Two-Factor Authentication (2FA)

Two-factor authentication (2FA) allows enforcement of a second level of security for logging in to the NetSuite user interface. Using 2FA can protect your company from unauthorized access to data.

Two-factor authentication requires that users log in to the NetSuite UI with:

Each verification code is a unique series of numbers valid for a limited time, and only for a single login.

Users can specify how they want to receive verification codes when they set up their 2FA preferences. To read 2FA help topics available to users, see Logging In Using Two-Factor Authentication (2FA).


Authenticator apps for generating 2FA verification codes are supported in all NetSuite accounts. Users should select an authenticator app as the primary method of authentication. SMS and voice call are subject to carrier availability and changes in local regulations. Therefore, delivery of verification codes by SMS or voice call is not as reliable as using an authenticator app. See Supported Authenticator Apps.

See the following for more information:

What Administrators Need to Know About 2FA

  • As of 2018.1, certain roles with highly privileged permissions require 2FA. See Permissions Requiring Two-Factor Authentication (2FA).

  • New users are prompted to set up security questions when they first log in to NetSuite. However, be aware that users logging in with a 2FA authentication required role are not prompted to answer security questions. The level of security provided by 2FA authentication is greater than that provided by security questions. Users logging in with 2FA roles are only asked to answer their security questions if they forget their passwords. See Setting Up Security Questions for more information.

  • 2FA is not compatible with web services or SuiteAnalytics Connect. To use web services or SuiteAnalytics Connect, you must be logged in with a role that does not require 2FA. If you want to use RESTlets or web services with a highly privileged role, use Token-based Authentication or OAuth 2.0. See Token-based Authentication (TBA) and OAuth 2.0 for more information.


    OAuth 2.0 is only available for use with RESTlets and REST web services. It cannot be used with SOAP web services.

  • If a role is designated as a SAML Single Sign-on (SSO) role, the SAML authentication requirement takes precedence, and the 2FA requirement is ignored.


The NetSuite feature that required RSA SecurID tokens is no longer available for purchase. Customers requiring 2FA for account access should use the 2FA solution built in to NetSuite.

Benefits of 2FA in Your NetSuite Account

The benefits of 2FA include:

  • No special licensing is required. (No cost.)

  • No special tokens are required. (No cost.)

  • Access is supported for the NetSuite UI and NetSuite Mobile applications.

  • Little maintenance is required of administrators. After being assigned to a 2FA authentication required role, users configure their own 2FA settings and manage their own devices in NetSuite.

  • Self-service user setup: pages in the NetSuite UI guide users through setting up primary and secondary 2FA authentication methods, and provide users with backup codes.

  • 2FA works with all non-customer center roles, including contacts.

  • The user’s 2FA setup is shared across all NetSuite accounts and for all companies to which they have access.

  • There are several authentication options available for users, and users can switch between these options when they log in:

    • The Authenticator App option should be the user’s primary authentication method because it is always available: the app works even when the phone is offline. When a user cannot receive an SMS message or a voice call, the authenticator app can still generate a verification code. SMS messages and voice calls are not reliable due to dependence on mobile signal, international restrictions, or roaming. For a list of third-party authentication applications, see Supported Authenticator Apps. See also Troubleshoot Authenticator Apps.

    • The SMS and Voice Call options let users specify their preferred delivery method for verification codes: SMS message or voice call. Users only need to set up a phone number in NetSuite and specify how they prefer to receive verification codes. If necessary, administrators can verify which delivery methods are available in their country. See Supported Countries: SMS and Voice Call.


For information about other authentication methods available in NetSuite, see Authentication Overview.

Related Topics

Managing Two-Factor Authentication
Designate Two-Factor Authentication Roles
Users and Trusted Devices for Two-Factor Authentication
2FA in the NetSuite Application
Supported Countries: SMS and Voice Call
