The RunDown on MFA in Salesforce

Login changes coming February 1, 2022

The RunDown:

What is MFA, and why do I need it?

MFA stands for Multi-Factor Authentication, meaning that users must authenticate their sign-on with both a username and password and an added confirmation, such as a code sent by email or text message. More secure still is a dedicated authenticator app that generates a time-based one-time password (TOTP) on the user's own device. MFA is an added layer of protection for the account, designed to prevent unauthorized users from accessing it. MFA helps protect against hackers, phishing attempts, and other security threats. With modern technology it is too easy for an unauthorized user to obtain a username and password combination, but much more challenging to also know the extra security code tied directly to your device.

Salesforce put together this video to explain how multi-factor authentication works to prevent further unauthorized account access.

https://salesforce.vidyard.com/watch/Zs9r7CyxF6Wu9rfNmMnmFf 

Salesforce will automatically enable multi-factor authentication for all accounts starting on February 1, 2022, and will be fully enforced by May/June of 2023 without the option to disable the feature.

What if I use SSO?

SSO, or Single Sign-On, will not meet Salesforce's MFA requirement on its own UNLESS that SSO system also has MFA enabled. Many SSO solutions offer an MFA option that can be added easily, but until it is activated, SSO alone will not satisfy the MFA requirement. While single sign-on is a convenient way to sign in to all your apps with one username and password combination, that still leaves every connected app exposed if that one password is compromised. Adding multi-factor authentication to the SSO login makes all of those accounts far better protected.

How to enable MFA within Salesforce:

The team at GrowthHeroes has put together this guide for implementing multi-factor authentication within Salesforce:

Adopting the Salesforce Multi-Factor Authentication (MFA) Requirement


Information needed

  • What verification methods can be used?
    • Integrate your existing SSO (with MFA enabled), or use an authenticator app until that integration is in place
  • Which other types of users will require MFA?
    • Not required:
      • External Users
      • Chatter Free
      • API / Integration Logins


Preparation

  1. Evaluate which verification methods meet your business and user requirements.
  2. Do an inventory of users, roles, and permissions to identify your privileged users (top priority) and determine the level of effort for your project.
  3. Plan rollout, change management, implementation, testing, and user support strategies.


Roll Out

  1. Kick-off change management activities to engage and prepare users for MFA.
  2. Work with your support team to establish an access recovery process and train them to handle MFA issues.
  3. Distribute verification methods to users.
  4. Enable MFA for user interface logins.
    1. Use System Permissions, not Session Settings, so the requirement follows the user rather than the session
  5. Help users register and log in with a verification method.


Manage

  1. Collect feedback and monitor usage metrics to ensure users are adopting MFA.
  2. Support ongoing operations and assist users with authentication issues.
  3. Optimize your overall security strategy.

For further information