Netsuite: 2FA breaking your integrations?

As of April 8th 2019, you may be greeted with the following Netsuite 2FA notification:

Reminder: Mandatory 2FA Exemption for Production Accounts Ends April 8, 2019

You are receiving this notification to remind you that the end of the exemption from mandatory 2FA for integrations in your production account is targeted for April 8, 2019.

What to Expect with this Change

After the exemption ends, we will enforce mandatory 2FA for integrations that use highly privileged roles and user credentials for authentication for access to NetSuite production accounts. Integrations that use highly privileged roles and are still employing user credentials for API authentication to your production account will fail after the exemption ends.

Highly privileged roles include the Administrator role and the other roles documented in Permissions Requiring Two-Factor Authentication (2FA), SuiteAnswers ID 70234.

Recommended Actions
Ensure that your integrations are ready.

For more information on the kinds of updates needed, review the following help topics:

• Mandatory Two-Factor Authentication (2FA) for NetSuite Access, SuiteAnswers ID: 76766.
• In that topic, the questions and answers in the FAQ: Updates for Mandatory 2FA section can be very helpful.

• If you use the Issue Token endpoint, see also Mandatory 2FA, the Issue Token Endpoint, and nlauth_otp, SuiteAnswers ID 81501.

• Designate Two-Factor Authentication Roles, SuiteAnswers ID 9883.

If you have more questions, please contact Customer Support.

Thank you,
The NetSuite Team

The essence of this is that if you were running any integrations (SOAP, RESTlets, anything calling from outside!) that had elevated privileges (SOAP integrations using roleid = 3 anyone???) will now fail due to the new 2-Factor Authentication regime in play.

This doesn’t need to be a big job to fix; IF your integration doesn’t absolutely need admin privs to do its job.

We are reworking some of our customers (past, present and new!) Netsuite integrations based on finding out what they do , defining a proper role for this integration that can be configured to stay below the 2FA radar by using the time-honoured and best-practice principle of assigning the minimum privs that a script actually requires to function… and yes that means “thinking about it” rather than “just put it through as admin and we’ll downgrade it later” because later never comes.

Well, like Winter, I’m afraid 2FA has come.

If you need help with resolving this, please get in touch using the contact us details in the footer!