Generate an MFA challenge ID and send a token to your mobile device registered with BILL.
Using /MFAChallenge.json
is step two of signing in with an MFA trusted API session.
Multi-Factor Authentication (MFA)
There are four protected endpoints require MFA for login with a trusted API session.
- Invite a vendor (not in the BILL network) with
/SendVendorInvite.json
- Invite a customer in the BILL network with
/SendInvite.json
- Add a vendor bank account with
/VendorBankAccount.json
- Pay a vendor in the BILL network with
/PayBills.json
Note: See Multi-factor authentication (MFA)/2-step verification in the BILL Help Center for more information about all the security measures in place for your BILL account operations.
Sign in with an MFA trusted API session is a three-step process.
- Sign in to generate a
sessionId
value with/Login.json
. - Generate an MFA challenge ID with
/MFAChallenge.json
. When you call/MFAChallenge.json
, a token is sent to your mobile device registered with BILL. - Authenticate the challenge ID and token with
/MFAAuthenticate.json
. At this point, thesessionId
(from step one) is MFA trusted. Note that themfaId
token expires at end of the current session or when you sign out.
Maintaining MFA for 30 days
In step three of the MFA process, if you set rememberMe
as true
in your /MFAAuthenticate.json
request, the mfaId
value is marked as trusted for 30 days. For these 30 days, set deviceId
and mfaId
as additional fields when you sign in (/Login.json
).