Carl Peter Schwartz

Salesforce Multi-Factor Authentication

Flashback to March 15, 2021

In early 2021, Salesforce announced that beginning February 1, 2022, customers will be required to enable Multi-Factor Authentication in order to access Salesforce products.

Salesforce encouraged customers to start planning immediately for this requirement.

What is Multi-Factor Authentication?

Salesforce Multi-Factor Authentication adds an extra layer of protection by requiring two or more methods of identity verification each time a user logs into Salesforce.

The first verification method is something the user knows: username and password. The second method can be something the user has in their possession, such as the Salesforce Authenticator mobile app or a physical key.

How does Multi-Factor Authentication work?

If a user's password is somehow stolen or compromised, it is very unlikely that an attacker will also have the additional verification method (Authenticator mobile app or physical security key) in their possession. This prevents the attacker from gaining unauthorized access.

How can I enable Multi-Factor Authentication?

The actual steps to enable Salesforce Multi-Factor Authentication are quite simple, but it is smart to plan ahead before flipping any switches.

Identify a small group of users for initial testing and feedback. Better to work out a few bumps in the road during testing than face a tidal wave at roll-out.
Analyze the impact of MFA on test users and their daily workflow. This can help when creating a communication plan to prepare and guide users during the transition to MFA.
When everything looks good, stakeholders are informed, and users are well prepared, then enable MFA by applying the appropriate permission set to your target users.

Now that we have a plan in place, let's go hands-on step by step on how to implement Multi-Factor Authentication for a more secure Salesforce org.

For more information, check out the resources and slides below.

Let's get started with Salesforce MFA. In Salesforce Setup, type "Session Settings" in the Quick Find box. When setting up MFA for admin users, it is important to make sure that Multi-Factor Authentication is in the High Assurance category.
Enabling MFA for users is as simple as creating a permission set with the "Multi-Factor Authentication for User Interface Logins" user permission included, and then assigning it to your selected users. Click New to create a new permission set.
For this example, let's name the permission set "Multi-Factor Authentication for User Interface Logins". The API Name will update automatically. Click Save.
Click System Permissions to find the "Multi-Factor Authentication for User Interface Logins" permission.
Select the checkbox next to Multi-Factor Authentication for User Interface Logins and then click Save. Click Save again to confirm the changes.
Now that we have the permission set, we need to assign it to the user. Click Manage Assignments.
Currently there are no users assigned to our MFA permission set. Click Add Assignments.
Here we can assign specific users to our MFA permission set. For this example, 1) click the checkbox next to the user named Martha Factor and then 2) click Assign to assign the user to the permission set.
Success! Martha Factor now has MFA enabled in her Salesforce account. How can she use MFA? She has chosen to download the Authenticator mobile app and connect it to her Salesforce account.
Already logged in to her Salesforce account on her desktop, Martha opens the Authenticator app on her mobile device and is greeted with Let's Get Started. Click Add an Account.
The Authenticator mobile app will display a unique (and often amusing) two-word phrase. You will need to enter these two words in the next step.
Enter the two words into the Two-Word Phrase field that displays in the desktop Salesforce interface. Then click Connect.
The Authenticator mobile app will display a brief notification with details about the account. Everything looks good so far, so let's click Connect.
Great! Martha is now logged into Salesforce and the Authenticator mobile app is successfully connected with her account for future verifications.
When logging in using MFA, Salesforce keeps track of the username, service, device, and location. If someone else attempts to log into your account without your approval, you can deny the request in the Authenticator mobile app.
Now, logging in to Salesforce using MFA and the Authenticator app is quick and easy. All the user needs to do is click Approve in the notification on their mobile device. Voila. Safe and secure with Salesforce MFA!
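
After assigning the permission set to a pilot group, it helps to check which active users are still not covered. The script below is an added example, not part of the original walkthrough: it compares exported query results and lists the gaps per profile. The function name, sample users other than Martha Factor, and all record Ids are constructed for illustration.

```python
from collections import defaultdict

# SOQL to export the two inputs. PermissionsForceTwoFactor is the API field behind
# "Multi-Factor Authentication for User Interface Logins"; profile-granted
# permissions also appear in PermissionSetAssignment.
SOQL_ASSIGNMENTS = (
    "SELECT AssigneeId, PermissionSet.Label FROM PermissionSetAssignment "
    "WHERE PermissionSet.PermissionsForceTwoFactor = true"
)
SOQL_USERS = "SELECT Id, Username, Profile.Name FROM User WHERE IsActive = true"


def mfa_gaps(users, assignments, pilot=()):
    """Return (missing_by_profile, pilot_not_covered) for a rollout check."""
    covered_ids = {row["AssigneeId"] for row in assignments}
    missing_by_profile = defaultdict(list)
    missing, active = set(), set()
    for user in users:
        name = user["Username"].lower()  # compare usernames case-insensitively
        active.add(name)
        if user["Id"] not in covered_ids:
            missing_by_profile[user["Profile"]["Name"]].append(user["Username"])
            missing.add(name)
    # A pilot name that is not an active user (typo, deactivated) is flagged too,
    # so it cannot silently pass the check.
    pilot_not_covered = sorted(
        p for p in pilot if p.lower() in missing or p.lower() not in active
    )
    return dict(missing_by_profile), pilot_not_covered


# Constructed sample rows, nested the way relationship fields come back from a query.
USERS = [
    {"Id": "005000000000001", "Username": "martha.factor@example.com",
     "Profile": {"Name": "Standard User"}},
    {"Id": "005000000000002", "Username": "sam.admin@example.com",
     "Profile": {"Name": "System Administrator"}},
    {"Id": "005000000000003", "Username": "lee.sales@example.com",
     "Profile": {"Name": "Standard User"}},
]
ASSIGNMENTS = [
    {"AssigneeId": "005000000000001",
     "PermissionSet": {"Label": "Multi-Factor Authentication for User Interface Logins"}},
]

if __name__ == "__main__":
    gaps, pilot = mfa_gaps(USERS, ASSIGNMENTS, pilot=["martha.factor@example.com"])
    for profile, names in sorted(gaps.items()):
        print(f"{profile}: {len(names)} user(s) without MFA permission: {names}")
    print("Pilot users not covered:", pilot)
```

Running the same check before each rollout phase shows whether admin profiles, which the Session Settings step singles out, are covered first.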