Q: Does NetSuite have 2 Factor Authentication (2FA)?
Starting with NetSuite version 2018.2, two-factor authentication (2FA) is required for all login sessions using Administrator and Full Access roles in newly provisioned SDN accounts.
The 2FA enforcement was already rolled out to customer production accounts that were newly provisioned on 2018.1. All login sessions using either the Administrator or Full Access roles require 2FA. Unless specified, custom roles that do not contain 2FA-required permissions do not require 2FA during login
An exception to the 2FA enforcement was made to SDN accounts during 2018.1 to minimize disruption. This enforcement will expire starting in 2018.2, and it will be rolled out to new SDN accounts provisioned from phase 1 of 2018.2 to have a unified authentication model with the customers.
User Interface Logging:
As per NetSuite Suite Answers, For enhanced security, NetSuite 2018.2 requires two-factor authentication (2FA) for all Administrator, Full Access, and other highly privileged roles when logging to any NetSuite account. This requirement includes UI access to production, sandbox, development, and Release Preview accounts. The Administrator and Full Access roles are designated as 2FA authentication required by default, and this requirement cannot be removed. Certain highly privileged permissions mandate that a role be 2FA required by default. Any standard or customized roles that include these permissions are indicated in the Mandatory 2FA column on the Two-Factor Authentication Roles page. (Setup -> User/Roles -> Two Factor Authentication Roles)
Two-factor authentication (2FA) allows enforcement of an additional level of security for logging in to the NetSuite user interface. Using 2FA can protect your company from unauthorized access to data.
Two-factor authentication requires that users log in to the NetSuite UI with:
- NetSuite user credentials: their email address and password.
- A verification code supplied by one of the following:
- An authentication application that complies with OATH TOTP. The app generates a time-based verification code for each login. You can select an authenticator app from the vendor of your choice, as long it complies with the OATH TOTP standard. The following mobile phone apps are recommended: Google Authenticator, Microsoft Authenticator and OKTA Verify.
- A phone that can receive verification codes by Short Message Service (SMS) message or by voice call.
- A verification code from a list of backup codes.
Each verification code is a unique series of numbers valid for a limited time, and only for a single login.
Users can specify how they wish to receive verification codes when they set up their 2FA preferences.
If your administrator designated one or more of your roles as 2FA authentication required, you can use an authenticator app to obtain a verification code, or use your phone to request a code by SMS message or voice call, or use one of your backup codes
- You can decide whether you want to check the Trust this device box. For more information about this box, click one of the links to select an alternative method for receiving a code for this log in attempt. For example, click SMS message, Voice call, or backup codes.
- Your other roles are listed on the page. You can select an alternative role by clicking the Choose link to the right of the role.
You must complete the initial 2FA setup in the NetSuite UI on your computer.The first time you log in to NetSuite with a 2FA required role, you are shown the Security setup page.
To complete your 2FA setup:
Select your primary method for receiving 2FA verification codes.
Select Authenticator app (recommended). If you did not already install an authenticator app on your phone, do so now.
Select SMS or phone call if you prefer to receive verification codes on your phone. Follow the directions in Step 4.
Note: You can click Skip to NetSuite to dismiss this prompt up to five times. After the fifth time, you are required to set up an authenticator app or your phone number.
Using the authenticator app on your phone:
Scan the QR code displayed, or manually enter the string of characters shown next to the QR code.
The authenticator app generates a verification code.
Enter the verification code.
Verification codes generated by authenticator apps expire approximately every 30 seconds. Enter a new code if the initial code you receive expires.
Important: If you have entered several codes in a row that have been refused, do not keep trying codes from your app. After six failed attempts, you will lock yourself out of NetSuite. If the time on your phone or app is not properly synchronized, NetSuite will not accept the verification codes generated by your app.
You should set up a secondary method to receive codes for two-factor authentication. If you selected SMS or phone call as your primary method, follow the directions in Step 1 for an authenticator app.
Note: You can click Skip to Backup codes if you do not want to set up a secondary method for receiving codes.
Select the flag that represents the country where your phone service originates, and enter the phone number to receive your verification code for NetSuite. Your phone number is linked to the email address you use to log in to the NetSuite UI.
You only need to type the numbers. Dashes and parentheses are not required.
If you don’t see the correct country flag icon in the list, type a plus sign, your country code, and your phone number.
If you receive an error message, ask your administrator to verify that your country is supported for text messages (SMS) or voice calls. Select either the SMS or the Voice call option.
A verification code is sent to your phone. Enter the verification code.
Ten backup codes are displayed in the UI.
These unique backup codes can be used to log in to a 2FA role when you are unable to receive a verification code. Each backup code can be used only a single time.
Important: Treat backup codes as securely as you would treat a password. This is the only time these unique ten codes are displayed in the UI. You cannot retrieve these from the system after you close this window. If you lose these backup codes, you can generate new ones.
Click Print to print the backup codes, if desired.
After your 2FA setup is complete, the Reset 2FA Settings and Generate Backup Code links appear in your Settings portlet.
Non User Interface Logging:
- The mandatory 2FA requirement also applies to all non-UI access. Non–UI access means access NetSuite through an Application Programming Interface, or API. SuiteTalk (web services) , RESTlets and Inbound SSO integrations that use the mapSso operation are 3 examples of non–UI access to NetSuite. 2FA-required roles employing user credentials for API authentication will fail.
- You must make changes if you are using roles that require two-factor authentication (2FA) and employ user credentials with your RESTlets (NLAuth) or in your web services integrations.
- In 2018.2, 2FA is mandatory for Administrator, Full Access, and any role that has been granted a highly privileged permission for access to the NetSuite UI in all existing NetSuite accounts. The mandatory 2FA requirement also applies to API authentication (non-UI access) to NetSuite. 2FA-required roles employing user credentials for API authentication will fail.
- You must update the third-party application and the related integration record in NetSuite.
Suggestions for updating your integrations and RESTlets follow:
- Modify Roles: avoid using highly privileged roles that require 2FA
- If you are using an Administrator, Full Access, or any other highly-privileged role, create a new role that has only the permissions required to complete the task. Ensure that the new role does not require 2FA. Customize a standard NetSuite role, and remove unnecessary privileges from that customized role. Ensure that the customized role does not require 2FA.
- Transition to Token-based Authentication (TBA)
- If you use RESTlets: change your integration to use TBA. TBA uses OAuth instead of NLAuth.
- If you use SuiteTalk (web services): change your integration to use TBA.
- If your integration was provided by a partner or a third-party provider, contact the partner or third-party who provided the integration, and request that they make the appropriate changes.
Note: The mandatory 2FA requirement is applied only to the authentication process. Suitelets or Scheduled Scripts set to have Administrator or Full Access on the “Execute As Role” field will not be affected.