
What You Need to Know About NetSuite Two-Factor Authentication

NetSuite Two-Factor Authentication

What is Two-Factor Authentication?

NetSuite Two-Factor Authentication, commonly referred to as “2FA”, is a security safeguard offered with the application. It lets companies using NetSuite add an extra layer of protection to their accounts. By establishing active security measures, 2FA can protect your company against unauthorized access and potential exposure of sensitive and confidential information. Starting from the 2018.1 NetSuite release, 2FA is a mandatory requirement in all NetSuite accounts for roles with privileged permissions.

Additionally, Two-Factor Authentication not only provides additional security and protection but is also cost-effective, as it comes at no additional cost. There is no need for special hardware tokens, and the process requires minimal maintenance, making it a convenient and hassle-free way to enhance your account security.

Two-Factor Authentication requires that administrators and/or users with specific permissions provide the following when logging into the NetSuite application:

  1. Their user credentials (email/password)
  2. Verification code supplied by one of the following: (all codes are good for a single login)
    1. An approved 2FA application that complies with OATH TOTP. These types of apps generate a time-based verification code for each login that a user attempts.
    2. Verification codes from a list of backup codes provided during 2FA setup.

What should Administrators and Super Users know?

NetSuite mandates Two-Factor Authentication (2FA) for all administrators and individuals with high-privilege permissions when accessing NetSuite. This requirement encompasses access to production, sandbox, development, and release preview accounts. Note that all Administrators and specified roles are automatically designated as 2FA-required, and this cannot be altered or changed. Below are details required for those designated roles.

The implementation of NetSuite Two-Factor Authentication is a user-friendly, self-service process. When a user with 2FA-required permissions logs in for the first time, they are guided through the setup of primary and secondary authentication methods. Importantly, 2FA integrates with all non-customer center roles, including contacts, ensuring comprehensive security across the board.

NetSuite currently supports and/or recommends the following four smartphone apps:

  1. Oracle Authenticator
  2. Google Authenticator
  3. Microsoft Authenticator
  4. OKTA Verify

NetSuite offers support for a wide array of applications that adhere to industry-standard security protocols. Specifically, NetSuite works with any app compatible with OATH TOTP (Time-based One-time Password), an IETF (Internet Engineering Task Force) standard, where OATH stands for the Initiative for Open Authentication.

Permissions that require 2FA

In the 2018.2 NetSuite release, a mandatory requirement was introduced for all roles that utilize administrative permissions. These permissions are:

  1. Access token Management
  2. Two-Factor Authentication base (this is the permission that designates a role as 2FA-required)
  3. Device ID Management
  4. Integration Application
  5. Setup of OpenID (Single Sign-On)
  6. Setup SAML (Single Sign-On)


For users or roles without the specified permissions, the option to remove the enforced Two-Factor Authentication (2FA) requirement is available. To facilitate this process, administrators can follow these steps:

  1. Go to the “Setup” menu.
  2. Select “Users/Roles.”
  3. Navigate to the “Two-Factor Authentication Roles” section.
  4. Locate the role for which you want to disable 2FA.
  5. In the dropdown menu, select “Not Required” to deactivate the 2FA requirement.


This streamlined procedure ensures that administrators can efficiently manage and customize 2FA settings based on specific user and role needs.

2FA Roles

As an administrator, you have the ability to adjust the 2FA requirement based on a designated timeframe as seen in the screenshot above. While it’s not possible to remove this permission from your user role, you can configure the system to prompt you for 2FA only at specified intervals.

It’s important to note that the mandatory 2FA requirement extends beyond the user interface (UI). It encompasses all non-UI access to the NetSuite application, including Application Programming Interfaces (APIs), SuiteTalk (Web Services), and RESTlets. Access methods that rely on user credentials (email/password) for API access will fail authentication when 2FA is required for the role, because there is no way to supply the verification code in that flow.

Configuring Initial 2FA

Users who require Two-Factor Authentication (2FA) must initiate their initial setup within the NetSuite Application on their computer. While users can subsequently log in using 2FA via mobile access, it’s important to note that performing the initial setup from a mobile device is not supported.

The first time a user with access to a role requiring 2FA logs in, they will be presented with a “Security Setup” process, guiding them through the necessary steps to enhance their account’s security.


To initiate the Two-Factor Authentication (2FA) setup process, users should begin by selecting their preferred primary method for receiving verification codes.

Previously, users had the option to receive an SMS text message, but as of March 1st, 2023, users are required to use an authenticator app instead. Users can choose the authenticator app of their choice. Once the app is installed, users should follow the app’s instructions to scan the QR code displayed on the setup screen.

The Authenticator app will then generate time-sensitive verification codes for NetSuite access. These codes have a 30-second lifespan, after which they expire, and a new code is generated and displayed for continued secure access.

Auth Verify

In addition to configuring their primary method of authentication, users are encouraged to set up a secondary or backup method. This secondary method serves as a fail-safe in case users encounter difficulties accessing their primary authentication method.

Once users have successfully set up their authentication methods, the system will furnish them with ten distinct backup codes. These backup codes serve as a lifeline for accessing the NetSuite application in situations where receiving a verification code is not feasible.

It’s important to note that each backup code is a one-time-use key. Users should exercise caution and store these codes securely to ensure uninterrupted access to their NetSuite account.
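The properties described above (OATH TOTP codes that live for a 30-second step, each code good for a single login, and one-time backup codes) can be made concrete with a small server-side verifier. This is an added example written for this article, not NetSuite’s own code: the function names, the sample secret and the replay-guard design are my own, and NetSuite’s tolerance for clock drift is not documented here, so this verifier accepts only the current step.

```python
import base64
import hashlib
import hmac
import secrets
import struct

STEP = 30  # code lifetime in seconds, as described above


def totp(secret_b32: str, at: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the 30-second step containing time `at`."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", at // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def generate_backup_codes(n: int = 10) -> list:
    """Ten random one-time backup codes, mirroring what the setup screen issues."""
    return [f"{secrets.randbelow(10 ** 8):08d}" for _ in range(n)]


class TwoFactorVerifier:
    """Per-user server-side state: TOTP secret plus the unused backup codes."""

    def __init__(self, secret_b32: str, backup_codes):
        self.secret = secret_b32
        self.last_step_used = -1            # replay guard: one login per code
        self.unused_backup = set(backup_codes)

    def verify_totp(self, code: str, now: int) -> bool:
        step = now // STEP
        if step <= self.last_step_used:     # this 30-second code was already spent
            return False
        if not hmac.compare_digest(code, totp(self.secret, now)):
            return False                    # wrong, or expired into another step
        self.last_step_used = step
        return True

    def verify_backup(self, code: str) -> bool:
        # Each backup code is a one-time-use key: remove it on first success.
        if code in self.unused_backup:
            self.unused_backup.discard(code)
            return True
        return False
```

The RFC 6238 test secret (ASCII "12345678901234567890", base32 `GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ`) yields `287082` at Unix time 59, which the verifier accepts once and then refuses.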

Backup Codes

Once a user has completed the 2FA setup, they will notice two additional options: “Reset 2FA Settings” and “Generate Backup Codes.” These options are accessible via the settings portlet on the user dashboard.

To locate the settings portlet, simply click on the house icon to access your dashboard and scroll down. The portlet will be easily identifiable, resembling the example provided below:


Resetting your 2FA settings

To reset your Two-Factor Authentication (2FA) settings, a user can utilize the settings portlet located on their home dashboard, as previously mentioned. Within the “Reset 2FA Settings” page, users may be prompted to provide either their NetSuite password or an authorization code.

Upon supplying the necessary credentials, users should proceed by clicking the “Reset” button to initiate the process.

Reset 2FA

Following your request to reset the Two-Factor Authentication (2FA) settings, a confirmation screen will be displayed. Users will be asked to confirm their intention to proceed with the reset, fully aware that this action will clear any currently configured settings.

In the event that you encounter any difficulties or errors during this process, it is advisable to promptly contact your administrator. They possess the ability to reset these settings on your behalf, ensuring a seamless resolution to any issues that may arise. If you are experiencing any issues or have additional questions, please do not hesitate to Contact Us at TAC as we are a certified NetSuite Alliance Partner.

How TAC Can Help

Unlock the Power of NetSuite with TAC’s Certified NetSuite Consultants. With their extensive expertise, our team has successfully guided numerous clients in two-factor authentication. Whether you need clarifications or wish to schedule a call, we’re here to provide in-depth insights and discuss the full potential of NetSuite’s functionality tailored to your business. Reach out to us today and take your NetSuite experience to the next level.

