Multi-Factor Authentication (MFA) is the process of adding additional security to your systems by requiring a secondary verification during login. It is a widely used practice to help avoid online fraud and identity theft. Salesforce is requiring users to verify their identity through multiple factors from February 2022. In this blog we will go through what MFA is and how you can get MFA enabled in your environment.
What is Multi-Factor Authentication (MFA)?
MFA or Multi-Factor Authentication, requires a user to use multiple pieces of evidence (called factors) to prove their identity when authenticating to a system.
The first factor is simple: this is your username and password.
The second factor can be provided by one or more of a number of items:
- Salesforce Authenticator app
- Third-Party Authenticator apps, e.g.: Auth, Google Authenticator, Microsoft Authenticator
- Security Keys, e.g.: Yubikey, Titan Security Key
Using more than one factor provides security, because if someone gains access to your username and password, it is unlikely they will also be able to access a verification method on your mobile or a security key.
How does Multi-Factor Authentication differ from one-time passcodes?
One time passcodes that are sent to text (SMS), email or phone calls don’t meet the requirements of MFA. This is because email credentials can be compromised, and text messages and phone calls can be intercepted.
Why should I plan for MFA?
From February 1st 2022 Salesforce will require internal Salesforce users to use MFA in order to access Salesforce products.
How is MFA enabled?
MFA is enabled once the permission ‘Multi Factor Authentication for User Logins’ is checked and assigned – but there are a lot of things to take into consideration first before checking that box.
What if we use SSO?
If an organisation uses Single Sign On, you can enable the SSO’s MFA service, or enable MFA for users on the Salesforce platform.
What about Admin access?
Users such as Admins who log directly into Salesforce must have MFA enabled on the Salesforce platform.
Admins should use at least two different authentication methods, and you should have at least two users with permissions to manage users and MFA settings.
Also consider keeping a Security Key onsite or in a safe place – all these actions will enable admins to recover access if they find themselves locked out of the system.
How do I prepare my users for MFA?
Read and implement the Rollout Pack:
Our top tips are as follows:
Check who has access to a mobile device. The simplest way to prepare for MFA is for users to download the Salesforce Authenticator app from the App Store or Google Play, or to download a third-party authenticator app.
Purchase security keys for users without mobile devices. To complete the second factor of the authentication, users connect the security key to their computer via a port or wirelessly. Then they press the key’s button to confirm their identity.
At a push, Third-Party Authenticator apps downloaded to a computer desktop can meet MFA requirements but using separate physical devices such as a mobile or security key is preferable. This is because if someone gains access to your username and password, they may have also gained access to your laptop or computer.
Once you have taken action to implement MFA, answer these questions to ensure your implementation meets the MFA requirements.
MFA for End Users
How does MFA change the login process?
Once a user provides their username and password on the login screen, they will be prompted to add an authentication method. Instructions on how to use the Salesforce Authenticator are provided as standard, but another method can be chosen by clicking on the ‘Choose Another Verification Method’ link.
Logging in using the Salesforce Authenticator app for the first time
Once you have the Salesforce Authenticator app installed on your device, when you enter your username and password details to Salesforce in the browser you will see the following screen.
The Salesforce Authenticator app will provide you with a two-word phrase to enter in the box below and click ‘Connect’.
You will then be asked to verify your details in the Salesforce Authenticator app. If your username and the service look correct, click ‘Connect’ to complete the process and access Salesforce.
Logging in using the Salesforce Authenticator app
On entering your username and password details to Salesforce in the browser, a push notification will be sent to your mobile device.
When you open the Salesforce Authenticator app on your phone you can review details of the login attempt. If you are sure that the attempt was generated by you, click ‘Approve’ to complete the process and access Salesforce.
We recommend you complete your own investigation and form your own implementation plan for MFA before making any changes to your system. The attached list of recommended reading is a good place to start. We can advise and assist you in rolling out MFA.
ABOUT CLOUD GALACTICOS
Cloud Galacticos is a Salesforce Consulting Partner with an all-star team. We are user and developer group leaders, bloggers, MVPs and all round Salesforce nerds. Our Salesforce consultancy has people all over the UK including Manchester, Leeds, Newcastle, Sheffield, and London.
If you’re looking for more advice on MFA, our team of experts can guide you though the new features and updates. We can also support you through projects. Why not find out more about our Managed Services package?