# general
e
Thanks for the info @GeneralKenobi. Please keep me updated on what you find out. I am going through NS support now as well to see if they can assist me.
a
1. Get your list of integration users (Setup > User/Roles > Access Tokens). This list must contain one of the accounts causing the issue.
2. From that list, focus on any Administrator or Full Access roles.
3. Run a Login Audit Trail for those accounts. Group by email, role, application to see which are in use. Use a date filter (within previous 1 month) to lessen the results and speed up the search.
If Application is empty/null then it is using password based login. Specific identification will be a problem only if an actual employee record is also being used for integration (bad practice).
g
Thanks for the tip @Automatech. I did as you instructed above and all check out, no empty application IDs.
a
If you received the notification you can also contact support and ask for the specific list of users. This is probably the easiest method. Sorry that didn't help.
g
No worries, I have a case open already this morning.
e
@GeneralKenobi NS Support called me and we did a Zoom call. Here is the email they sent after:
We navigated to Setup > Users/Roles > Two-Factor Authentication > Two-Factor Authentication Roles (Administrator). For each role that NetSuite has marked as Mandatory 2FA Required (denoted by the check mark in the Mandatory 2FA column), we changed the value in the Two-Factor Authentication Required column from Not required to 2FA authentication required.
Listed below are some additional resources for you to review:
• Permissions Requiring Two-Factor Authentication (2FA), SuiteAnswers ID 70234
• Mandatory Two-Factor Authentication (2FA) for NetSuite Access, SuiteAnswers ID 76766
• Token-based Authentication, SuiteAnswers ID 41827
• OAuth 2.0, SuiteAnswers ID 91092
@Automatech
Essentially, just changed any roles that were "mandatory 2fa" to 2FA authentication required
k
Honestly, it sounds like NS support led you astray - that doesn't change the root of the problem.
e
Damnit.
k
Which is that you have a login that is hitting a 2FA required role with web services/restlet
So all you did was "expedite" how fast your login is going to fail
I guess you'll find out which logins aren't working when stuff breaks.
Which I suppose - kind of solves the problem of figuring out "what is going to break that isn't currently breaking"
a
actually, yes. You should be getting failures in the login audit trail quite quickly
e
Is there a way for me to try to determine which webservices/logins are using the 2FA incorrectly?
a
or as infrequent as the connection is (at worst probably daily)
e
I know we have Celigo integrations running every 15 mins
k
Well - if it fails in the next 15/20 minutes, you should be able to see it in the login audit trail...
a
you should actively watch, otherwise it will get locked out and it'll take a bit longer (30 minute wait time) for it to be functional again.
e
Yeah, I'm just refreshing the page every minute or so
a
probably not a bad idea to set up saved search notifications for failures anyway
e
So our Celigo Integrations both ran, and there were no failures
and not just "ran", but created record in NS with success.... I'm so confused
k
Then you have some other integration that triggered their search.
e
Is it possible that one of our integrations was connecting with login/password and then was updated to use Token, but the login/password method was just never removed?
a
Not sure that'd really be the issue. I've only seen the situation where Prod was updated to token and Sandbox left at password (resulting in lockouts b/c of shared email -- another thing to avoid).
it sounds like they are identifying it based on the fact that it is an integration. So that implies the offender is in your integration list. Given that, I'd expect the access token to exist. so at a minimum you can go into each integration individually to identify the ones that allow password based auth. Then find the access tokens for those integrations.
the access token is just saying "this user will use this application" -- i think it's still necessary for password based auth, but I can't remember 100%
you can also check with NetSuite to verify if that notification was for just Production or it included sandboxes. Maybe your prod is fine and it's just sandbox.
e
^^^ I'll look into that