Matt Scheer

Salesforce Multi-Factor Authentication


If you’ve noticed any recurring theme in Salesforce’s upcoming changes lately, it has definitely been the upcoming MFA enforcement, which is clearly why you’re here reading this. Well, you’ve come to the right place: this is your one-stop shop for all things MFA, what to expect, and what’s going to happen on February 2, 2022.


What is MFA?


The first questions usually asked are “What is MFA?” and sometimes “Aren’t we already doing that with verification emails?” The answer to the first question is rather direct: it simply means Multi-Factor Authentication. The accepted definition of MFA is:

An authentication method that requires the user to provide two or more verification factors to gain access to a resource such as an application, online account, or a VPN.


Oftentimes MFA is explained as something you know, like a password, combined with something you have, like a phone or access to an email address. This leads to the second question, about the existing 2FA (Two-Factor Authentication) that Salesforce uses: a code sent by text or email. Salesforce considers these current verifications insufficiently secure, because email and text messages are not inherently secure channels.


So what does the MFA flow look like?


This brings into the conversation something called an Authenticator App, which is something you’d run on your phone. An Authenticator is an app that you would leverage to prove you “have” your phone, and it would pair to a login process as illustrated below:





After logging into the Salesforce org, it tells you to confirm on your phone that you are authorized to log in. Once you tap approve on your phone, it drops you into Salesforce on whatever device you originally logged in on. It’s actually a pretty seamless process, and far less intrusive than I had thought it would be at first.


What’s really happening on February 2, 2022?


On February 2, 2022, Salesforce will begin requiring customers to enable MFA in order to access Salesforce products. This means that you need to set up MFA by that date to be in compliance with the Salesforce contracts and agreements.


So the next logical question is to ask who’s affected. Well, this will affect internal Salesforce users (including Chatter Only type users), but not Experience (Community) users. This should be a moment for you admins out there to breathe easier, as you don’t need to suddenly alert and change login processes for your entire customer user group, just your internal users. In addition, you don’t need to worry about API integration users or automated testing users; the requirement covers only users who log in directly to the UI, device activations, and SSO users.


Got it, so I need MFA in February, but what can I use to meet this need?


Well, you’ve got a number of options. If you’re already using something as an IdP and signing into Salesforce through SSO, then as long as that other system enforces MFA you’re fine: no worries, and you’re done.


If you’re not using SSO currently then you’ve got a few options. The simplest and most recommended would be to use the Salesforce Authenticator App. If you don’t wish to use that, you could also use a third-party Authenticator App such as Google Authenticator. The third common option would be to leverage the Lightning Login functionality of Salesforce, which counts as an MFA-based login.


So how do I enable MFA in my org?


The good news is that it’s a pretty direct process to enable MFA in a Salesforce org:


  1. Set up a Multi-Factor Authentication permission set.

  2. Permissions need to be provided to each end user in order to ensure compliance with the MFA requirements. This may be done with a new permission set or by updating the current permission set(s) assigned to each user in the Salesforce organization.

  3. The system permission “Multi-Factor Authentication for User Interface Logins” needs to be added to the current or new permission set.

  4. Assign the new or newly updated permission set to all internal users needing MFA.


That’s really all there is to it. Now when users who were added to the MFA permission set log in, it will give them instructions to set up an Authenticator App, which again we suggest should be Salesforce Authenticator.
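Step 4 is the one that gets tedious in a large org. The following anonymous Apex is an added example (not code from the post or from Salesforce) that bulk-assigns the permission set to every active internal user who does not already have it, skipping Experience users and the integration/test profiles the post says are out of scope. The permission set API name `MFA_UI_Logins` and the profile names in `excludedProfiles` are placeholders you would replace with your org’s own; the permission set is assumed to already carry the “Multi-Factor Authentication for User Interface Logins” system permission from step 3.

```apex
// Added example: idempotent bulk assignment of the MFA permission set.
// 'MFA_UI_Logins' is a placeholder API name for the set created in steps 1-3.
PermissionSet mfaPs = [
    SELECT Id FROM PermissionSet WHERE Name = 'MFA_UI_Logins' LIMIT 1
];

// Collect users who already hold the set so re-running this is harmless.
Set<Id> alreadyAssigned = new Set<Id>();
for (PermissionSetAssignment psa : [
    SELECT AssigneeId FROM PermissionSetAssignment
    WHERE PermissionSetId = :mfaPs.Id
]) {
    alreadyAssigned.add(psa.AssigneeId);
}

// Profiles used only by API integrations or automated testing are out of
// scope per the post. These names are placeholders for your org's profiles.
Set<String> excludedProfiles = new Set<String>{
    'Integration User', 'Automated Test User'
};

// UserType 'Standard' is a full internal licence and 'CsnOnly' is Chatter
// Only; Experience (Community) user types are deliberately not listed.
List<PermissionSetAssignment> toInsert = new List<PermissionSetAssignment>();
for (User u : [
    SELECT Id, Username, Profile.Name FROM User
    WHERE IsActive = true AND UserType IN ('Standard', 'CsnOnly')
]) {
    if (alreadyAssigned.contains(u.Id)
            || excludedProfiles.contains(u.Profile.Name)) {
        continue;
    }
    toInsert.add(new PermissionSetAssignment(
        AssigneeId = u.Id, PermissionSetId = mfaPs.Id
    ));
}

// allOrNone = false: one user whose licence cannot take the set does not
// roll back the whole batch. Failures are logged so an admin can follow up.
Database.SaveResult[] results = Database.insert(toInsert, false);
Integer failed = 0;
for (Integer i = 0; i < results.size(); i++) {
    if (!results[i].isSuccess()) {
        failed++;
        System.debug(LoggingLevel.WARN, 'Could not assign MFA set to '
            + toInsert[i].AssigneeId + ': '
            + results[i].getErrors()[0].getMessage());
    }
}
System.debug('Attempted ' + toInsert.size() + ' assignments, '
    + failed + ' failed.');
```

Run it once from Execute Anonymous, then re-run it after onboarding new users; users already holding the set are skipped, so nothing is duplicated.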


Going on from here…


So once all that is set up, the end result is (if you used the Salesforce Authenticator) each of your users is going to need to tap something on their phone before Salesforce lets them log in. Rather simple and a great way to ensure a little more security is applied to your Org without hugely frustrating your users.

