are investing in stronger security measures and
continuously monitoring and improving the systems.

Who is NOT impacted by the Two-factor Authentication (2FA) change?
Users that authenticate via Single Sign On (SSO) will not be impacted. SSO is a Concur cost feature, contact ETC to inquire about current pricing.