About MFA Authenticate
Multi-factor authentication (MFA) is used to validate the token sent to the user's mobile device via the mfaChallenge API. This API validates the challenge ID and the token that was sent to the user's mobile device. Upon success, the user's session is marked as trusted.
If rememberMe is set to true, the trusted session expires in 30 days. Otherwise, it expires when the user logs out. Use the MFA Status API to check if the session has expired.
Note:
- deviceId is indicative of the user's unique device where they receive the challenge and subsequent authentication token. It is recommended to assign a unique identifier for each user, and store this information for future reference.
- The mfaId response parameter will only be returned if rememberMe is true.
MFA login process
Login with an MFA trusted API session is a three-step process:
- Sign in with Login to generate a sessionId.
- Create an MFA challenge ID and send a token to your mobile device with MFAChallenge.
- Validate the challenge ID and token with MFAAuthenticate. At this point, the login sessionId is MFA trusted.
Note: See Multi-factor authentication (MFA)/2-step verification in the Bill.com Help for more information about all the security measures in place for your Bill.com account operations.
Example
Request
<API_URL_EndPoint>/MFAAuthenticate.json
data={
"challengeId" : "!ak9txcIMmPsky0OBLE9KIZ3MtZexYcZtGo6FOCGATCYk",
"token" : "123-456",
"deviceId" : "916E333F-1BBC-4471-946D-8059DB9488B6",
"machineName" : "Bob's iPhone",
"rememberMe" : true
}
Response
data={
"response_status" : 0,
"response_message" : "Success",
"response_data" : {
"mfaId" : "!aTdAZjLbxn7-z8GiNyokJfp9ybYEKJd1KM1K2emUdvoU"
}
}
Resources
Parameters
Request parameters
Field Name | Description | Required? |
---|---|---|
challengeId | The ID that is returned after successfully calling the mfaChallenge API. | Yes |
token | The token sent to the user's device after calling the mfaChallenge API. | Yes |
deviceId | String(100) - Unique ID defined by the user to identify the MFA device. | Yes |
machineName | String(100) - Name defined by the user to describe the MFA device. | Yes |
rememberMe | Determines if the MFA ID that is returned needs to be trusted after the session ends. If set to true, the session expires in 30 days (43200 minutes). If set to false, the session expires when the user logs out. | Yes |
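
An added example, not Bill.com's code: Python that checks the MFAAuthenticate request fields against the table above and interprets the response, including the rule that mfaId is returned only when rememberMe is true. The function names, the UUID-based deviceId scheme, the treatment of any non-zero response_status as a failure, and the sample response are assumptions made for illustration.

```python
import json
import uuid
from datetime import datetime, timedelta, timezone

TRUST_MINUTES = 43200  # 30 days, from the rememberMe row of the table
MAX_LEN = 100          # String(100) limit on deviceId and machineName

# Constructed sample body, shaped like the page's response example.
SAMPLE_RESPONSE = ('{"response_status": 0, "response_message": "Success", '
                   '"response_data": {"mfaId": "!constructed-mfa-id"}}')

def new_device_id():
    """Assumed scheme: one random UUID per user device, stored by the caller."""
    return str(uuid.uuid4()).upper()

def build_request(challenge_id, token, device_id, machine_name, remember_me):
    """Check the five required fields and return the JSON value for data=."""
    if not challenge_id or not token:
        raise ValueError("challengeId and token are required")
    for name, value in (("deviceId", device_id), ("machineName", machine_name)):
        if not value or len(value) > MAX_LEN:
            raise ValueError(f"{name} must be 1 to {MAX_LEN} characters")
    if not isinstance(remember_me, bool):
        raise ValueError("rememberMe must be a boolean")
    return json.dumps({"challengeId": challenge_id, "token": token,
                       "deviceId": device_id, "machineName": machine_name,
                       "rememberMe": remember_me})

def parse_response(body, remember_me, now):
    """Return (mfa_id, trust_expiry); both are None when rememberMe is false."""
    resp = json.loads(body)
    # Assumption: any response_status other than 0 is a failure.
    if resp.get("response_status") != 0:
        raise RuntimeError("MFAAuthenticate failed: %s" % resp.get("response_message"))
    if not remember_me:
        return None, None  # trust ends when the user logs out
    mfa_id = (resp.get("response_data") or {}).get("mfaId")
    if not mfa_id:
        raise RuntimeError("rememberMe was true but no mfaId came back")
    return mfa_id, now + timedelta(minutes=TRUST_MINUTES)

if __name__ == "__main__":
    build_request("constructed-challenge-id", "123-456", new_device_id(),
                  "Bob's iPhone", True)
    mfa_id, expiry = parse_response(SAMPLE_RESPONSE, True,
                                    datetime.now(timezone.utc))
    print("trusted until", expiry.isoformat())
```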