Salesforce has contractually required Multi-Factor Authentication (MFA) for anyone logging in directly since February 1st 2022.
It’s likely you’ve already made the switch and enforced this for your users. In this article, we’ll explore the requirement in detail and run through five MFA methods you can offer users to stay contractually compliant.
What Is MFA?
Multi-Factor Authentication requires two or more factors to gain access to a system. For example, a Username and Password along with a verification code.
This isn’t to be confused with Device Activation, which may require a verification code by email when you log in from a new device for the first time.
Who Needs to Use MFA?
If you’re logging in to Salesforce via the UI at login.salesforce.com or your My Domain URL, then you need to use MFA. This includes the Salesforce Mobile App.
External Users that log in via an Experience Cloud Site are not required to use MFA. Salesforce also doesn’t currently require MFA for sandboxes, although enabling it there is advised as best practice to secure the data they hold.
1. Salesforce Authenticator
The Salesforce-provided option for MFA comes in the form of Salesforce Authenticator. This is a mobile app available on the App Store and Google Play.
You can set up a Trusted Location so that requests from a specific location and device are pre-approved, or let Einstein automatically trust a location once it has been used three times.
Using the Salesforce Authenticator app, you can back up and restore your saved login codes should you need to change devices, or if your mobile device is lost, stolen, or damaged.
You can also enroll in Lightning Login so that when you log in from the same device you no longer need to enter a password; Salesforce Authenticator instead acts as the MFA requirement.
2. One-Time Password Generator
If you’re already using Google Authenticator, Microsoft Authenticator, or another tool, you may want to use that for verification codes instead of Salesforce Authenticator.
There are many of these tools to choose from, and you can use them on desktop or mobile, which is handy if you don’t issue users mobile devices.
During enrollment, you have the option to scan a QR code or, if you’re on a desktop, copy and paste a Security Key. As long as the app you choose supports TOTP, you’re set to go.
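To make concrete what “supports TOTP” means, here is an added example (not code from the original article or from Salesforce) of what an enrolled app and a verifying server each compute. The Security Key shown during enrollment is a base32 secret; the app derives a six-digit code from it and the current 30-second time step, and the server does the same derivation to check it. The secret below is the RFC 6238 published test vector, not a real credential. The one-step skew window and the replay guard are design choices of this example; Salesforce’s own verification parameters are not described on this page.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

TIME_STEP = 30            # seconds per code; the default most authenticator apps use
DIGITS = 6                # code length most apps display
ALLOWED_DRIFT_STEPS = 1   # accept one step either side of "now" to tolerate clock skew

# Base32 form of the RFC 6238 test secret (ASCII "12345678901234567890").
# This is the RFC's published test vector, not a real credential.
RFC6238_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp_code(secret_b32: str, for_time: int, step: int = TIME_STEP,
              digits: int = DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1 HOTP over the time-step counter) for a Unix time."""
    # Enrollment screens often show the secret in groups separated by spaces.
    key = base64.b32decode(secret_b32.replace(" ", ""), casefold=True)
    counter = for_time // step
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class TotpVerifier:
    """Server-side check of a submitted code with skew tolerance and a replay guard."""

    def __init__(self, secret_b32: str, step: int = TIME_STEP,
                 drift: int = ALLOWED_DRIFT_STEPS) -> None:
        self.secret_b32 = secret_b32
        self.step = step
        self.drift = drift
        self.last_accepted_counter: Optional[int] = None   # highest counter already consumed

    def verify(self, submitted: str, now: Optional[int] = None) -> bool:
        if now is None:
            now = int(time.time())
        if not (submitted.isdigit() and len(submitted) == DIGITS):
            return False
        current = now // self.step
        for counter in range(current - self.drift, current + self.drift + 1):
            # A code at or before the last accepted counter was already used (or is
            # older than one that was), so it must not open a second session.
            if self.last_accepted_counter is not None and counter <= self.last_accepted_counter:
                continue
            expected = totp_code(self.secret_b32, counter * self.step, self.step)
            if hmac.compare_digest(expected, submitted):   # constant-time comparison
                self.last_accepted_counter = counter
                return True
        return False


if __name__ == "__main__":
    verifier = TotpVerifier(RFC6238_TEST_SECRET_B32)
    t = 1111111111                                    # RFC 6238 test time
    code = totp_code(RFC6238_TEST_SECRET_B32, t)      # "050471" per the RFC
    print("first use accepted:", verifier.verify(code, t))       # True
    print("replay accepted:   ", verifier.verify(code, t + 5))   # False
```

Because both sides only share the secret and the clock, any app that implements this derivation works regardless of vendor, which is why the choice of TOTP app is up to you. The replay guard matters because a code stays valid for the whole time step (and one step either side with the window above); refusing a counter that has already been consumed stops a captured code from being submitted a second time.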
3. Built-In Authenticators
Do you use Windows Hello or Touch ID? If so, did you know you can use these as MFA Methods too?
From Setup, enable “Let users verify their identity with a built-in authenticator such as Touch ID or Windows Hello” to allow users to connect these types of methods.
Once enabled, users can select a built-in authenticator from the list of devices when they enroll; this also extends to biometric peripherals if users have them.
4. Physical Security Keys
If you have users without a mobile device and you don’t want the ongoing cost of a desktop One-Time Password Generator (these are usually paid), you can opt for a physical device.
This is usually a USB device that you plug in to verify. Different models also support NFC and USB-C.
These come with an initial cost, and you’d have to factor in replacements should devices be lost, stolen, or damaged, but this is a cheaper option than a mobile device.
5. Single Sign On (SSO)
If you have users sign in via Single Sign On (SSO), you can offload the MFA requirement to the SSO provider.
If you use something like Okta or Microsoft, the SSO login itself has to be verified with a strong method. If users rely on codes via email, SMS, or voice, this doesn’t meet the requirement.
Should your SSO not meet the requirements, you can either enforce stricter methods there or use Salesforce MFA instead. For the best user experience and control, it’s easier to have one system doing the driving!
Other Methods
Trusted Corporate Devices, Trusted Networks, or Certificate-Based Authentication do not satisfy the Salesforce MFA requirement on their own.
Risk-Based or Continuous Authentication does meet the Salesforce requirement when it is integrated with your SSO solution.
Comparison Table
To break down the main options, refer to the below comparison table:
- Form Factor refers to the type of device that is required for a method e.g. Mobile or Desktop.
- Relationship refers to the relationship between the method and a user, indicating if a user can have multiple methods of the same type (One to Many) or only one of that type (One to One).
- Cost refers to the fee for obtaining this method. This assumes users already have a Mobile or Desktop device where this is the Form Factor.
Method | Form Factor | Relationship | Cost
---|---|---|---
Salesforce Authenticator | Mobile | One to One | Free
One-Time Password Generator | Mobile, Desktop | One to One | Free or Paid
Built-In Authenticators | Desktop | One to Many | Free or Paid
Physical Security Keys | USB, Lightning, NFC | One to One | Paid
Single Sign On | Mobile, Desktop | One to Many | Paid
Management
Whether you’re already enforcing MFA or about to make the switch, a few tips and tricks can ease the admin burden.
Be sure that users have access to the necessary devices to meet the requirement, such as a mobile device with Salesforce Authenticator or a Physical Security Key.
Encourage users to register multiple methods against their account; that way, if they lose access to one, they have a backup and don’t have to disturb an admin to regain access. Users can manage their methods from their Personal Settings too.
From Setup, enable “Show all verification method registration options instead of starting with Salesforce Authenticator” so the system doesn’t default to Salesforce Authenticator when a new user logs in for the first time. This is especially useful if you want users to use a different method.
As a Salesforce Admin, you can disconnect a user’s MFA method(s) from their User Record. For Salesforce Authenticator, One-Time Password Generator, and Security Keys, simply press Disconnect next to the relevant field, and the next time the user logs in they’ll be forced to re-enroll. For Built-In Authenticators, you can disconnect these from the related list on the User page.
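The two checks above (every user has a compliant method, and ideally a backup) are easy to automate against an export of who has registered what. The following is an added example written for this article, not Salesforce code or a Salesforce API; it works over a constructed list of (username, method) rows and applies the rules this page states: only the four Salesforce-accepted method types count, email, SMS and voice codes do not, and a single registered method leaves the user without a backup. The TwoFactorMethodsInfo object named in the comment is assumed as the likely source of such data in a real org; confirm it against your API reference before relying on it.

```python
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Method types the article lists as satisfying the Salesforce MFA requirement.
STRONG_METHODS = {
    "Salesforce Authenticator",
    "One-Time Password Generator",
    "Built-In Authenticator",
    "Security Key",
}
# Codes sent out of band are explicitly not accepted as MFA factors.
WEAK_METHODS = {"Email", "SMS", "Voice"}

# Constructed sample export of (username, registered method). In a real org this
# would come from a report or from the TwoFactorMethodsInfo object (object name
# assumed here; check your API version). None marks an active user with nothing
# registered at all.
SAMPLE_REGISTRATIONS: List[Tuple[str, Optional[str]]] = [
    ("ana@example.com", "Salesforce Authenticator"),
    ("ana@example.com", "Security Key"),
    ("ben@example.com", "One-Time Password Generator"),
    ("cal@example.com", "Email"),
    ("dee@example.com", None),
]


def audit_mfa(registrations: Iterable[Tuple[str, Optional[str]]]) -> Dict[str, str]:
    """Return one finding per user: 'ok', a 'no backup' note, or a non-compliance reason."""
    per_user: Dict[str, Set[str]] = {}
    for user, method in registrations:
        regs = per_user.setdefault(user, set())   # keep users with no methods visible
        if method:
            regs.add(method)

    findings: Dict[str, str] = {}
    for user, regs in sorted(per_user.items()):
        strong = regs & STRONG_METHODS
        weak = regs & WEAK_METHODS
        if not strong and weak:
            # Registered something, but only out-of-band codes: does not satisfy MFA.
            findings[user] = f"non-compliant: only {', '.join(sorted(weak))} registered"
        elif not strong:
            findings[user] = "non-compliant: no MFA method registered"
        elif len(strong) == 1:
            # Compliant today, but losing the one device means an admin reset.
            findings[user] = f"no backup: single method ({next(iter(strong))})"
        else:
            findings[user] = "ok"
    return findings


def users_needing_action(findings: Dict[str, str]) -> List[str]:
    """Usernames an admin should follow up with, in sorted order."""
    return [user for user, finding in findings.items() if finding != "ok"]


if __name__ == "__main__":
    for user, finding in audit_mfa(SAMPLE_REGISTRATIONS).items():
        print(f"{user:20} {finding}")
```

Run against a real export, the “non-compliant” rows are the users to chase before they are locked out of a direct login, and the “no backup” rows are the users to nudge toward registering a second method from their Personal Settings.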
Summary
MFA is important to ensure that your data remains secure and in the hands of trusted users.
Be sure to comply with the Salesforce requirement and offer users a range of methods so they can choose whatever option works best for them without impacting user adoption.
Other Resources
- Salesforce Multi-Factor Authentication FAQ
- Salesforce Authenticator for MFA
- Third-Party Authenticator Apps for MFA
- Built-In Authenticators for MFA
- Security Keys for MFA
- Turn On MFA for Single Sign-On (SSO) to Salesforce Orgs