Editor’s note: This post was updated in February 2023 with the latest information and resources.
The rise in credential-based attacks, in particular phishing and ransomware, driven by employees accessing corporate systems from any device or location has forced many companies to prioritize login security. That includes Salesforce, which, as of February 1, 2022, requires all of its customers to use multi-factor authentication (MFA) to access its products.
To help customers make the transition to Salesforce multi-factor authentication a little easier, we held a webinar on the MFA requirement, including tips for implementation and adoption. Here are the top questions from that session, along with our answers.
What is MFA, and why is it so important?
MFA is an authentication method that requires users to prove their identity by supplying two or more pieces of evidence (or “factors”) when they log in. One factor is something the user knows, such as a password. The other factors are something the user has in their possession, such as an authenticator app or a security key.
This is different from knowledge-based authentication, or KBA, which confirms identity by asking questions like “what’s your mother-in-law’s maiden name?” While this is an extra step, the answers are static information that someone could look up on social media or buy from a data breach.
Because MFA requires dynamic data (a time-based one-time password, a security key, etc.), it’s a much more effective tool for enhancing login security and safeguarding your business and data against security threats.
What’s the difference between authentication and authorization?
While authentication and authorization are both integral to security, there is an important distinction between the two. Authentication is proving you are who you say you are, which is done through identity verification. Once you have proven who you are, authorization determines what rights, access, and entitlements you have to specific data and functionality. Within Salesforce, authentication is done with your username, password, and MFA verification method, while authorization is set by things like your profile, permission sets, and sharing settings.
Authentication matters so much because even a well-designed authorization model offers no protection once a bad actor has taken over your identity: they inherit every permission your account was authorized for, which means unauthorized access to important data.
What MFA methods are available?
The four main methods are SMS text codes, authenticator apps (which generate time-based one-time passwords), security keys, and built-in authenticators such as Windows Hello or Touch ID. Of the four, SMS is the most frequently used additional factor because almost everybody has a phone and it is relatively easy to manage. However, it is also the least secure. Attackers can trick a telecom company into transferring a phone number to the attacker’s SIM card (a “SIM swap”), so the security codes are delivered to them instead of you. In addition, text messages are often mirrored to several devices, such as your phone, tablet, and computer, so if any of those devices is not in your hands, someone else may be reading your codes.
In the webinar, we provide a more detailed overview of the methods and provide examples of each.
If I already have an authentication method in place, am I fulfilling Salesforce’s requirement?
If you’re using a security key, an authenticator app, or have MFA enabled as part of a third-party single sign-on (SSO) solution, you comply with the requirement. Salesforce accepts any authenticator app that generates time-based one-time passwords (TOTP), so you do not have to use the Salesforce Authenticator app, as well as security keys and built-in authenticators based on the FIDO U2F and FIDO2/WebAuthn standards. So an authenticator app from Microsoft or Google, for example, fulfills the requirement for Salesforce.
If you’re relying on SMS, note that text-message codes (like email codes) are not accepted as a verification method for Salesforce’s MFA requirement, and they are weaker in any case. Plan to transition to an authenticator app or a security key so that your second factor is as strong as it can be.
How do I actually implement MFA in Salesforce?
Once you have an MFA solution in place (authenticator app, security key, or SSO with MFA), it’s recommended that you take a phased approach. Migrating all of your users to MFA at once would be an admin’s worst nightmare, simply from a support perspective.
To help inform your phased approach, you need to first take an inventory of your users. Your pilot users should be people who are quick to adopt change. Then, define your cohorts as you roll more people out. This could be based on region, department, or several other factors. In the webinar, we share how Own Secure can help with this step.
Change management is also an important step in the implementation process. Any time you make a change that affects every single user, you need to provide support, whether that’s a dedicated Slack channel or an open Zoom call that people can join and leave whenever they have questions.
And finally, you want to monitor how users are switching over to MFA, so you can see which cohorts are lagging and follow up. This is another area where Own Secure can help.
What happens if I don’t enable MFA?
If your products don’t meet the MFA requirement, whether because MFA hasn’t been implemented in your SSO solution or because the Salesforce MFA functionality has been disabled, you are not in compliance with your contractual obligations under the Master Subscription Agreement (MSA), which incorporates the MFA terms outlined in the Notices and Licenses Information section of the Salesforce Trust and Compliance Documentation. By not using MFA when accessing Salesforce products, you accept the associated risks.
Is MFA required for Sandboxes?
Currently, Salesforce sandboxes are exempt from the MFA requirement. But for B2C Commerce and Marketing Cloud Intelligence, MFA is required for sandbox environments. Marketing Cloud Engagement and Tableau Cloud do not have formal sandbox environments, so MFA is required.
Is MFA required for Salesforce Desktop and Mobile Apps?
Yes, the MFA requirement applies to all Salesforce, custom, AppExchange, and partner mobile and desktop apps that are accessed through user interface logins.
Fortify your data security with Own
While the MFA requirement is a significant step in enhancing the security of your Salesforce environment, it’s just one piece of the puzzle. Because the data within Salesforce is constantly changing, it will continue to put stress on your security posture. In addition, threats such as misconfigured security and user access controls, leaked user credentials, and accidental or malicious deletion of data persist regardless of how users log in.
Own Secure strengthens your organization’s security posture by identifying data exposure risks and proactively automating the remediation steps that secure your data, all within a managed package built natively on the Salesforce platform.
In addition to helping make your MFA implementation easier, Secure can help you:
- Identify data exposure risks: Strengthen security posture by understanding data exposure risks through six security lenses
- Classify sensitive information with ease: Isolate exactly where sensitive information exists in Salesforce and easily apply classification categories to prioritize remediation – without leaving Salesforce.
- Accelerate Salesforce Shield effectiveness: Proactively automate remediation of data vulnerabilities and encryption blindspots with detailed action plans and real time notifications.
- Prove compliance with industry regulations: Deliver real time evidence-based reports and audits to satisfy internal policies and external regulations in highly regulated industries.
Want a better idea of your organization’s Salesforce security posture? Request a free Guided Risk Assessment for Salesforce today, or schedule a demo below.
Need additional Salesforce help? Review our Salesforce product suite including data protection, business continuity solutions, data archiving, and comprehensive backup & data recovery tools.