MFA or Multi-Factor Authentication is a way of authenticating your organisation’s log in to Salesforce. As you may have noticed on a lot of your everyday digital accounts, MFA is becoming common practice to ensure that employees and customers are protected from threats such as identity theft, phishing attacks and account takeovers.

MFA is different from Single Sign On (SSO), which relies on your company’s local authentication method rather than Salesforce’s login process. MFA adds an extra layer of security by requesting users to enter two or more verification methods to prove their identity during the login.

Beginning February 1, 2022, all Salesforce customers will be contractually required to use MFA in order to access Salesforce products. To help customers meet the requirement, Salesforce will begin automatically enabling MFA for users who log in directly to Salesforce products, however your System Administrator will still have the option to disable MFA if their users aren’t ready yet, up until the requirement deadline.

After the requirement deadline, Salesforce will gradually start enforcing MFA by making it a permanent part of the direct login process and removing controls for admins to disable it. Auto-enablement and enforcement dates will vary by product. To see the dates/deadlines referring to your product/s CLICK HERE.

How does it work?

Once MFA is enabled, users will be required to enter two or more pieces of evidence to ensure they are who they say they are when they login.

1. Users will need to login using their username and password.
2. Users will then be prompted with a verification method the user has in their possession, such as an authenticator app or security key. Salesforce does offer an authentication app but there are many options available. The app would be installed on the user’s phone while the security key is an actual physical key (a USB key, for example) that is linked to the user’s computer.

Email, SMS text messages and phone calls will not be allowed to be used as MFA verification methods because email credentials are more easily compromised, and text messages and phone calls can be intercepted.

What is the Difference between Passwords, MFA and SSO?

Passwords
Passwords have been the main tool or verification used throughout the years, however this method of verification can be highly vulnerable. Passwords usually consist of a combination of words, numbers and special characters but it does rely on the individual person to choose their own, and more often than not the chosen password will be something safe and familiar (so they can easily remember them).

Single Sign-on (SSO)
SSO means that you only need one set of credentials to access a range of apps or websites where you are assumed to be the user. Facebook, Google, and Microsoft are common SSO providers. SSO does not satisfy MFA requirements on its own.

MFA would still be required to access a Salesforce product’s user interface, whether by logging in directly or via SSO. If your Salesforce instance is integrated with SSO, you need to enable MFA to all users as well.

MFA
MFA is a set of credentials, but with a much deeper verification. This feature will stop anybody from logging into a website, system or app if the organisation is not verified. Users will be required to enter two or more pieces of evidence to ensure they are who they say they are when they login.

Customer and Partner Communities (Experience Cloud)

External users that use Community, External Identity or Employee Community licenses are not required to have MFA enabled.

Mobile and Desktop Apps

All Salesforce mobile and desktop apps that are accessed through user interface logins would need to use MFA.
This includes Salesforce Mobile App, the Marketing Cloud mobile app, SalesforceA, Salesforce Inbox, Quip, and integrations with Gmail™ and Outlook®.

Social Studio

Enabling MFA and user registration for Social Studio would follow the same process as your regular Salesforce login.
Depending on the MFA setup, users are either required to register a method the next time you log in, or you can defer registration until you’re ready for MFA. If you skip MFA, Social Studio reminds you every two weeks until you opt in to using it. When MFA is enabled, you must provide a verification method each time you log in to Marketing Cloud’s Social products using your username and password combination.

Sandbox Environments

The MFA requirement applies to all customer sandbox environments, including Full, Partial, Developer, and Developer Pro sandboxes.
Once a sandbox is created or refreshed, all MFA for user interface logins user permission assignments are copied over from your production org. However, none of the MFA verification methods that a user has registered for your production org are copied to your sandbox. All MFA-enabled users must register an MFA method the first time they log in to a new sandbox.

Previous registered connection is invalidated each time the sandbox is refreshed and this connection will not be deleted automatically from Salesforce Authenticator. Users would need to delete the connection every time the instance has been refreshed.

API / Integration Users

MFA is not required for API/Integration Logins. However, if you require MFA for API access, you’ll need to enable the Multi-Factor Authentication for API Logins permission. With this permission enabled, users are required to complete a second authentication challenge to access Salesforce APIs.

Setting up Multi-factor Authentication

Enabling MFA for users

Tip! Before enabling MFA, you need to distribute the verification methods first so that users can get a head start with the registration.

1. To enable MFA, you can ask your admin to follow the instructions and set multi-factor authentication login requirements.
   • MFA for user interface logins can be assigned via custom profiles or using a permission set.
2. If you’re using security keys, enable this option for your org.

Steps for users to register using the Salesforce Authenticator App

Download and install the Salesforce Authenticator app from the Apple Store or Google Play on your mobile device.

• Note: you can also use any time-based one-time passcode (TOTP) authenticator app, like Google Authenticator™, Microsoft Authenticator™, or Authy™ or built-in authenticators, such as Touch ID®, Face ID®, or Windows Hello™Enter a username and password on your Salesforce product’s login screen.

1. For products built on the Salesforce Platform, the Salesforce Authenticator screen displays by default. For B2C Commerce Cloud OR Marketing Cloud⎯Email, Mobile, and Journeys, select Salesforce Authenticator from the list of verification methods.
2. Open Salesforce Authenticator and tap Add an Account. The app displays a two-word phrase.
3. On the Connect Salesforce Authenticator screen, enter the phrase in the Two-Word phrase field, then click Connect.
4. In Salesforce Authenticator, verify that the request details are correct, then tap Connect.
   

Steps for users to login to Salesforce using the Salesforce Authenticator

1. On your Salesforce product’s login screen, enter a username and password, as usual.
2. On the mobile device, respond to the push notification to open Salesforce Authenticator.
3. In Salesforce Authenticator, verify that the request details are correct, then tap Approve to finish logging in to Salesforce.

Suggested Transition Strategy

1. Identify which users will be required to use MFA.
2. Decide if MFA roll out would include all users or introduce MFA in a phased approach.
3. Communicate the change and provide promotional materials.
4. Train users on how to register and use verification methods to log in with MFA.
5. Provide materials that could help troubleshoot if there are any issues
6. Update onboarding procedures to add MFA registration for new hires.

Author’s Note January 2022:

Pre-release notes for Spring ‘22 are now available and highlight two features that specifically impact your MFA roll-outs.
You will find information relating to Multi-Factor Authentication for Logins to Subscriber Orgs in the release notes. For general FAQs on MFA roll-outs you can click HERE

For additional information concerning Admins using “Login As” check out the release notes.

LOGINS TO SUBSCRIBER ORGS Release Notes HERE

LOGIN AS Release Notes HERE