NetSuite requires authenticator app for 2FA

NetSuite Institutes New 2FA Requirements

By: Glenn Hofmann

To ensure you have no interruption to your NetSuite access, we are notifying our clients of an important change to NetSuite security that is quickly approaching. Effective March 1, 2024, NetSuite will no longer accept SMS/text and voice call as methods for two-factor authentication (2FA). So, if your NetSuite role is set up to require 2FA at login, you must use an authenticator application to confirm your identity.

NetSuite 2FA Background

First, a quick background on 2FA. For several years, companies have been providing users with a second layer of security on accounts to prevent access if someone guesses or steals their password and tries to log in on a device other than the ones they have already authenticated. This second level of authentication is referred to as 2FA. For NetSuite specifically, any “privileged” role (a role with advanced permissions) is required to have 2FA enabled. 2FA is optional for other roles, but we at KES Systems Solutions (KES) recommend you enable 2FA on all roles. NetSuite lets you set a role to require 2FA on every login or after a set number of days (up to a maximum of 30). You can also set 2FA to always trust a device that the user has confirmed via 2FA.

Why is NetSuite Changing 2FA Requirements?

Now that we’ve covered what 2FA is, why it’s important, and how NetSuite enforces it, let’s talk about why NetSuite is changing its requirements. Up until now, NetSuite gave users three options for 2FA: authenticator app, SMS/text, or voice call. These options gave users flexibility, but NetSuite found that users primarily chose SMS/text for its convenience. Recently, there have been numerous studies showing the potential vulnerability of using SMS/text or voice call for 2FA. Since ERP data is so sensitive, Oracle recently made the decision to no longer support SMS/text or voice calls for 2FA and instead require an authenticator app as the only option, effective March 1, 2023.

Setting Up an Authenticator App in NetSuite

Since Oracle’s deadline is quickly approaching, let me walk you through how to set up an authenticator app for NetSuite 2FA. First, you will need to add an authenticator app, either in your browser or on your phone. KES recommends this authenticator app for those using Chrome or Firefox, but your IT organization may recommend an alternative. Once the authenticator app is installed, you are ready to convert to 2FA via authenticator app within NetSuite. To do so, follow these steps:

Reset your current 2FA settings

  1. Log in to NetSuite and go to your “Settings” portlet on your home page.
  2. Select “Reset 2FA Settings.” You will be prompted to enter your current password and have a verification code sent to you that you must enter.
  3. Select “Reset.” You should receive a confirmation message that registered 2FA devices have been successfully removed.
  4. Log out.

Set up your new 2FA settings

  1. Log back in to NetSuite.
  2. You will be sent a verification code via email that you must enter, followed by “Submit.”
  3. You will be prompted to download an authenticator app, which you should have already done, so just select “Next.”
  4. A QR code will be displayed. Capture or scan this with the authenticator app.
    • If you use the app we recommend above, the app will be displayed in the top right corner of your browser under “extensions” and labeled “authenticator.”
    • Open this and select the square box left of the pencil to bring up a capture box that can be used to highlight/capture the QR code.
  5. The authenticator app will now display a verification code. Enter this code and click “Next.”
  6. You will be shown a list of 10 one-time use backup codes to be used in case you are having trouble with 2FA. We recommend storing these securely, then clicking “Next.”

That’s it! Going forward, if you are asked for an authentication code, you just need to open the authenticator app and select/enter the code shown. These codes change every 30-60 seconds, thus constantly ensuring a new, secure code. If your role has been set up to allow trusting a device for future logins for up to “x” days, you can also check the box to trust the device for the next “x” days, so you don’t have to enter a code every time you log in.

KES strongly encourages completing the above steps now to address any challenges or issues with switching to the 2FA authenticator app well before the March 1, 2024 deadline.

Why KES Systems Solutions?

As full-service NetSuite consultants, we're here to help you implement and optimize NetSuite to take full advantage of its capabilities.