Online security has always been under threat, and unfortunately there are people who feed on this, so the risks keep evolving. Salesforce has many layers of security; one of these is multi-factor authentication (MFA).
MFA is a new feature of Salesforce that effectively increases the protection of user accounts against security threats such as phishing attacks, credential stuffing, and account takeovers. It adds an extra layer of security to the login process for both employees and customers by requiring users to present two or more verification methods to prove their identity. It also mitigates the ripple effect of compromised credentials: a bad actor may steal your username and password, but if they are prompted for another factor before they can access critical data, make a transaction or log into your laptop, they will be sunk.
MFA is different from Single Sign On (SSO), which relies on your company's local authentication method rather than Salesforce's to log in. MFA is a layer that can be added to Salesforce and/or your company's SSO provider to add an extra level of security.
How does it work?
Once MFA is enabled, users are required to present two or more pieces of evidence that they are who they say they are when they log in.
- Users first log in using their username and password.
- Users are then prompted for a verification method they have in their possession, such as an authenticator app or a security key. The authenticator app is installed on the user's phone, while a security key is a physical device.
Email, SMS text messages and phone calls are not allowed as MFA verification methods, because email credentials are more easily compromised and text messages and phone calls can be intercepted.
What is the Difference between Passwords, MFA and SSO?
Passwords have been the main verification tool used throughout the years. Hypothetically, only you should know your password; however, this method of verification can be highly vulnerable. Passwords usually consist of a combination of words, numbers and special characters, but the choice relies on the individual person, and more often than not the chosen password is something safe and familiar so that it is easy to remember. Passwords that are not that strong (just names, words or numbers without any special combinations) are easy targets for hackers.
Single Sign-on (SSO)
SSO means that you only need one set of credentials to access a range of apps or websites; that single set of credentials vouches for your identity across all of them. Facebook, Google, and Microsoft are common SSO providers.
SSO does not satisfy MFA requirements on its own. MFA is still required for all users who access a Salesforce product's user interface, whether by logging in directly or via SSO. If your Salesforce instance is integrated with SSO, you need to enable MFA for all users as well.
MFA is a set of credentials, but with a much deeper verification. This feature stops anybody from logging into a website, system or app unless the additional verification succeeds. Users are required to present two or more pieces of evidence that they are who they say they are when they log in.
Customer and Partner Communities (Experience Cloud)
External users that use Community, External Identity or Employee Community licenses are not required to have MFA enabled.
Subsequent app usage is often handled by token exchanges via API calls, without requiring a new login.
Mobile and Desktop Apps
All Salesforce mobile and desktop apps that are accessed through user interface logins need to use MFA.
This includes Salesforce Mobile App, the Marketing Cloud mobile app, SalesforceA, Salesforce Inbox, Quip, and integrations with Gmail™ and Outlook®.
Enabling MFA and user registration for Social Studio would follow the same process as your regular Salesforce login.
Depending on the MFA setup, users are either required to register a method the next time they log in, or they can defer registration until they are ready for MFA. If a user skips MFA, Social Studio reminds them every two weeks until they opt in to using it. When MFA is enabled, users must provide a verification method each time they log in to Marketing Cloud's Social products using their username and password combination.
The MFA requirement applies to all customer sandbox environments, including Full, Partial, Developer, and Developer Pro sandboxes.
Once a sandbox is created or refreshed, all assignments of the MFA for User Interface Logins user permission are copied over from your production org. However, none of the MFA verification methods that a user has registered for your production org are copied to the sandbox. All MFA-enabled users must register an MFA method the first time they log in to a new sandbox.
The previously registered connection is invalidated each time the sandbox is refreshed, but it is not deleted automatically from Salesforce Authenticator. Users need to delete the stale connection every time the instance has been refreshed.
API / Integration Users
MFA is not required for API/integration logins. However, if you want to require MFA for API access, you need to enable the Multi-Factor Authentication for API Logins permission. With this permission enabled, users are required to complete a second authentication challenge before they can access Salesforce APIs.
Setting up Multi-factor Authentication
Enabling MFA for users
Tip! Before enabling MFA, distribute the verification methods first so that users can get a head start on registration.
- To enable MFA, you can ask your admin to follow the instructions and set multi-factor authentication login requirements.
- MFA for user interface logins can be assigned via custom profiles or using a permission set.
- If you’re using security keys, enable this option for your org.
Steps for users to register using the Salesforce Authenticator App
- Download and install the Salesforce Authenticator app from the Apple Store or Google Play on your mobile device.
- Note: you can also use any time-based one-time passcode (TOTP) authenticator app, such as Google Authenticator™, Microsoft Authenticator™ or Authy™, or a built-in authenticator such as Touch ID®, Face ID® or Windows Hello™.
- Enter a username and password on your Salesforce product’s login screen.
- For products built on the Salesforce Platform, the Salesforce Authenticator screen displays by default. For B2C Commerce Cloud or Marketing Cloud (Email, Mobile, and Journeys), select Salesforce Authenticator from the list of verification methods.
- Open Salesforce Authenticator and tap Add an Account. The app displays a two-word phrase.
- On the Connect Salesforce Authenticator screen, enter the phrase in the Two-Word phrase field, then click Connect.
- In Salesforce Authenticator, verify that the request details are correct, then tap Connect.
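To make concrete what the "second piece of evidence" in the How does it work? section actually is when a TOTP app from the note above is used, here is an added example (not Salesforce code, and not the Salesforce Authenticator push flow) implementing RFC 4226 HOTP and RFC 6238 TOTP in plain Python with a server-side verifier. The verifier tolerates one 30-second step of clock drift and refuses to accept a code from a time window that has already been consumed, which is the replay check a service must do if the second factor is to mean anything. The shared secret is the published RFC test secret, chosen only so the codes can be checked against the RFC test vectors; a real enrolment generates a fresh random secret per user.

```python
"""RFC 4226 HOTP / RFC 6238 TOTP with a replay-safe verifier (added example)."""
import base64
import hashlib
import hmac
import struct
import time

# ASCII "12345678901234567890": the reference secret from RFC 4226 / RFC 6238,
# used here so the outputs match the published test vectors. Never reuse it.
RFC_TEST_SECRET = b"12345678901234567890"
TIME_STEP = 30   # seconds per TOTP window
DIGITS = 6       # length of the displayed code


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP: HMAC-SHA1 over the big-endian 64-bit counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # low nibble picks 4 bytes
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """TOTP: HOTP where the counter is the number of whole time steps elapsed."""
    return hotp(secret, unix_time // step, digits)


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps are usually enrolled with the secret as unpadded base32."""
    cleaned = encoded.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


class TotpVerifier:
    """Server side: accept a code once, allow +/- `window` steps of clock drift."""

    def __init__(self, secret: bytes, window: int = 1, step: int = TIME_STEP):
        self.secret = secret
        self.window = window
        self.step = step
        self.last_counter = -1   # highest time window already consumed

    def verify(self, code: str, unix_time: int) -> bool:
        counter = unix_time // self.step
        for drift in range(-self.window, self.window + 1):
            candidate = counter + drift
            if candidate <= self.last_counter:
                continue   # replay, or older than an already-used code: reject
            # constant-time comparison so timing does not leak matching digits
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_counter = candidate
                return True
        return False


if __name__ == "__main__":
    now = int(time.time())
    verifier = TotpVerifier(RFC_TEST_SECRET)
    code = totp(RFC_TEST_SECRET, now)          # what the app would display
    print("first use  :", verifier.verify(code, now))   # True
    print("replayed   :", verifier.verify(code, now))   # False, same window
```

The `window` of one step is the usual compromise between rejecting users whose phone clock is a few seconds off and keeping the acceptance set small; widening it makes both guessing and replay easier, so it should stay small and the failed-attempt rate should be limited independently of this check.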
Steps for users to log in to Salesforce using the Salesforce Authenticator
- On your Salesforce product’s login screen, enter a username and password, as usual.
- On the mobile device, respond to the push notification to open Salesforce Authenticator.
- In Salesforce Authenticator, verify that the request details are correct, then tap Approve to finish logging in to Salesforce.
Suggested Transition Strategy
- Identify which users will be required to use MFA.
- Decide whether the MFA rollout will cover all users at once or introduce MFA in a phased approach.
- Communicate the change and provide promotional materials.
- Train users on how to register and use verification methods to log in with MFA.
- Provide materials that help users troubleshoot if there are any issues.
- Update onboarding procedures to add MFA registration for new hires.