Corporate Travel Management News and Tips

Is your Company Ready for Concur’s 2-factor Authentication and Password updates?

October 5, 2023 | Blog, For Travel Managers, For Travelers, Visible

As your TMC partner, we want to proactively update you on the changes coming to your Concur online booking tool.  Please know we are here to support you with any questions you may have in the coming weeks.

SAP Concur Changes
2 Factor Authentication/Password requirements:

As a part of security features upgrade Concur plans to implement mandatory two-factor authentication (2FA) for all users who are using basic authentication (username and password) on web or mobile. Users that access Concur Travel via SSO without a password required will not be impacted by the new 2FA requirements.

Concur plans to implement this in two phases: Phase 1 on October 18 and Phase 2 on November 15.

Phase 1 (valid email address in profile NOT REQUIRED)–October 18 to November 14

  • During this time, users will receive a prompt to set up 2FA when logging in using basic authentication (username and password).
  • Although valid email address is not required for this phase, it is required effective November 15, at which time if a user doesn’t have a valid email address, they will not be able to log into Concur.

Phase 2 (valid email address in profile REQUIRED)–November 15 ongoing

  • All users must have a valid email address in the first email field in their traveler profile to receive a link to setup 2FA
  • In addition to 2FA, there will be a new password policy enhancement where users will be required to reset their passwords to be compliant with Concur’s new minimum standard.

NOTE: If you have multiple logins for Concur Travel, the enrollment process is required for each credential.

Impact to End Users:

  • End users will be required to enroll in 2FA during the sign in process beginning October 18. This will require them to have an authenticator app on their mobile phone or via browser extension.
  • After successful registration, end users will be prompted to enter a 6-digit code generated by their authenticator app. This process will be in place for all subsequent logins.
  • Concur suggests the following authenticator apps: Twilio Authy Authenticator, Duo Mobile, Microsoft Authenticator, and Google Authenticator.
  • If an end user does not have a mobile phone or does not want to download an authenticator app on their mobile phone, they can use an authenticator app on their browser such as Google Chrome or Microsoft Edge.

Action required:

  • Travel Managers should contact their IT department and confirm which authenticator app(s) end users should download ahead of time.

More information will be communicated in the coming weeks.