Ultimate Guide to NetSuite Two-Factor Authentication

What is Two-Factor Authentication?

Two-factor authentication (2FA) is a method of confirming users’ identities with a combination of two different factors: 1) something they know and 2) something they have. A good example of two-factor authentication is to supplement a user-controlled password with a code generated or received by a device that only the user possesses. 2FA is a security measure that enforces a secondary level of security which protects your NetSuite account from unauthorized access.

NetSuite 2FA requires the following to access your account:

  1. User credentials.
  2. A verification code supplied by one of the following:
    1. An approved 2FA application that complies with OATH TOTP.
    2. A phone verification code via SMS or voice call.
    3. A verification code from provided during 2FA setup.

What do you need to know?

NetSuite requires 2FA for all highly privileged roles in order to access production, sandbox, development, and release preview accounts. When users who require 2FA login they will be guided through a process for setting up both primary and secondary authentication methods.

The following permissions require 2FA:

  1. Access token Management
  2. Two-Factor Authentication base
  3. Setup of OpenID
  4. Setup SAML
  5. Integration Application
  6. Device ID Management
  7. Any access via API, SuiteTalk (WebServices), and RESTlets

Roles that do not include these permissions are not required to use 2FA to access your account.  Administrators can define which roles require 2FA by navigating to Setup > Users/Roles > Two-Factor Authentication Roles.

Setting Up Your 2FA

Users who require 2FA must complete their initial setup by login in via their your computer. While users can log in with 2FA via their mobile device, it is not possible to perform the initial setup with a mobile device. The first time a user with access to a role requiring 2FA logins in they will be shown a “Security Setup”.

First, a user will need to select their primary method for receiving their 2FA verification codes.  A user will be prompted to select from an Authenticator App (recommended) or SMS/Voice Call.  If a user has selected to utilize the authenticator app the user will need to download an approved app.  When prompted by the app the user must scan the QR code displayed on the setup screen.

Recommended 2FA apps:

  1. Google Authenticator
  2. Microsoft Authenticator
  3. OKTA Verify

The Authenticator app will then generate verification codes for NetSuite access.  The codes expire after 30 Seconds and a new code will be promptly displayed.

Users must set up a secondary method to receive codes in the event that they are not able to access their primary method of authentication.

After users have established both a primary and secondary authentication process the system will provide users with ten backup codes.  These unique backup codes can be used to access the NetSuite application in the case that users are not able to receive a verification code. It is critical to save these codes in a place that will be easy to remember and access. Each code is valid for single use.

After a user has completed the 2FA setup, the “Rest 2FA Settings” and “Generate Backup Codes” link will appear under the settings portlet on the user dashboard.  To locate this portlet, navigate to the dashboard by clicking on the house and scrolling down.  The portlet will look like the one below:

Resetting your 2FA settings

A user can reset their 2FA settings from the settings portlet discussed above on the user’s home dashboard.  On the reset 2FA settings page, a user may be requested to enter their NetSuite password or enter an authorization code.  You will then need to click the “Reset” button.

A confirmation screen will appear and as the user, you will need to confirm that yes you do want to reset your 2FA process.  By doing this you will be resetting any setting you currently have in place.  If you are unable to proceed or encounter an error, contact your administrator so that they can reset these setting on your behalf.