Fast and Secure MFA: Unlock Salesforce With a Physical Key
With security always on everyone’s minds in this digital era, it’s no wonder that lengthy passwords and security questions are no longer sufficient to protect our data, especially in an enterprise environment.
Since early 2022, Salesforce has been taking steps to (initially) auto-enable and (gradually) enforce MFA across their platform and products by making it contractually required. As a Salesforce Admin, what can you do to ensure compliance alongside a smooth user experience?
This post will explore how YubiKeys can answer this question, as well as the setup process and the experience of logging in to a Salesforce work environment – even with the additional security layer in place.
Understand Salesforce Multi-Factor Authentication (MFA)
Chances are that you are already familiar with MFA in Salesforce; even if you’re not, it is something that the majority of industries and products have been using for quite some time. The first example that comes to my mind is online credit card payments that have to be approved within the mobile application.
The idea behind MFA is for the user to prove their identity when logging in to Salesforce by using two different factors: something they know (usually the password), and something they have (such as a mobile app or a physical key). For the latter, Salesforce currently supports the following options:
- Salesforce Authenticator mobile app
- A third-party authenticator app (such as Google Authenticator)
- An authenticator built into your computer (like Touch ID)
- Physical security keys (such as Yubico’s YubiKey, which we will explore below)
As mentioned above, Salesforce is gradually auto-enabling and enforcing MFA. While in an ideal scenario all Salesforce orgs out there have MFA already enabled, this most likely isn’t the case – if you haven’t already gone through setting up MFA, make sure you check out the notes from the Multi-Factor Authentication (MFA) Enforcement Roadmap. Additional information pertaining to MFA impact, auto-enablement, and enforcement can be found in this help article.
What Is the YubiKey?
As a physical device you connect to either your laptop, phone, or tablet, YubiKey adds an additional security layer for systems and applications you use either in your day-to-day job or in your private life. Be it Salesforce, GitHub, or even Windows, YubiKey can be registered with a plethora of solutions to ensure your information is always protected against cyberattacks.
YubiKey is phishing-resistant and compatible with multiple authentication standards such as WebAuthn/FIDO2 and, of course, OTP – therefore, it’s a feasible option for many legacy systems as well as the newer ones. In addition, the device itself does not need to be recharged, it’s water resistant, and (as you’ll learn when we go through the setup below) it does not require any additional software installation to secure your Salesforce org. You can find more about how this product works here.
When it comes to meeting the Salesforce MFA requirements, Yubico’s YubiKey can prove to be a great ally, with a wide range of keys to choose from at different price points – all of which are compatible with your CRM. While I tested the YubiKey 5C NFC and Security Key C NFC (representing both the midrange and the more affordable range), there are other options worth exploring, such as the Bio Series keys.
Let’s dive into how exactly YubiKeys work with Salesforce!
Salesforce Setup Process
Now that we have covered what MFA and YubiKey actually are, let’s finish the Salesforce setup. There are a few easy steps to follow to allow physical keys to be used and to ensure MFA is required, and then, of course, registering your YubiKey.
In Setup, either within Session Settings or Identity Verification, you will be able to check the two boxes for “Let users verify their identity with a physical security key” and “Require multi-factor authentication for all direct UI logins to your Salesforce org”.
The good news is that, after these settings are done, users can navigate to their Advanced Settings and self-register.
Once a user clicks on the “Register” link, they will be prompted to insert the YubiKey into their USB port, touch it, and give it a name of their choice.
You will notice that, when prompted to insert and touch the YubiKey, the “Y” will start blinking to get your attention. This will also happen every time the key is used to confirm your identity when registering a new Salesforce instance. You can read more about the ease of use here.
Following the setup, users or admins can go back at any time and remove the physical key from the User record if needed. While the same YubiKey can be used to connect to multiple Salesforce orgs, at this time you cannot have multiple keys simultaneously registered to the same user in the same org. You can vote for this idea to encourage Salesforce to prioritize it for future releases.
Note: Yubico recommends having at least one spare key to ensure you do not lose access to your accounts, just in case the main one is lost or stolen. Even if there isn’t a way to register multiple keys with your Salesforce account at this time, this should be considered for other applications.
Now that the YubiKey is properly registered on the Salesforce org, it’s time to log back in. After inputting the username and password, users will be prompted with a message to insert their key to confirm it’s actually them logging in.
In addition to logging back into my Developer Edition orgs from a laptop, I also wanted to try the mobile experience as MFA should be enforced even when logging in from a mobile browser. As you can see below, I was prompted to choose the way I wanted to use my YubiKey – I went for the NFC option.
For this particular method, I only had to keep the YubiKey close to my phone for a few seconds, and that was it!
All in all, I’d say that the idea of completing Multi-Factor Authentication with a physical security key to confirm your identity feels like a breeze now.
YubiKey was easy to set up for multiple Salesforce orgs, and the best part? It doesn’t have to be limited to Salesforce – even if you’re using it as an individual or a business, having the flexibility to protect your accounts and data across multiple platforms with a single key (plus eventual spare ones where possible), all while ensuring a user-friendly experience, is a match made in heaven!
Find out everything there is to know about the different available YubiKeys on the Yubico website – from pricing to the potential risks these keys can mitigate.