Admins / Security / Users

How to Prepare for Salesforce Multi-Factor Authentication

By Christina Christina Anderson

Reused or weak passwords have resulted in an increase in security breaches. Starting February 1st, 2022, Salesforce Multi-Factor Authentication (MFA) will be required to use Salesforce products in compliance with the End User Licence Agreement you signed when becoming a customer. Do you remember when Salesforce made the announcement? You may have seen it and said, oh yeah, I will get to that. Well, that key date is just around the corner. 

Need a refresher to help make the transition a little easier? I sat down with SaaScend’s VP of Sales Operations, Emily Fagan, to get the insight.

What is Salesforce MFA?

…and what does this mean for organizations?

Multi-factor authentication (MFA) is a process that requires a user to verify their identity two or more times before they are able to log into their Salesforce account. 

For example, have you ever tried logging into your Amazon account, when you are not on your phone or on your laptop? If you have, then you have probably been sent an OTP (One Time Password) in order for you to verify that you are who you say you are. This is a similar idea to how Salesforce MFA operates.

Right now Salesforce users can log in using their username and password, but come February 1st, 2022 (or a little after), they will need to verify themselves using one of the Salesforce approved MFA methods – that they are who they say they are. That’s providing the admin has enabled Salesforce MFA for their organization.

Salesforce products that include device activation must require MFA for every login.

What are the Salesforce Multi-Factor Authentication Methods?

  • Salesforce Authenticator App
  • Built-In Authenticators
  • Security Keys

Salesforce Authenticator App

The easiest and most cost-effective way. The Salesforce Authenticator App is a free app that users can download onto their smartphones. 

Here’s how to connect your Salesforce account to Salesforce Authenticator, in less than five minutes:

  1. Login to Salesforce and navigate to your personal settings by clicking on your Profile Image and selecting Settings. 
  2. Click Advanced User Details and scroll to App Registration: Salesforce Authenticator. Click Connect.
  3. Go to the Salesforce Authenticator app on your mobile device, tap Add an Account
  4. You will then receive a unique two-word phrase in the app, to then enter in the “Two-word Phrase Field” in your Salesforce browser window.

  5. Back in the app on your mobile device you will then see details about your Salesforce account where you will then be able to click Connect and complete the sync process.

Some people may already be using Google Authenticator or Microsoft Authenticator which can be used for Salesforce MFA as well. 

If a mobile app solution is not feasible, then there are other options that can be used such as built-in authenticators or security keys.

Built-In Authenticators

Built-in authenticators are from the user’s mobile device such as touch ID, face recognition, or a PIN that the user has set up in their operating system. This is available for Heroku, Marketing Cloud, Datorama, and MuleSoft Anypoint Platform. Right now it is a beta service for products built on the Salesforce platform. However, this method is bound to the user’s device, if the user logs into Salesforce on multiple devices, then the built-in authenticator will need to be registered on each device.

Security Keys

A security key is a small physical token that works as a verification method for MFA logins. Security keys are easy to use because there’s nothing to install and no codes to manually enter, however, this is a paid option. Examples are Yubikey by Yubico or Google’s Titan Security Key.

Which MFA Method Would You Recommend?

It depends on your users, but for the majority of the cases I will recommend the Salesforce Authenticator App. It is straightforward, easy to use, and there are a ton of resources for the steps that need to be taken. As long as your workforce has access to smartphones, downloading this app and verifying themselves in your Salesforce account is only a 3-5 minute process.

Then in the future, if there is any kind of cyber-attack or if someone is trying to log in that is not them, users will receive a notification and be able to deny that access to their Salesforce instance.

Admin Steps for Rollout

1. Identify whether or not Salesforce MFA has already been enabled. Admins enable this through permissions or profile settings under Setup. 

  • Login as an administrator. From Setup, go to Profiles and select a profile. 
  • Scroll down and click System Permissions
  • Scroll down to the permission set, Multi-Factor Authentication for User Interface Logins, if that box is not selected, then MFA has not been enabled for that particular profile. 
  • Go into each profile and confirm whether or not MFA has already been enabled and then consider a phased or a mass rollout depending on your team.

2. Send out communication to your users. Let them know when you will enable the permission set and give your users all the resources ahead of time that they need to understand what steps they will need to take.

How Will this Affect Pardot (Account Engagement) Users?

As Pardot users experienced migrating to Salesforce Single Sign-On last year, they will also need to have Salesforce MFA enabled

This will not impact the Salesforce Pardot Connector. MFA is not required for API/Integration logins and the connector uses the Salesforce API to sync data to Salesforce. If your organization is not using the B2BMA integration user, it is recommended to enable MFA for the connector user.

What Happens if Teams Do Not Prepare for Salesforce MFA?

There are two ways to define this question:

  • What happens if admins do not enable Salesforce MFA?
  • What happens if admins do not communicate that they’ve enabled Salesforce MFA?

If no prep is done by the Salesforce Admin, come February 1st, they will be in breach of the End User Licence Agreement (the binding agreement you signed when becoming a customer). Salesforce is contractually enforcing MFA by updating their liability position – in other words, what you can expect them to do should a data breach occur and you haven’t enabled MFA for your users.

If admins do not communicate that they’ve enabled Salesforce MFA, you are going to have a lot of frustrated users saying, “I can’t log into Salesforce, someone please help me.” This means a very long day for Salesforce Admins that then need to scramble to get communication out and walk users through the process, costing precious time out of everyone’s workday.

I highly recommend you start preparing now. Relay the following to your users:

  1. What MFA is
  2. Why is it so critical
  3. The steps they will need to take
  4. And that it only takes a few minutes

This will help to ensure a smooth transition for everyone.

Final Piece of Advice?

That MFA is super important and you should do it. Data security is a topic that we hear about all the time. Companies have an enormous amount of data in their Salesforce instances and it is their responsibility to ensure that data remains secure and not open to cyber attacks, phishing attacks, and account takeovers. 

MFA is essential in today’s workforce landscape where more and more people are working remotely. Whether you are working at home, a coffee shop, or an airport, you need to ensure an extra layer of protection for you and your company’s data for if something catastrophic happens, such as your device gets taken, or is hacked.

A data breach could mean fines, lawsuits, a loss in your brand’s integrity, and the collapse of the business. Therefore, take the steps, it only takes a few minutes; be proactive and prepare your team for Salesforce MFA.

The Author

Christina Christina Anderson

Christina is the Head of Content at SaaScend. She is the Former Host of the Pardot Life Hacks podcast, and Leader of the Marketing Life Hacks community.


    January 24, 2022 6:18 pm
    Are you sure about "MFA is only when they are using a new device or they are in an unrecognized location". I don't think it what Salesforce is saying ... unfortunatly. Ref :
    Rudy Tixhon
    January 25, 2022 10:44 am
    Hello and thanks for the article. Maybe interesting to add that if you are using an Enterprise SSO for the login of your users the enforcement of the MFA is not an issue. You will have only to take care about your admin users who are probably using login/password to log in the system.

Leave a Reply