Enterprise Architecture Blog Posts
Akhat_12
Product and Topic Expert

Starting from January 15, 2026, super administrators can enforce Multi-Factor Authentication (MFA) for their S-users. This new feature has been developed based on direct customer feedback and in response to the evolving security landscape, resulting in stronger protection for your user accounts.

What is Multifactor Authentication?

Multi-factor authentication, commonly known as MFA, is a powerful security measure that helps safeguard your accounts by requiring more than just a password. Instead of relying solely on something you know (like a password, PIN, or signature), MFA asks for an extra layer of verification, which could be:

  • Something you have: A one-time code generated by an authenticator app on your smartphone
  • Something you are: Biometrics, such as a fingerprint or a facial scan

By combining these different authentication factors, MFA makes it significantly tougher for attackers to break into your account. This is in fact one of the most effective ways to prevent unauthorized access and stop most data breaches.

Strengthening security with enhanced MFA Options for S-Users

Protecting critical SAP assets is crucial for our customers. Therefore, our approach to multi-factor authentication is evolving to meet this challenge. Now, super administrators can take a proactive role by enforcing MFA for S-users, while individuals still have the freedom to secure their accounts independently. This dual approach (administrator-led enforcement alongside voluntary enablement) offers flexibility and meets modern security demands.

In the past, enabling MFA was left up to each S-user’s discretion. However, relying solely on voluntary enrollment is no longer sufficient to safeguard sensitive business information. By empowering both administrators and users, we’re making it easier to prevent unauthorized access and strengthen your organization’s security.

NEW scenario: Selective MFA enforcement by customer’s own super administrators

Now, super administrators can take a proactive role by enforcing MFA for S-users of their own company, while individuals still have the freedom to secure their accounts independently. Of course, this should be aligned with the company's own security policy.

Through the User Management Tool (UMT) in SAP for Me, super administrators have the option to activate MFA for S-users. This new feature allows administrators to: 

  • Enforce MFA: Search for, filter, and select specific S-users or all of them to make MFA mandatory for their logins.
  • Exclude technical users: Crucially, super administrators can exclude specific technical accounts (like those used for the BTP cloud connector) from the MFA requirement, ensuring that core business processes continue to run smoothly.

After MFA is enforced, the selected S-user(s) will receive an email notification with simple instructions on next steps and be guided through a one-time setup on their next login, ensuring a seamless and secure transition.


EXISTING scenario: Voluntary MFA enablement by the S-users themselves

The option for individual users to proactively secure their own accounts remains fully available.

Any S-user can visit their profile page via SAP's profile management at any time to enable MFA for themselves. This has been a great option for security-conscious users who want to protect their accounts even before an administrator-led rollout.

Please note: MFA enforced by the super administrator overrides any voluntary setting previously configured by the user.
