
Enabling Salesforce MFA: Top 5 Methods for Salesforce Admins

By Tom Bassett

Salesforce has contractually required Multi-Factor Authentication (MFA) for anyone logging in directly since February 1st 2022.

It's likely you've already made the switch and enforced this for your users. In this article, we'll explore the requirement in detail and run through five MFA methods you can offer users in order to be contractually compliant.

What Is MFA?

Multi-Factor Authentication requires two or more factors to gain access to a system: for example, a username and password (something you know) along with a verification code from a device the user holds (something you have).

This isn't to be confused with Device Activation, which may require a verification code sent by email when you log in from a new device or browser for the first time. Device Activation is a one-off check on an unrecognised device; it is not an MFA method.

Who Needs to Use MFA?

If you log in to Salesforce through the UI at login.salesforce.com or your My Domain URL, you need to use MFA. This includes the Salesforce mobile app.

External users who log in via an Experience Cloud site are not required to use MFA, and Salesforce currently doesn't require MFA for sandboxes either, although enabling it there is advised as best practice, since sandboxes frequently hold copies of production data.

1. Salesforce Authenticator

The Salesforce-provided option for MFA comes in the form of Salesforce Authenticator. This is a mobile app available on the App Store and Google Play. 

You can set up a Trusted Location so that requests from a specific location and device are approved automatically, or let Einstein automatically trust a location once it has been used three times.

Using the Salesforce Authenticator app, you can back up and restore your connected accounts should you need to change device, or if your mobile device is lost, stolen, or damaged.

You can also enroll in Lightning Login so that, when you log in from the same device, you no longer need to enter a password: the Salesforce Authenticator approval replaces it and satisfies the MFA requirement.

2. One-Time Password Generator

If you're already using Google Authenticator, Microsoft Authenticator, or another authenticator app, you may want to use that for verification codes instead of Salesforce Authenticator.

There are many of these tools to choose from, and you're free to use them on desktop or mobile, which is handy if you don't issue users mobile devices.

During enrollment, you can scan a QR code or, if you're on a desktop, copy and paste the key shown instead. Either way the app receives the same shared secret; as long as the app you choose supports TOTP (RFC 6238), you're set to go.
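To make clear what that shared secret actually is, here is an added example (not code from the original article or from Salesforce) of the TOTP algorithm an authenticator app runs once it has the key, plus the server-side check that tolerates one step of clock drift and refuses to accept the same code twice. It assumes the key is presented as base32 text, which is the usual convention for the "can't scan the QR code" fallback; the secret below is the RFC 6238 reference secret, constructed for the example, and is not a real Salesforce key.

```python
import base64
import hashlib
import hmac
import struct

# Constructed example secret: base32 of the RFC 6238 reference key
# b"12345678901234567890". A real enrollment key would be different.
EXAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32: str) -> bytes:
    """Decode the base32 key shown at enrollment (spaces and missing padding tolerated)."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock (30 s steps)."""
    return hotp(decode_secret(secret_b32), unix_time // step, digits)


def verify(secret_b32: str, submitted: str, unix_time: int, used_counters: set,
           window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Server-side check.

    Accepts the code for the current step or `window` steps either side to absorb
    clock drift, compares in constant time, and records the step that was used so
    the same code cannot be replayed within its validity period.
    """
    key = decode_secret(secret_b32)
    now = unix_time // step
    for drift in range(-window, window + 1):
        counter = now + drift
        if hmac.compare_digest(hotp(key, counter, digits), submitted):
            if counter in used_counters:
                return False  # replay of a code already accepted
            used_counters.add(counter)
            return True
    return False


if __name__ == "__main__":
    t = 1234567890
    code = totp(EXAMPLE_SECRET_B32, t)
    used = set()
    print(code, verify(EXAMPLE_SECRET_B32, code, t, used),
          verify(EXAMPLE_SECRET_B32, code, t, used))
```

The RFC 6238 test vectors (8-digit codes for the reference secret) are a quick way to confirm an implementation before trusting it: time 59 gives 94287082 and time 1234567890 gives 89005924. Note that a TOTP code proves possession of the secret only; the replay set and a per-user attempt limit are what stop an attacker who has observed or guessed a code.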

3. Built-In Authenticators

Do you use Windows Hello or Touch ID? If so, did you know you can use these as MFA methods too?

From Setup, enable "Let users verify their identity with a built-in authenticator such as Touch ID or Windows Hello" to allow users to connect these types of method.

Once enabled, users can select a built-in authenticator from the list of devices when they enroll, and this also extends to biometric peripherals if users have them. Because a built-in authenticator is tied to the device it was registered on, users will need another method for any other device they log in from.

4. Physical Security Keys

If you have users without a mobile device and you don't want the ongoing cost of a desktop One-Time Password Generator (these are often paid), you can opt for a physical security key.

This is usually a USB device that you plug in to verify; different models support NFC and USB-C too.

These come with an initial cost, and you'd have to factor in replacements should keys be lost, stolen, or damaged, but this is a cheaper option than issuing a mobile device.


5. Single Sign On (SSO) 

If your users sign in via Single Sign-On (SSO), you can offload the MFA requirement to the SSO provider.

If you use something like Okta or Microsoft, the provider itself has to verify users with a strong method. If users rely on codes delivered by email, SMS, or voice, this doesn't meet the requirement.

Should your SSO provider not meet the requirement, you can either enforce stricter methods there or opt to use Salesforce MFA instead. For the best user experience and control, it's easier to have one system doing the driving.

Other Methods

Trusted corporate devices, trusted networks, and certificate-based authentication do not, on their own, satisfy the Salesforce MFA requirement.

If you use risk-based or continuous authentication and it is integrated with your SSO solution, then you do meet the Salesforce requirement.

Comparison Table

To break down the main options, refer to the comparison table below:

  • Form Factor refers to the type of device required for a method, e.g. Mobile or Desktop.
  • Relationship refers to the relationship between the method and a user, indicating whether a user can have multiple methods of the same type (One to Many) or only one of that type (One to One).
  • Cost refers to the fee for obtaining the method. This assumes users already have a Mobile or Desktop device where that is the Form Factor.

Method                        Form Factor            Relationship   Cost
Salesforce Authenticator      Mobile                 One to One     Free
One-Time Password Generator   Mobile, Desktop        One to One     Free or Paid
Built-In Authenticators       Desktop                One to Many    Free or Paid
Physical Security Keys        USB, Lightning, NFC    One to One     Paid
Single Sign On                Mobile, Desktop        One to Many    Paid

Management

If you're already using Salesforce MFA or about to make the switch, there are a few tips and tricks to ease the admin burden.

Be sure that users have access to the necessary devices to meet the requirement, such as a mobile device with Salesforce Authenticator or a Physical Security Key. 

Encourage users to register multiple methods against their account – that way if they lose access to one they have a backup and don’t have to disturb an admin to regain access. Users can manage their methods from their Personal Settings too.

From Setup, enable "Show all verification method registration options instead of starting with Salesforce Authenticator" so the system doesn't default to Salesforce Authenticator when a new user logs in for the first time. This is especially useful if you want users to use a different method.

As a Salesforce Admin, you can disconnect a user's MFA method(s) from their User record. For Salesforce Authenticator, One-Time Password Generator, and Security Keys, press Disconnect next to the relevant field; the next time the user logs in they'll be forced to re-enroll. Built-in authenticators are disconnected from the related list on the User page. Treat any disconnect request as an identity-verification event and confirm the requester out of band first: resetting MFA is exactly what an attacker who already holds a user's password needs.

Summary

MFA is important to ensure that your data remains secure and in the hands of trusted users.

Be sure to comply with the Salesforce requirement, and offer users a range of methods so they can choose whichever option works best for them without hurting adoption.

The Author

Tom Bassett

31x Trailhead Certified, 11x Accredited Professional, 2x Slack Certified with 6+ years experience. Passionate about helping other Trailblazers as a Forum Ambassador, Salesforce Ben Expert Author, FlowFest Judge/Speaker, Co-Leader of the London Architect Community Group, Podcast Host, Dreamforce Speaker and Community Speaker. Based in London working as a Solution Architect.
