As you might already know, on February 1st, 2022, the Salesforce MFA requirement went into effect. At this point in the timeline, Salesforce users are contractually required to start using MFA, or multi-factor authentication, to sign into their orgs. Orgs that have not already enabled MFA would have this setting automatically turned on at this point, although admins can disable it again if they are not ready. However, this option will eventually be removed.
As an end-user, you may be wondering – what is multi-factor authentication? Why is Salesforce requiring it? And what’s the point of making it more difficult to just log into my org? Let’s look at the answers to those questions – and how this all plays into maintaining good data security in the long run.
What is Multi-Factor Authentication?
Multi-factor authentication is a multiple-step login process. After logging in with your regular credentials, you’ll be asked to perform one additional step to verify that you’re truly the user meant to be signing in.
You may have encountered MFA outside of Salesforce before. Have you ever tried logging into a website or application, and had a code texted or emailed to you to verify with? That’s multi-factor authentication. There are many ways for an outsider to acquire your credentials – but they likely won’t have access to your e-mail or phone. This extra step prevents any bad actors from having access to your data – and in this case, you’ll know that someone tried to get in in the first place.
Text and email aren’t the only ways that MFA can be used. Many applications require you to have a separate application on your phone to log into and generate a code. With your permission, other applications can also use the camera to scan your face to verify that it’s you (think Face ID on iPhones). There’s even hardware-based authentication options, such as inserting a special card into your computer before being able to login. There are many secondary authentication methods that are already out there – and depending on what applications, devices, and websites you’re using, they can all look a little different.
Why is Salesforce MFA Required?
Data breaches are occurring more and more frequently – and the damages incurred from these breaches are incredibly costly. Perhaps you’ve already received letters from businesses you use letting you know that your information may have been exposed to hackers.
You may be wondering how hackers are so good at knowing a system well enough to break into it – but in reality, much of the time it’s because it’s easy to get access to someone’s credentials. Maybe you left your new password on a post-it note. Maybe someone found the answers to your security questions by scrolling through your social media and reset your password. Hackers gain so much information through social engineering, which makes many data breaches possible – and makes it more important now than ever to lock down data.
With the constant threat of security breaches, MFA is a solution that reduces the odds of many of these threats. In their FAQ, Salesforce states that usernames and passwords on their own are no longer enough to protect from cyberattacks, citing a study from Interpol that cyberattacks have been on the rise in the past few years. MFA is one of the more simple solutions that are effective in keeping organizations secure.
What does MFA look like in Salesforce?
Salesforce itself provides several options for setting up MFA. If you’re already using a third-party application such as Okta, Salesforce highly recommends sticking with these solutions to keep the implementation process simple. Otherwise, Salesforce has several options for fulfilling the MFA requirement.
One of the simplest implementation methods is by using the Salesforce Authenticator App. This app will require users to sign in to the app when signing in to verify that they are attempting to sign in. If you’d prefer users to use a third-party app to sign in, such as Microsoft’s Authenticator app,
Another valid method of MFA for Salesforce is by using a security key, which is a small physical device that can be easily inserted into your device without any installation process.
Finally, in-device authenticators can use used as an MFA method. These include methods like fingerprint verification or scanning your face to enter.
In conclusion, there are several ways the MFA requirement can be fulfilled, each with its own benefits and caveats such as user experience and for some, costs. If they haven’t already, your administrator will select an authentication method that best suits your org’s needs.
Summing Things Up
MFA in Salesforce, while it might seem to be an annoying extra step for users, actually does quite a bit of work to prevent bad actors from accessing your data. Security breaches can be costly in many ways, and by having MFA enabled in your org, you’ll be saving it quite a bit in the long run. As technology becomes more and more complex, so will the steps that we take to keep our data secure – making it easier to innovate and build solutions for others.
I hope this introduction to Salesforce MFA requirements was useful. And if you have any questions, feel free to reach out!
Julie Anna Contino
Jr. Developer
Julie Anna is a junior developer with a passion for learning and problem-solving. She graduated with a Bachelor's degree in Computer Science and has four years of development experience. She's excited to be a part of the Salesforce ecosystem and combine her previous experience with her passion for helping clients thrive.
About Roycon
We’re an Austin-based Salesforce Consulting Partner, with a passion and belief that the Salesforce platform’s capabilities can help businesses run more efficiently and effectively. Whether you are just getting started with Salesforce or looking to realize its full potential, Roycon specializes in Salesforce Implementations, Salesforce Ongoing Support, and Salesforce Integrations, and Development. We’re the certified partner to guide the way to increase Salesforce Adoption, make strategic decisions, and build your Salesforce Roadmap for success.