How to Prepare for Salesforce Multi-Factor Authentication
To address security risks, Salesforce has implemented multi-factor authentication for users with access to a Salesforce org. Effective February 1, 2022, all users are contractually required to use multi-factor authentication (MFA) when accessing Salesforce products. Later this year, Salesforce will start enforcing MFA, making it a permanent part of your org’s login experience. We’ve created a straightforward guide so you can ensure your org is prepared for these changes and can benefit from increased data security.
Multi-factor authentication is a login method in which a user is granted access only after presenting two or more pieces of identity verification. A common example is being asked to enter a code that was texted to your mobile phone, along with your password when you log in to a platform. With data security threats constantly evolving, it’s important to be proactive in implementing strong security measures. Check out our recommendations below!
Why is multi-factor authentication necessary?
As cyber threats including phishing attacks, credential stuffing, and account takeovers continue to rise, platform access requiring only usernames and passwords is no longer sufficient. MFA offers an added layer of security at no extra cost. The principle behind MFA is that one piece of evidence (one factor) is something the user knows, like a password or PIN. The other factor is something the user has, like a smart card, authentication app, or security key. Using this method of two-layer protection makes it much harder for a bad actor to gain access to your Salesforce instance.
To fit the needs of individual organizations, Salesforce is offering different versions of MFA, including mobile apps and hardware devices. To help manage implementation, Salesforce is creating reports and dashboards for monitoring usage, and temporary verification codes that give users access if they’ve lost or forgotten their verification method.
What’s the timeline?
For each of your Salesforce products, you’ll receive notice before auto-enablement goes into effect, with a minimum of six months' notice before MFA is enforced.
“On a customer’s behalf, Salesforce turns on MFA for all users who log in directly to a Salesforce product’s UI. Users who weren’t previously using MFA are prompted to register for it the next time they log in and can’t proceed until they do so. Users who were already logging in with MFA aren’t affected. For some products, MFA will be auto-enabled several months prior to enforcement. During this time, admins can temporarily disable MFA if their users aren’t ready for it yet.” - Salesforce.com
For detailed timelines for each Salesforce product, please reference the enforcement roadmap table here.
What do I need to do?
Adding multi-factor authentication to your login process can be pretty painless. When logging in, the user will be prompted to enter their username and password, as usual, then they will be asked to provide a verification method. Any or all of the below methods are acceptable:
- Salesforce Authenticator App (a free, integrated option used on a mobile device)
- Third-party TOTP Authenticator App (there are many apps available including Google Authenticator, Microsoft Authenticator, or Authy)
- Single sign-on tools (some options include Bitwarden, Azure, and Okta)
- U2F-Compatible Security Key (this is a great option if users don’t have a mobile device or if cell phones aren’t allowed on the organization premises. Options include Yubico’s YubiKey and Google’s Titan Security Key)
- Built-In Authenticators (these verify a user’s identity using a device’s biometric reader, such as a fingerprint, iris, or facial recognition scanner. These include Windows Hello, Face ID, and Touch ID features on your device)
If you are your organization’s admin, we recommend following the steps below:
1. Prepare: determine which verification method will work best for your team or organization, then plan the rollout, implementation, and testing of your MFA system.
2. Roll Out: engage and prepare users for MFA requirements and distribute verification method(s).
3. Manage: collect feedback and ensure that users are using MFA.
Check out the MFA group on Trailhead to ask questions and troubleshoot MFA adoption.
Navigating changes in technology can be an overwhelming task. We hope this guide has provided some structure for your team. At Idealist Consulting, we offer various levels of Salesforce Managed Services to help your organization manage the constantly evolving Salesforce landscape and optimize your CRM. These services can range from on-call tech support to a consultant acting as an in-house admin. If you are interested in speaking with one of our consultants about these changes or would like to explore any service offered by Idealist Consulting, get in touch with us by clicking the button below!