Two-factor authentication is the single highest-impact security change most NetSuite organizations haven't made yet. It takes about fifteen minutes to configure and immediately closes the most common attack vector: compromised passwords.
This guide walks through the entire process, from enabling the feature to enforcing it across your organization, with the real-world gotchas we've encountered along the way.
Why 2FA Matters for NetSuite
NetSuite holds your financial data, customer records, vendor information, and often your entire operational backbone. A single compromised admin credential gives an attacker the keys to everything.
We've seen it happen. A controller at a mid-market manufacturing company reused their NetSuite password on a third-party site. That site got breached, the credentials ended up in a dump, and someone logged into their NetSuite account at 2 AM on a Saturday. They changed the bank account on a vendor record and approved a payment run before anyone noticed Monday morning.
Two-factor authentication would have stopped that cold. Even with the correct password, the attacker would have needed the time-based code from the employee's phone.
Beyond the practical reality of breaches, 2FA is increasingly a compliance requirement. If your organization is pursuing SOC 2 Type II, auditors will specifically ask about multi-factor authentication on your ERP. PCI DSS requires it for any system handling cardholder data. Many cyber insurance policies now mandate 2FA as a condition of coverage. And if you work with enterprise clients, their vendor security questionnaires almost always ask whether MFA is enforced on your financial systems.
If you're running NetSuite without 2FA in 2026, you're leaving the door open.
NetSuite's Built-In 2FA Options
NetSuite supports two methods of two-factor authentication natively:
Authenticator App (TOTP) is the recommended approach. It uses a time-based one-time password generated by an app on the user's phone. The code changes every 30 seconds, and it works even without cell service or Wi-Fi since the generation is entirely offline.
SMS Verification sends a code via text message to the user's registered phone number. While this works, Oracle has been signaling that SMS-based 2FA is being phased out. SMS is inherently less secure due to SIM-swapping attacks, where an attacker convinces a carrier to transfer the victim's phone number to a new SIM card. We strongly recommend using the authenticator app method exclusively.
NetSuite does not currently support hardware security keys (like YubiKeys) natively, though you can achieve this through SSO providers that do support them, which we'll cover later.
Enabling 2FA at the Company Level
Before individual users can set up their authenticator apps, you need to enable the feature at the account level. Here's the path:
- Navigate to Setup > Company > Enable Features.
- Go to the SuiteCloud tab.
- Scroll to the Manage Authentication section.
- Check the box for Two-Factor Authentication.
- Click Save.
That's it for the feature flag. But enabling the feature alone doesn't force anyone to use it. It simply makes 2FA available. The enforcement piece happens at the role level, which is a step many administrators miss.
One important note: you need the Administrator role to enable this feature. If you're using a custom admin role, make sure it has the Set Up Company permission.
Setting Up the Authenticator App
Once the feature is enabled, each user needs to pair their authenticator app with their NetSuite account. The supported apps include:
- Google Authenticator (iOS/Android) - Simple, no-frills, works reliably.
- Microsoft Authenticator (iOS/Android) - Good choice if your organization already uses Microsoft 365.
- Authy (iOS/Android/Desktop) - Our recommendation for most companies. It supports encrypted cloud backups of your tokens, which makes device migration significantly easier.
The Setup Process
When a user whose role requires 2FA logs in for the first time (or when they opt into 2FA), NetSuite presents the authenticator enrollment flow:
- NetSuite displays a QR code on screen. This QR code encodes the account's secret key and the user's identity.
- Open your authenticator app and tap the option to add a new account (usually a "+" icon).
- Scan the QR code with your phone's camera through the authenticator app.
- The app immediately begins generating six-digit codes that change every 30 seconds.
- Enter the current code displayed in your authenticator app into NetSuite to confirm the pairing.
- NetSuite verifies the code and completes the enrollment.
Manual Entry Backup
If the QR code won't scan (cracked screen, camera issues, or using a desktop-only authenticator), NetSuite also provides a manual entry key. This is a long alphanumeric string that you type directly into your authenticator app instead of scanning.
Write this key down and store it securely. If you ever need to re-add the account to a new authenticator app without going through NetSuite's reset process, this key is your lifeline. We recommend storing it in your company's password manager (1Password, Bitwarden, etc.) alongside the user's NetSuite credentials.
Verifying the Setup
After enrollment, NetSuite will require the six-digit code on every login. The flow becomes:
- Enter your email and password as usual.
- NetSuite prompts for your verification code.
- Open your authenticator app, read the current code, and enter it.
- You're in.
The codes are time-sensitive. If a code is about to expire (most apps show a countdown), wait for the next one rather than rushing to type it. NetSuite does allow a small window of tolerance for clock drift, but entering an expired code will fail.
Enforcing 2FA for All Roles
Feature enablement is step one. Enforcement is step two, and it is where 2FA actually starts protecting you: a role that can still log in with only a password gains nothing from the feature being switched on.
Role-Level Enforcement
To require 2FA for a specific role:
- Navigate to Setup > Users/Roles > Manage Roles.
- Open the role you want to secure.
- Under the Authentication subtab, find the Two-Factor Authentication Required setting.
- Set it to Required.
- Save the role.
Repeat this for every role in your system. Yes, every one. We've seen organizations diligently enforce 2FA on their Administrator and Controller roles but leave Warehouse Clerk or Sales Rep unprotected. An attacker who gets into any role can often escalate from there, or at minimum access sensitive data.
Recommended Enforcement Strategy
Rather than flipping the switch on all roles simultaneously (which will lock out anyone who hasn't enrolled yet), we recommend a phased rollout:
Week 1: Enable 2FA for Administrator, Full Access, and any roles with financial permissions. These are your highest-risk users and typically the most technically capable.
Week 2: Extend to manager-level roles, anyone with approval authority, and roles that access customer or vendor data.
Week 3: Roll out to all remaining roles. By this point, the early adopters can help the less technical users through the process.
Communicate before each phase. Send an email with clear instructions, screenshots, and a deadline. Mention which authenticator app you recommend, and link to the app store download.
Recovery Options When Someone Loses Their Device
This is the support ticket you will get. Not if, when. Someone drops their phone in a lake, upgrades without transferring their authenticator, or their phone just dies. Suddenly they can't log into NetSuite.
Administrator Recovery
An administrator with the appropriate permissions can reset another user's 2FA enrollment:
- Navigate to Setup > Users/Roles > User Management > Access (or search for the employee record).
- Open the affected user's record.
- Under the Access tab, find the two-factor authentication section.
- Click Reset to clear their existing authenticator pairing.
- The next time the user logs in, they'll be prompted to enroll a new device.
Backup Verification Codes
During initial enrollment, NetSuite provides a set of backup verification codes. These are single-use codes that work in place of the authenticator app code. Each code can only be used once.
Train your users to save these codes immediately upon enrollment. Store them somewhere separate from the authenticator app, such as a printed sheet in a locked drawer, a password manager, or a secure note.
If an employee uses all their backup codes, an administrator can regenerate a new set from the user's access record.
The Locked-Out Administrator Problem
Here's a scenario that keeps NetSuite admins up at night: the sole administrator loses their phone, doesn't have backup codes, and can't log in to reset their own 2FA. Nobody else has admin access to perform the reset.
This requires contacting NetSuite Support directly. Oracle can perform an administrative 2FA reset, but they'll verify your identity thoroughly, and it may take 24-48 hours. During that time, your admin account is effectively locked.
Prevention: Always have at least two users with full Administrator access, and make sure they use different devices for their authenticator apps. Store backup codes for admin accounts in a company safe or secure vault.
SSO + 2FA Considerations
Many organizations use Single Sign-On (SSO) to centralize authentication through an identity provider like Okta, Azure AD (Entra ID), or OneLogin. If you're already running SSO, the 2FA picture changes.
SAML-Based SSO
When NetSuite is configured for SAML-based SSO, the authentication happens at the identity provider, not within NetSuite itself. This means:
- 2FA is enforced at the IdP level, not in NetSuite. Users authenticate through Okta (or whichever provider), and if Okta requires MFA, that's where the second factor is checked.
- NetSuite's built-in 2FA is bypassed for SSO logins. The trust chain goes: user authenticates with IdP (including MFA) -> IdP asserts identity to NetSuite via SAML -> NetSuite grants access.
- You should still enable NetSuite's 2FA as a safety net for any roles that can fall back to direct login (which includes the Administrator role for break-glass scenarios).
Okta Integration Specifically
Okta is the most common IdP we see paired with NetSuite. If you're using Okta:
- Configure MFA policies in Okta that require a second factor for the NetSuite application.
- Consider using Okta Verify (Okta's own authenticator app) for consistency.
- Okta supports hardware keys (YubiKey, FIDO2), giving you stronger 2FA options than NetSuite offers natively.
- Set up Okta's adaptive MFA policies to require step-up authentication for sensitive operations or unfamiliar locations.
The Hybrid Approach
We recommend enabling 2FA in both places, at the IdP and in NetSuite, for organizations that take security seriously. The IdP handles daily authentication with MFA. NetSuite's built-in 2FA serves as a fallback for the rare cases where someone needs to log in directly (admin troubleshooting, SSO outages).
Common Issues and Troubleshooting
Here are the issues that come up repeatedly after rolling out 2FA.
Time Sync Problems
TOTP (time-based one-time password) codes depend on the clock on the user's device being reasonably accurate. If the phone's clock is off by more than 30-60 seconds, the codes will be out of sync with NetSuite's server.
Fix: On the user's phone, enable automatic time sync. On iPhone, go to Settings > General > Date & Time > Set Automatically. On Android, go to Settings > System > Date & Time > Use network-provided time.
This is the number one cause of "my code isn't working" complaints. Before doing anything else, check the time.
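To make the clock-drift point concrete, the following is an added example (not NetSuite's code, and not taken from this article) that implements RFC 6238 TOTP the way an authenticator app does, including decoding a manual entry key, and then checks a submitted code against a server clock with a small tolerance window. The ±1-step window and the base32 format of the manual entry key are assumptions for illustration; NetSuite's exact tolerance is not documented here.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # the 30-second rotation the article describes


def manual_key_to_secret(manual_key: str) -> bytes:
    """Decode a manual entry key as shown by an authenticator (assumed base32).

    Apps typically display the key in spaced groups and accept lowercase,
    so normalise before decoding and restore any stripped '=' padding.
    """
    cleaned = manual_key.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """Generate the code for a given moment, exactly as the phone does offline.

    The counter is floor(time / 30); HMAC-SHA1 over that counter is
    dynamically truncated to a 31-bit integer, then reduced to `digits` digits.
    """
    counter = unix_time // STEP_SECONDS
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def verify(secret: bytes, submitted: str, server_time: int, window: int = 1) -> bool:
    """Server-side check allowing `window` steps of drift either side.

    With window=1 a phone clock up to roughly a minute off still succeeds;
    beyond that the code is rejected, which is the symptom users report.
    Constant-time comparison avoids leaking partial matches.
    """
    for delta in range(-window, window + 1):
        candidate = totp(secret, server_time + delta * STEP_SECONDS)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


# Constructed sample: the RFC 6238 reference secret "12345678901234567890" in base32.
SAMPLE_MANUAL_KEY = "GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ"
SAMPLE_SECRET = manual_key_to_secret(SAMPLE_MANUAL_KEY)

if __name__ == "__main__":
    server_now = 1111111109  # fixed instant so the output is reproducible
    print("phone 40s behind:", verify(SAMPLE_SECRET, totp(SAMPLE_SECRET, server_now - 40), server_now))
    print("phone 95s behind:", verify(SAMPLE_SECRET, totp(SAMPLE_SECRET, server_now - 95), server_now))
```

Run it to see the 40-second skew accepted and the 95-second skew rejected; if a user's code fails, this is why fixing the phone clock comes before resetting enrollment.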
Wrong QR Code or Account Mismatch
Users sometimes scan the QR code for the wrong NetSuite account (if they have access to sandbox and production) or accidentally re-scan during a browser refresh.
Fix: Delete the old entry in the authenticator app and re-scan. If the QR code is no longer available, have an admin reset the user's 2FA so they can go through enrollment again.
Authenticator App Shows No Accounts After Phone Update
Some authenticator apps (notably Google Authenticator before its 2023 cloud sync update) stored tokens only on the local device. A phone reset or migration would wipe them.
Fix: Use Authy or the latest version of Google Authenticator with cloud backup enabled. For users who already lost their tokens, an admin will need to reset their 2FA enrollment.
2FA Prompt Not Appearing
If you've enabled the feature and set the role to require 2FA but users aren't being prompted:
- Verify the feature is enabled under Setup > Company > Enable Features > SuiteCloud.
- Confirm the role's authentication settings actually show 2FA as required.
- Check that the user isn't logging in through SSO (which bypasses NetSuite's 2FA prompt).
- Clear the browser cache and cookies, then try again.
Integration and API Considerations
Token-based authentication (TBA) for integrations and API access is separate from 2FA. Your SuiteScript integrations, RESTlets, and web services connections use token credentials, not username/password. Enabling 2FA won't break your integrations, but 2FA only applies to interactive (browser-based) logins.
If you have integrations still using username/password authentication (the old SOAP login method), this is your sign to migrate them to TBA regardless of your 2FA rollout.
Making 2FA Stick: Change Management Tips
The technical setup is the easy part. Getting 150 employees to actually enroll and stop complaining is the hard part. A few tips from the field:
Set a hard deadline. "2FA will be required for your role starting March 1. If you haven't enrolled by then, you won't be able to log in." Nothing motivates like a deadline.
Provide a one-page instruction sheet with screenshots specific to the authenticator app you've chosen. Don't give people five options and let them figure it out. Pick one app, document it.
Hold a 15-minute drop-in session (in-person or Zoom) where people can set up their authenticator while someone walks them through it. You'll save hours of individual support tickets.
Enlist department managers. When the CFO says "do this by Friday," it carries more weight than when IT sends a mass email.
Sebastian Correa
Co-Founder & CCO
Co-founder and Chief Commercial Officer at BrokenRubik with 12+ years of experience in NetSuite consulting and e-commerce development. Specializes in helping businesses optimize their ERP operations and scale their online presence through strategic technology implementations.