Managing Two-Factor Authentication

Administrators do not have to enable a feature to use 2FA in a NetSuite account. You do not have to purchase or upload tokens. Setup required of administrators is minimal. You can begin using 2FA in your NetSuite account whenever you want to get started. Administrators, or other users with the Two-Factor Authentication base permission, must designate roles as 2FA authentication required. Users who are assigned to 2FA-required roles must set up their authenticator applications and phone numbers in NetSuite.


2FA is required for the Administrator role and other roles with highly privileged permissions. These roles are indicated in Mandatory 2FA column on the Two-Factor Authentication Roles page. For a list of roles that are considered highly privileged, see Permissions Requiring Two-Factor Authentication (2FA).

The Two-Factor Authentication Roles page.

Required 2FA Tasks

See the following required tasks for managing two–factor authentication (2FA) in a NetSuite account. These tasks can be completed by administrators and by other users that have the Two-Factor Authentication base permission.

  • For roles that you want to restrict as 2FA roles, designate the role as 2FA authentication required. See Designate Two-Factor Authentication Roles.

  • When using 2FA, after administrators designate roles and assign them to users, the users:

    • Are sent a verification code by email during the initial login attempt to a 2FA role.

    • Must set up 2FA preferences, select a primary authentication method, and should select a secondary authentication method. See the following for help written for users: Set up Your Preferences for Two-Factor Authentication (2FA).

      • To receive verification codes using an Authenticator App, users must set up an authenticator application.


        Authenticator apps for generating 2FA verification codes are supported in all NetSuite accounts. Users should select an authenticator app as the primary method of authentication. SMS and voice call are subject to carrier availability and changes in local regulations. Therefore, delivery of verification codes by SMS or voice call is not as reliable as using an authenticator app. See Supported Authenticator Apps.

      • To receive verification codes by phone, users must register a phone number in NetSuite, which is tied to the user’s email address.

      • Users are provided ten backup codes, to be used when they are not able to receive a verification code through their authenticator app, SMS message, or a voice call.

Each time a user logs in to NetSuite, they must enter an email address and password. If the role is a 2FA authentication required role, the user must enter a verification code obtained from an authenticator app, or from an SMS message or voice call. Each verification code is a unique series of numbers valid for a limited time, and only for a single login. During setup, users are also supplied with backup codes that can also be used for 2FA access.


Are your users planning a trip to a location where they do not have phone service? Authenticator apps can provide a verification code even when there is no phone service. They should also take their backup codes with them. Remind them to keep their backup codes secure. Do not store backup codes with the login device.

For help written for users, see Logging In Using Two-Factor Authentication (2FA).

Related Topics

Two-Factor Authentication (2FA)
Designate Two-Factor Authentication Roles
Users and Trusted Devices for Two-Factor Authentication
2FA in the NetSuite Application
Supported Countries: SMS and Voice Call

General Notices