What to Consider when Securing Salesforce with Multi-Factor Authentication

Securing your Salesforce Org

Ensuring your Salesforce org is secure and keeping up with the ever-evolving security landscape can be a challenging balancing act. To protect customer data, Salesforce recommends setting up Multi-Factor Authentication, MFA for short, for all users logging into Salesforce through the user interface.

Forward-looking statement: Salesforce will begin requiring customers to enable MFA beginning February 1, 2022 in order to access Salesforce products. 

The good news is that MFA is available at no extra cost and Salesforce offers several options for verification. Let’s dive in and learn more about it.

What is Multi-Factor Authentication (MFA)?

Multi-Factor Authentication (MFA) is an authentication method that requires users to present two or more pieces of evidence-or factors-in order to log in.

Previously, Salesforce would speak of 2FA (Two-Factor Authentication), but now we’re focused on MFA (Multi-Factor Authentication). The difference being that MFA provides functionality supporting two or more factors, whereas 2FA supports two factors only.

What is the benefit of using MFA?

MFA is an effective and easy way to increase protection for user accounts against common threats like phishing attacks, credential stuffing, and account takeovers. By requiring multiple factors to authenticate upon login, a Salesforce Administrator can ensure a more secure org and protect their business and data against security threats.

What are Factor Types?

Factors refer to the ways that you can authenticate yourself in order to login. These factors can consist of

• Something you know: username and password
• Something you have: a physical object such as a security token (USB) or key
• Something you are: physical characteristic of the user (biometrics); includes fingerprint, iris scan, voice
• Somewhere you are: connected to a specific network or GPS location

Security Partnership

Trust is the #1 priority at Salesforce, which is why Salesforce is promoting a security measure such as multi-factor authentication. However, the responsibility to focus on security does not solely rest on Salesforce’s shoulders. Customers have a responsibility to adopt security, monitor activity, protect data, and stay up-to-date with security updates. Internet Creations, as your trusted Salesforce Partner, is here to assist you with the implementation of new security features and provide consultation on best practices.

What MFA Verification Methods does Salesforce currently support?

Salesforce currently supports three groups of verification methods for MFA:

• Salesforce Authenticator mobile app
• Third-Party authenticator apps
  • Google Authenticator
  • Microsoft Authenticator
  • Authy
• Security keys
  • Yubico’s YubiKey
  • Google’s Titan Security Key

Wait, what about SMS, email, or phone?

Email, SMS text messages, and phone calls aren’t allowed as MFA verification methods because email credentials are more easily compromised, and text messages and phone calls can be intercepted.

Important: While MFA will not be mandated in Salesforce Communities, if you do implement MFA in communities, SMS is an option for verification.

What is Salesforce’s plan?

• Renamed all references to two-factor authentication to multi-factor authentication in permissions and documentation
• Require MFA starting in February 2022 (forward-looking statement; we’ve seen dates shift)
  • Note: Salesforce issued a correction on February 8th, 2021 stating that “MFA is required, not just recommended, for internal users who access Salesforce products via SSO.”
• In February 2021, Salesforce started communicating notice of this upcoming mandate for all clouds and products
• Not ALL Salesforce products currently support MFA or are consistent in their implementation (Salesforce is working on bringing parity)
• Introduced Multi-Factor Authentication Assistant in Setup

How is this different than when I log in on a different browser?

There are two types of identity verification in Salesforce, service-based and policy-based security. Whenever we log into Salesforce from a different browser or from a new computer, we must provide verification of our identity. This is called service-based identity verification, which is available out-of-the-box. Now, with MFA, you can add a new layer of security on top of it with policy-based identity verification.

• Service-based (device activation)
  • Auto enabled for all orgs
  • User must provide verification from unrecognized browser or application
  • Not considered as part of MFA (insecure)
• Policy-based (MFA)
  • Admin enabled
  • Multi-factor

What should you keep in mind with MFA?

Here are several things to keep in mind when rolling out MFA.

What are the System Permissions related to MFA for user interface logins?

• Multi-Factor Authentication for User Interface Logins
  • Require users to provide an additional verification method in addition to their username and password when logging in to Salesforce orgs.
• Manage Multi-Factor Authentication in User Interface
  • Use tools in the user interface to manage and provide user support for multi-factor authentication.

What about MFA for API logins?

• API logins are not currently part of Salesforce’s mandate to use MFA.

What happens if a user loses or forgets their device?

• Admins can generate temporary verification code that can be set to expire 1 – 24 hours by adding the Temporary Code field to a User list view and clicking “Generate.”

Can Salesforce Authenticator auto-approve logins?

• Salesforce Authenticator can automatically verify identities based on geographic location (phone’s geolocation) or trusted IP addresses.

Implementation and Activation Steps

The following steps need to be taken in order for MFA to be implemented and activated.

1. The Salesforce Admin assigns the permission set with the “Multi-Factor Authentication for User Interface Logins” system permission enabled to users who should be required to use MFA.
2. The Salesforce User chooses their MFA Verification Method and connects it when logging in.
3. The Salesforce User verifies login through their verification method.

Rollout Plan

It is critical to have a user rollout plan. While the steps to enable MFA are fairly straightforward, it is important to still do the necessary prep work and communication to ensure a seamless rollout. As a resource, we highly recommend using the Multi-Factor Authentication Assistant in Salesforce Setup to walk through the steps to get ready, roll out, and manage MFA.

1. Formulate a robust project plan for your MFA rollout and work with your stakeholders to gather and evaluate requirements. Create internal processes for how to offer support with MFA-related issues in the future.
2. Communicate the change to MFA early and often to your users so that they are prepared. Using MFA can be disruptive if they are not prepared. Give your users specific steps to follow on how to prepare.
3. Salesforce Admin creates a permission set with the system permission “Multi-Factor Authentication for User Interface Logins.” 
   1. Note: The use of permission sets allows you to roll out MFA to individuals or groups of users in phases.
4. IMPORTANT: Test MFA in a sandbox environment before rolling it out in production. Make sure to use a Test User so you don’t accidentally lock yourself out of the environment. 
   1. Note: In addition to enabling MFA in production, Salesforce recommends enabling MFA in any sandbox environment that includes production data. If the sandbox has sample data, masked data, or no data, MFA is not necessary.
5. Launch a pilot in production with a smaller user group to test MFA.
6. The Salesforce Admin continues to monitor any changes to MFA in future Salesforce releases.

How can Internet Creations help?

As a Salesforce Partner with a deep knowledge of the platform, we are well-equipped to help you and your organization implement Multi-Factor Authentication and ensure you are following the Salesforce security best practices.

Reach out to us at Internet Creations here.

Learn More!

Take advantage of the Salesforce content below to learn more about MFA.

Get More Information About MFA 

• Admin Guide to Multi-Factor Authentication
• Salesforce MFA FAQ
• Introduction to Salesforce Authenticator (video)
• Secure Account Access With MFA (webinar) 

See More Details About Implementing MFA 

• Launch Multi-Factor Authentication (video) 
• How to Roll Out Multi-Factor Authentication (help) 
• Multi-Factor Authentication (help) 

Learn About MFA Using Trailhead 

• User Authentication
• Identity Basics 
• Security Basics 

Get More Information on Security

• Security Health Check 
• Salesforce Shield 
• Salesforce Security Guide
• Security — Salesforce Trust Site 

Join the MFA discussion in the MFA – Getting Started Trailblazer Community!