Defining roles for your users to access NetSuite is one way of controlling who can reach your data.
The roles and permissions put in place, however, are only going to be effective if you can govern who is using them.
One tool in place to help you do that is NetSuite two factor authentication (2fa). With 2fa you add an additional level of security, protecting your data and controlling access.
NetSuite two factor authentication is now mandated for Administrators and users with certain levels of access. It can also be activated for other users as needed.
Setting up and using two factor authentication is quick and easy, so from an access-control perspective there is really no reason not to activate it for all users.
Below I will explain how to configure, use and troubleshoot 2fa.
What is NetSuite Two Factor Authentication
NetSuite two factor authentication is an additional layer of security that helps prevent unauthorized access to the system. In addition to their password, 2fa requires users to enter a unique 6-digit code generated by an authenticator application on a device they hold.
NetSuite previously also supported 2fa via SMS or voice call; however, support for those methods ends in NetSuite release 2024.1.
Various authenticator applications can be used including, but not limited to, the following –
- Google Authenticator
- Oracle Authenticator
- Microsoft Authenticator
- OKTA Verify
The app displays a unique, single-use code for each login. Each code has a 30 second life span, after which the app replaces it with a new one, so the code entered must be the one currently shown.
There is no additional cost to start using NetSuite two factor authentication. There are also no licensing requirements or hardware tokens to buy.
Once 2fa is activated for a user it will apply to all roles, environments and accounts that user has access to.
Mandated Two Factor Authentication
Although two factor authentication can be turned on for specific roles, it is also mandated for Administrators and for roles with certain permissions. Roles that fall into this category cannot have 2fa turned off.
Permissions that result in mandatory 2fa are as follows –
- Access Token Management (for Token-based Authentication)
- OAuth 2.0 Authorized Applications Management
- Core Administration Permissions (see Core Administration Permissions in the Oracle Help Center)
- Two-Factor Authentication base
- Set Up OpenID Connect (OIDC) Single Sign-on
- Set Up OpenID Single Sign-on
- Set Up SAML Single Sign-on
- OIDC Provider Setup
- Integration Application
- Device ID Management
- View Unencrypted Credit Cards
- View Unencrypted ACH Account Numbers
Designating Two Factor Authentication Roles
Roles that do not have mandatory 2fa assigned by NetSuite can still have it activated by an Administrator or by a user with the Two-Factor Authentication base permission.
Navigate to Setup > Users/Roles > Two Factor Authentication Roles. From this page 2fa can be set as a requirement for any role you choose.
Setting up NetSuite Two Factor Authentication
2fa is configured the first time a user logs in with a role that requires it.
After entering the username and password, the user is directed to a setup screen where they must enter a single-use code emailed to them. Once that code is accepted they are guided through the 2fa wizard.
A QR code is provided that can be scanned, or alternatively the 32-character key shown beside it can be typed into the chosen authenticator application. The authenticator app will then display a one-time, 6-digit verification code to confirm the pairing.
Once the authenticator app has been set up, NetSuite provides 10 single-use backup codes. Store them somewhere safe, separate from your password, and use them only in an emergency, for example if the device running the authenticator app is lost.
Resetting Two Factor Authentication in NetSuite
If a user's two factor authentication setup needs to be reset, it can be done in one of two ways: by the user (if they are logged in) or by an Administrator.
An Administrator can reset a user's 2fa by navigating to Setup > Users/Roles > User Access Reset Tool. Enter the email address of the user whose two factor authentication needs resetting, check the Reset 2fa Settings box and Save. Because the reset lets the next login enrol a new device, confirm the requester's identity through another channel before doing this.
The next time the user logs in to NetSuite they will need to run through the 2fa wizard again.
A user can also reset their own 2fa if they are logged in to NetSuite.
Every NetSuite dashboard has the Settings portlet. Locate the Settings portlet and click Reset 2fa Settings.
You will be prompted to enter your NetSuite password and a verification or backup code. Finally click Reset.
The next time you log in to NetSuite you will need to run through the 2fa wizard again.
Managing Trusted Devices
When a user is prompted to enter a verification code for two factor authentication, they have the option to check a box marked Trust this device for 30 days. When this is checked, the user will not be prompted to complete 2fa again for that role on that device for the next 30 days.
If a user wants to remove the trusted flag from their device they can do so from their Settings portlet.
Click the link Manage Trusted Devices.
You will be asked to enter your current password, then select whether you want to restore 2fa on the device you are using or on all devices. Finally click Submit.