Customers who don’t enable MFA by February 1, 2022, will be out of compliance with their contractual obligations. Salesforce recommends speaking with your legal team to understand the implications of not enabling MFA by the required date.
MFA may be a large change for some customers. The goal of the MFA requirement is to help protect your business, and Salesforce is here to help you find a path forward to avoid security and compliance implications for your company. If you’re concerned about satisfying the requirement, reach out to your Salesforce representative. We’ll work with you to find a solution.
Greg Poirier, Founder of Salesforce Partner CloudKettle and an expert in business security tech, explains the trend. “That security issue is not new,” he said. “What is new is that the volume of attacks and resources and efforts going into security attacks on at-home employees has increased significantly. What’s happening is people are working way harder in the last year to exploit it. And that’s what makes it more important.”
Customer trust is the highest priority at Salesforce. The global threat landscape is constantly evolving, and the types of attacks that can cripple a business and exploit consumers are on the rise. It’s more important than ever to implement stronger security measures. This is why Salesforce has announced a future requirement for all customers to enable MFA. Multi-Factor Authentication (MFA) is one of the easiest, most effective methods to prevent unauthorised account access and safeguard your Salesforce data.
Why is it important?
- User credentials on their own do not provide enough protection against threats such as phishing attacks, credential stuffing, and account takeovers.
- MFA requires users to prove they are who they say they are by providing two or more pieces of evidence when they log in.
- MFA is available at no extra cost.
MFA Verification Methods
You might be wondering what types of verification methods you can use to access your Salesforce accounts. Salesforce has come up with three different methods for multi-factor authentication, and you can allow any or all of them:
- Salesforce Authenticator App
  - The Steps
    - When a user logs in, they receive a push notification on their mobile device.
    - The Salesforce Authenticator App tells the user the following:
      - What actions need to be approved
      - Which user is requesting the action
      - Which service is requesting the action
      - What device the user is using
      - The location from which the request is made.
    - With the information mentioned above, the user can quickly and confidently approve or deny the authorisation request. They can also automate the extra authentication step when working from a trusted location.
    - If the user’s mobile device doesn’t have connectivity, they can still log in using six-digit TOTP codes generated by Salesforce Authenticator.
- Third-Party Authenticator Apps
  - Google Authenticator
  - Microsoft Authenticator
  - The Steps
    - Third-party apps generate temporary codes based on the OATH time-based one-time password (TOTP) algorithm (RFC 6238).
    - To log in using this type of verification method, the user gets a code from a TOTP authenticator app, then enters that code during the Salesforce log-in process.
    - TOTP authenticator apps generate temporary codes on the basis of a secret key (known only to the user and the service, such as Salesforce) and the current time. A code is valid for 30 seconds and then a new one is generated.
    - TOTP authenticator apps can generate codes even if the user’s phone doesn’t have a data or internet connection.
- Security Keys
  - Yubico’s YubiKey
  - Google’s Titan Security Key
  - The Steps
    - Security keys are small physical devices that are easy to use because there’s nothing to install and no codes to enter.
    - This is a great option if users don’t have a mobile device or if cell phones aren’t allowed on the premises.
    - Security keys make MFA logins fast. A user simply:
      1. Connects their key to the computer
      2. Presses the key’s button to verify their identity
    - Security keys require a supported browser to act as an intermediary between the key and Salesforce.
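
To make the TOTP description above concrete, here is an added example (not Salesforce's code or any vendor's implementation) that derives a six-digit, 30-second code per RFC 6238 and checks a submitted code the way a verifying service could. It assumes HMAC-SHA1; the `verify` helper and its `last_used_step` and `drift_steps` parameters are hypothetical and go slightly beyond the page by showing clock-drift tolerance and replay rejection.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # a code is valid for 30 seconds, as stated above
DIGITS = 6         # six-digit codes, as stated above
RFC_SECRET = b"12345678901234567890"  # constructed sample: RFC 6238 test-vector secret


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238: HMAC the number of elapsed time steps, then truncate (RFC 4226)."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects a 4-byte window
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret: bytes, submitted: str, unix_time: int,
           last_used_step: int = -1, drift_steps: int = 1):
    """Return the time step the code matched, or None if it is rejected.

    Accepts codes from +/- drift_steps around the server clock, and refuses any
    step at or before last_used_step so a captured code cannot be replayed.
    """
    current = unix_time // STEP_SECONDS
    for step_no in range(current - drift_steps, current + drift_steps + 1):
        if step_no < 0 or step_no <= last_used_step:
            continue
        expected = totp(secret, step_no * STEP_SECONDS)
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            return step_no
    return None


if __name__ == "__main__":
    code = totp(RFC_SECRET, 59)
    print("code at t=59:", code)
    step = verify(RFC_SECRET, code, 75)  # user's clock is one step behind
    print("accepted for step:", step)
    print("replay:", verify(RFC_SECRET, code, 75, last_used_step=step, drift_steps=0))
```

Because both sides compute the code from the shared secret and their own clocks, nothing has to be sent to the phone, which is why these apps work without a data connection.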
We hope these quick tips are useful for you.