Co-Authored By Mary Pascual
In a world where most of what we do is now in an online environment, A Username and Password is no longer enough security to protect online data. Many log-ins can be compromised in a matter of minutes, making it easy for cyber criminals to obtain access to your data. Two-factor (2FA) or multi-factor authentication is an additional level of security for a variety of websites that require the user to log in by providing a Username and Password.
To protect against unauthorized log-ins to your NetSuite account, NetSuite is rolling out this additional layer of security in its 2019.1 release. This extra layer of security requires a passcode to be entered that is randomly generated. 2FA requires a Passcode to be entered to validate that you are who you say you are. Not only do you need to enter your username and password, but you also must enter the 2-step authentication code.
While 2FA is available now, thanks to the 2018.2 release. It will become mandatory to all non-UI access administrators, Full Access, and highly privileged roles.
NOTE: 2FA is a mandatory feature and cannot be disabled.
Under certain circumstances, access could fail. This is primarily caused by an integration being utilized that does not have the ability to enter the Passcode that is randomly generated.
Examples of roles that has a privilege that requires 2FA:
- Full Access
If you are using one of these roles for your integration, it is recommended that you create a custom role that is only used for the various integrations you currently use or are planning to use.
“Non-UI access” means that a computer program, integration, or script is talking to another computer with zero human interaction or prompting. Two or more computers talk to each other utilizing an API. There is no User Interface for to complete the transfer of data.
These computer-to-computer communications (i.e., web services or RESTlets) use User credentials, username and password rather than tokens for authentication (token-based authentication, or TBA). Passwords expire, but tokens do not, which makes tokens better than passwords for computer-to-computer communications.
NOTE: There would be NO IMPACT to Suitelets/Scheduled Scripts which are set to have Administrator/Full Access on the “Execute As Role” field.
When a customer creates a web service (an integration), there is a role associated with that integration. Sometimes the task requires a highly privileged role, sometimes it does not. The principle of “least-privilege” means using a role with the lowest possible privilege that will complete the task.
NOTE: It is not recommended to use Administrator or other highly privileged roles unless necessary.
Highly privilege roles refer to the roles that have one of the following permissions assigned to it:
- Access Token Management
- Two-Factor Authentication Base
- Integration Application
- Device ID Management
- Setup SAML Single Sign-on
- Setup OPENID Single Sign-on
To determine if you have web service integrations that will be affected, you can use this saved search:
NOTE: Add permissions mentioned above if existing in your account.
For RESTlets, on the NLAuth Header, there is parameter wherein you must specify the nlauth_role. This is the part wherein you must modify the value if you will be changing the Role ID.
To fix the issue, you have two alternatives (separate recommendations):
- Change your integrations so that they do not use highly privileged roles, following the best practice “principle of least privilege”. Avoid using the Administrator, Full Access, or any of the other highly privileged roles.
- If an integration must use a highly privileged role, change the authentication method from user credentials to token-based authentication (TBA).
It is possible that you might not be able to modify your integration, for example, if your integration was provided by a partner. If this is the case, contact the partner who provided the integration, and request that they make the appropriate changes.
Here at AppWrap, we have created a free bundle to assist you in identifying the integrations that need to be fixed, and the RESTlets that may be affected by 2FA. Simply go to Customization > SuiteBundler > Search & Install Bundles. Enter AppWrap | 2FA Search and install the bundle. Then go to Saved Searches and open the following two searches to see what needs to be fixed:
- AppWrap | Integration with Admin / Full Access Role
- AppWrap | Restlet search
For more information about the mandatory 2FA requirement for highly privileged roles and permissions, see the 2018.1 release note Two-Factor Authentication (2FA) Required for Administrator Role in the NetSuite Help Center, also available in SuiteAnswers ID 31695. See also Two-factor Authentication, SuiteAnswers ID 9889, and Token-based Authentication, SuiteAnswers ID 41827.
You can also contact us by using the Contact Form below.