NetSuite 2FA and Stampli TBA

As of April 8, 2019, NetSuite now requires all customers using Admin and other highly privileged roles to use two-factor authentication (2FA). When NetSuite launched 2018.1 and 2018.2 releases, some customers were exempted from 2FA but as of April 8th, this exemption was lifted. If you have not yet done so, you should switch to token-based authentication (TBA) if your Stampli account is integrated with NetSuite.

NetSuite Two-factor Authentication (2FA)

If your Stampli integration is using a NetSuite account that will require 2FA, you need to switch to token-based authentication (TBA). Even if you are using a role that does not require 2FA, NetSuite recommends that all integrations use the more secure TBA. View NetSuite 2019.1 Release Notes or NetSuite’s Authentication Guide for details on NetSuite’s 2FA requirement.

Why Is Token-Based Authentication Needed?

NetSuite and many other applications are enforcing two-factor authentication (2FA) to prevent unauthorized access to user accounts. This means that if a third-party application, such as Stampli, is using an application programming interface (API) to connect to a NetSuite account that requires 2FA, the API has no way to know the mandatory verification code sent by NetSuite. Instead, token-based authentication (TBA) can be used for Stampli and other non-UI, API access to NetSuite.

What is Token-Based Authentication?

Stack Overflow defines TBA as “a security technique that authenticates the users who attempt to log in to a server, a network, or some other secure system, using a security token provided by the server. … The service validates the security token and processes the user request”.

What does this mean? In a hotel, you verify your identity at the registration desk by showing your driver’s license. The receptionist will then program a key card to give you access to your room, pool, gym, and other restricted areas of the hotel. Once the key is issued, the hotel will not ask for your driver’s license again.

Similarly, after you log into NetSuite as an authorized user, you generate a token that is used by Stampli to get access to your NetSuite account information, such as GL codes and vendor information. The token is a specific sequence of characters, such as “2rWErv83sVBXsdbhr308S9gcbjt21egbXV”. Once the token is generated, you will not need to provide your NetSuite account user name or password again.

Why Token-Based Authentication?

TBA is the preferred and more secure authentication method for connecting Stampli with NetSuite for these reasons:

• Secure: Tokens are auto-generated with long strings (32 characters or more) that are far more secure than user-defined passwords that need to be easily recalled by the user, such as “Password123”. Additionally, end user credentials are never exposed since tokens are used.
• Non-expiring: Passwords typically expire after a certain number of days, including NetSuite passwords. If your integration relies on username and password, you need to remember to update the username and password within your integration when they change. With non-expiring tokens, your integration will not fail because of expired authentication.
• Revocable: A token can easily be cancelled or revoked, and a new one generated if the token is exposed to the wrong parties or if someone who had access to the token leaves the company. This is similar to a hotel key in that if someone steals your key, the receptionist can create a new key and invalidate the old one.
• Traceable: If you integrate Stampli and other applications with NetSuite, a separate token is generated for each connected application so that it is easy to track unauthorized connections and revoke access based on a specific application.

For detailed instructions on switching your Stampli’s connection with NetSuite from Basic Authentication to TBA, view this article.