Multi-Factor Authentication
Multi‑Factor Authentication (MFA) provides an extra layer of protection for your Onventis Buyer account. When MFA is enabled, you will log in using two different factors: your password (something you know) and a verification code sent to your email (something you have). One‑time passwords (OTPs) are valid for only a single login session and help defend against unauthorised access.
The following guide explains what MFA is, how to enable it for your organisation and how to use it when signing in. It also covers how to resend codes and troubleshoot common issues.
1. What you need
An Onventis Buyer account with administrator rights to configure organisational settings.
Access to the email inbox for the user who initiated the login process.
No additional hardware or mobile apps are required. The verification code is delivered via email.
2. Enabling MFA for your organisation
Only organisation administrators can enable MFA. To do so:
Check your permissions: Navigate to Master Data Management → User roles, select your role and ensure you have the rights to edit organisational settings. If you cannot see the MFA option, please contact your Onventis sales contact or customer support.
Open organisation settings: Go to Configuration → Organisation settings. A new tab labelled Multi‑Factor Authentication is available.
Activate MFA: Click the tab and toggle the setting to On. There are no further options to configure; code length, expiry time and retry attempts are fixed by Onventis.
Save changes: Just close the tab and everything is saved. MFA is now active for all users in your organisation who log in via the internal login form. Single sign‑on (SAML) and impersonation logins are not affected.

3. Signing in with MFA
Once MFA is enabled, the login process is as follows:
Enter your username and password. If the credentials are correct, the system will send a six‑digit verification code to the email address associated with your user account. For security reasons, the code is valid only for your current login session.
Check your inbox. The subject line of the email is “Your Login Verification Code.” The email contains the six‑digit code and explains that it can be used only once. Delivery typically takes around 60 seconds depending on your mail provider.
Enter the code. You will see six input boxes on the MFA page. Type the digits exactly as they appear in the email. If you copy the code, the system will automatically paste each digit into the correct box.
Automatic verification. As soon as you enter the last digit, the system checks the code. If it is correct, you are redirected to your dashboard. You do not need to click a separate submit button.
Invalid codes. If the code is incorrect, you can try again. You have up to three attempts. After three failed attempts, the code becomes invalid and you must request a new one using the Resend code button.




What if I didn’t receive the email?
Check your spam or junk folder. The email comes from the same sender as other Onventis notifications.
Ensure that your email inbox is working and that your mailbox is not full.
Wait at least 60 seconds. Delivery times vary by provider.
If you still haven’t received the code, click Resend email. The old code will be cancelled and a new one sent. Note that you can only click Resend once every 60 seconds.
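For administrators and security reviewers, the sign-in rules above (six-digit code, single use, three attempts, resend cancels the old code, 60-second resend cooldown) can be modelled as a small server-side state machine. The Python below is an added example, not Onventis code: the class and method names are hypothetical, and it assumes the cooldown is counted from the most recent send.

```python
import hmac
import secrets

# Values the page states; the real service's internals are not documented.
CODE_DIGITS = 6
MAX_ATTEMPTS = 3
RESEND_COOLDOWN_S = 60


class EmailOtpChallenge:
    """One pending email-OTP challenge, tied to a single login session."""

    def __init__(self, now: float):
        self._issue(now)

    def _issue(self, now: float) -> None:
        # CSPRNG, zero-padded so codes such as 004217 keep six digits.
        self.code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.failed = 0
        self.active = True
        self.issued_at = now

    def verify(self, submitted: str) -> str:
        """Return 'ok', 'retry' or 'locked' (a new code must be requested)."""
        if not self.active:
            return "locked"
        # Constant-time comparison avoids leaking matching prefixes via timing.
        if hmac.compare_digest(submitted.encode(), self.code.encode()):
            self.active = False  # single use: a replayed code is rejected
            return "ok"
        self.failed += 1
        if self.failed >= MAX_ATTEMPTS:
            self.active = False  # third failure invalidates the code
            return "locked"
        return "retry"

    def resend(self, now: float) -> bool:
        """Replace the code unless the 60-second cooldown is still running."""
        if now - self.issued_at < RESEND_COOLDOWN_S:
            return False
        self._issue(now)  # the old code is cancelled by being overwritten
        return True
```

With three guesses per code out of one million possibilities, the attempt limit and the resend cooldown together are what bound online guessing; the code length alone does not.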
4. Interaction with single sign‑on (SAML)
If your organisation uses SAML‑based single sign‑on, the email MFA described here does not apply. Authentication and multi‑factor enforcement are handled by your external identity provider. Users continue to access the system via the SSO start link provided in the SAML configuration. Administrators can choose to enable both SSO and normal UI logins; MFA applies only to the normal UI login.
5. Security tips
Use a strong, unique password for your Onventis account. MFA is an additional layer, not a replacement for a good password.
Do not share your verification code with anyone. Scammers may attempt to trick you into giving them your code. If you did not initiate the login, do not enter the code and change your password immediately.
Consider enabling multi‑factor authentication on your email account as well. If someone gains access to your email, they can intercept verification codes.
6. Getting help
If you encounter problems enabling MFA or logging in, please contact your organisation administrator or Onventis support. When submitting a support ticket, include your username, organisation name and a brief description of the issue (e.g., “code not received,” “code invalid after first attempt,” etc.).
7. Frequently asked questions
Can I change the number of digits or the validity period of the code?
No. The current implementation uses a fixed six‑digit code and it is valid only for the current login session.
Do I need to install an authenticator app?
No. The verification code is sent via email. A mobile app or hardware token is not required.
Does MFA apply when I use single sign‑on (SSO)?
Email MFA applies only to the internal login form. If you log in via SSO, your external identity provider is responsible for MFA enforcement.
What happens after three failed attempts?
If you enter the wrong code three times, the code becomes invalid and you must click Resend code to receive a new one. You can then attempt to log in again with the new code. There is a 60‑second cooldown between resend actions.