What is Multifactor Authentication for Salesforce?
As of February 2022, Salesforce has redoubled its efforts to get users to commit to MFA. What does it mean?
Businesses are having to contend with an ever-increasing number of cyberattacks that threaten their data. Given that an estimated 90% of security breaches occur as a result of phishing or similar human error, relying on passwords alone isn’t enough. Not even strong passwords guarantee protection from unwanted intruders. That’s why, as of February 2022, Salesforce has redoubled its efforts to get users to commit to multi-factor authentication.
What is MFA?
Multi-factor authentication simply adds a step to the log-in process to ensure that whoever is trying to log in is a legitimate user. Rather than relying solely on a password that can be compromised, MFA requires the user to possess a separate security key or authentication app to go with the password. It is very unlikely that a potential intruder would have access to both. Someone illicitly gaining access to both factors would be indicative of endemic problems in an organisation’s data security policy as opposed to anything else.
What Kind of MFA does Salesforce Allow?
While the switch to MFA might seem like a lot of hassle and possibly prohibitive, especially for smaller companies, Salesforce allows for several different MFA solutions to make the transition as painless as possible without compromising security.
- Salesforce Authenticator App: This makes verification incredibly easy as it integrates directly with Salesforce itself. Users simply receive a push notification on their mobile phone as part of the log-in process, meaning that the extra security isn’t at the expense of usability.
- Security Keys: These usually look a little bit like a USB drive. They’re simple to use and don’t require any additional software or a mobile phone. All users have to do is insert the key as they log in. As Salesforce allows for a variety of different device formats, including USB, Lightning and NFC keys, companies don’t need to worry about finding an option that works for them.
- Built-in Authenticators: Several mobile devices and operating systems can handle authentication natively, including FaceID and Windows Hello.
- Third-Party Authenticator Apps: These apps generate temporary codes that are regularly refreshed automatically using the OATH time-based one-time password algorithm. Like the Salesforce Authenticator app, all the user needs to log in is a mobile device with internet access.
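The following is an added example, not part of the original article and not Salesforce's code: it shows how an OATH time-based one-time password is derived and checked as specified in RFC 6238, including a clock-drift window and rejection of an already used code. The function names, the one-step window and the use of the RFC's published test key are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

# Test key published in RFC 6238 Appendix B (sample input, never a real secret).
RFC_TEST_SECRET = b"12345678901234567890"


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """Derive the TOTP code (HMAC-SHA1) for Unix time `at`."""
    counter = struct.pack(">Q", at // step)           # 8-byte big-endian time step
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                           # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret: bytes, submitted: str, at: int, last_used_step: int = -1,
           window: int = 1, step: int = 30, digits: int = 6):
    """Return the time step the code matched, or None if it is rejected.

    Codes from `window` steps either side of the current one are accepted to
    tolerate clock drift. Steps at or before `last_used_step` are skipped so
    a code that was already accepted cannot be replayed.
    """
    current = at // step
    matched = None
    for candidate in range(current - window, current + window + 1):
        if candidate <= last_used_step:
            continue
        expected = totp(secret, candidate * step, step, digits)
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            matched = candidate
    return matched


if __name__ == "__main__":
    code = totp(RFC_TEST_SECRET, 59)
    print("code at t=59:", code)
    print("accepted at t=59:", verify(RFC_TEST_SECRET, code, 59))
    print("one step late (t=89):", verify(RFC_TEST_SECRET, code, 89))
    print("three steps late (t=149):", verify(RFC_TEST_SECRET, code, 149))
    print("replayed:", verify(RFC_TEST_SECRET, code, 59, last_used_step=1))
```

A verifier that stores the returned step as `last_used_step` for the account makes each code single-use even inside its validity window.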
If I’m a Salesforce admin, what do I need to do to enable MFA?
Enabling MFA is very easy and can be done in a matter of minutes.
- Firstly, you’ll need to make sure that you’re logged in as an admin.
- Secondly, go to the Setup menu, go to Profiles and select a profile.
- Find System Permissions.
- Then, look for the permission set. Once you’ve found it, look for Multi-Factor Authentication. If the box is already selected, don’t do anything; MFA is already active.
- If the box is not selected, select it to turn MFA on.
- Depending on whether you’re aiming for a mass or phased rollout, check your other profiles and activate MFA for those as well.
What will happen if I don’t properly prepare for MFA?
As an admin, if you fail to communicate clearly with your users before you enable Salesforce MFA, you’re probably going to upset a lot of people. You can almost certainly expect a surge in tickets asking why they can’t log in, and then to spend an entire day walking people through the log-in process. So, for everyone’s sake, give people time to prepare for the change and make sure the new process is made abundantly clear beforehand.
Alternatively, what if you believe your system to be secure enough already and don’t want to waste time enabling MFA? Well, in this case, you may want to rethink your position. Salesforce is updating their End User agreement and won’t be held liable for breaches that occur with MFA not enabled.
Multi-factor authentication is vital, and there’s no reason why you shouldn’t embrace it. You can’t say that you’re truly committed to cyber security if you refuse to take this relatively easy step to ensure that your company’s data is made vastly safer.
With more people working outside the office than ever before, companies need an extra layer of protection. Without MFA, a lost device becomes a possible gaping hole in your security.
When even a fairly minor data breach can result in fines, lawsuits and damage to a company’s reputation, why even take the risk?
If you haven’t done it already, your first step after closing this article should be to prepare your team for MFA.