Designate Two-Factor Authentication Roles


The NetSuite feature that required RSA SecurID tokens is no longer available for purchase. Customers requiring 2FA for account access should use the 2FA solution built in to NetSuite.

An administrator or another user with the Two-Factor Authentication base permission can use the Two-Factor Authentication Roles page to indicate roles that require 2FA for login. Each 2FA role can be configured to specify how often users with that role should be presented with the 2FA challenge. The default is per session, and the Duration of Trusted Device column includes values for hours (4, 6, 8, 12) and days (1–30). The value specified in the Duration of Trusted Device column works in conjunction with the devices users indicate as trusted devices. See Users and Trusted Devices for Two-Factor Authentication for more information.


The 2FA authentication required designation can be applied to most roles, including Employee Center, Partner Center, and Vendor Center roles, but not to Customer Center roles.

2FA is required for the Administrator role and other roles with highly privileged permissions. These roles are indicated in the Mandatory 2FA columns on the Two-Factor Authentication Roles page. For more information, see Permissions Requiring Two-Factor Authentication (2FA).

To designate two-factor authentication roles:

  1. Go to Setup > Users/Roles > Two-Factor Authentication Roles.

  2. Select 2FA authentication required from the list in the Two-Factor Authentication Required column for any role that you want 2FA to be required.

    The Two-Factor Authentication Roles page with one of the Duration of Trusted Device dropdown lists opened.
  3. In the Duration of Trusted Device column, accept the default (Per session) or select the length of time before a device a user has marked as trusted will be subject to a two-factor authentication request.

  4. Click Submit.


The Two-Factor Authentication feature is not compatible with web services or SuiteAnalytics Connect. To use web services or SuiteAnalytics Connect, you must be logged in with a role that does not require 2FA. If you want to use RESTlets or web services with a highly privileged role, use Token-based Authentication or OAuth 2.0. See Token-based Authentication (TBA) or OAuth 2.0 for more information. OAuth 2.0 cannot be used with SOAP web services.

If you need more information about setting up access or roles in NetSuite, see NetSuite Roles Overview and NetSuite Access Overview.

Related Topics

Two-Factor Authentication (2FA)
Managing Two-Factor Authentication
Users and Trusted Devices for Two-Factor Authentication
2FA in the NetSuite Application
Supported Countries: SMS and Voice Call

General Notices