Signing into Marketing Cloud and the corresponding security continues to evolve to provide even more peace of mind amongst Marketing Cloud end users, the IT department, and CIO/CISOs. In this article, I will break down the numerous options Marketing Cloud Administrators are able to provide their end users to simplify and secure the login process including an overview of the recently required Multi-factor Authentication (MFA) options.
Say Goodbye to Email Verification
In the recent past, the primary method in addition to the standard Username and Password combination to validate a Marketing Cloud user sign-on utilized email verification. This verification would arrive in the end user’s inbox with a code, then the code would be pasted back into Marketing Cloud to complete the login (you know the drill). This was a 2-factor authentication (2FA for the acronym lovers of the world) that did the job but also was not considered as secure as other methods of multi-factor authentication. The email verification does protect a Marketing Cloud user’s account if a bad actor happens to gain access to a Marketing Cloud user’s username and password because it requires that same bad actor to gain access to the corresponding email inbox. And there we have the slight security hole that remains…a bad actor would only need access to that user’s email inbox to complete their sign-in. Although this is unlikely to occur, it is still possible for a bad actor to gain access to each security data point needed to hack into an account.
Enter Multi-factor Authentication
Multi-factor Authentication is a more secure method of authenticating into an application than email 2fa because it takes the email inbox out of the equation and replaces it with a mobile device and an authentication app installed on the mobile device. This is inherently more secure because not only would a bad actor need to obtain your Marketing Cloud username and password, but they’d also need to steal your phone, and authenticate into your phone (you do have some type of password enabled on your phone, right?!) and then use the authenticator app. Since mobile phones typically live on the person and as a best practice should have a password, fingerprint, or facial recognition security enabled to access the phone, MFA makes hacking into your Marketing Cloud much more unlikely to ever occur. This is likely the primary reason Salesforce and Salesforce Marketing Cloud now require MFA for all users. Regardless of the reasons, MFA is here to stay and will be required on all Marketing Cloud users by August 9, 2022.
MFA Options within Marketing Cloud
There are 3 Multi-Factor Authentication options for your users within Marketing Cloud. Any method can be utilized by your users and you do not need to select one specific option for every user (although from an enablement and management perspective, there could be benefits for all users using the same MFA method). The MFA options…
- Salesforce Authenticator App
- Time-based One-Time Password Authenticator (known as TOTP)
- Security Key hardware
Salesforce Authenticator App
Selecting the Salesforce Authenticator app for your MFA authentication method seems like a natural fit given you are using it to log in to Salesforce products. And it is in fact easy to implement and configure. Besides Quip, Heroku, Marketing Cloud, Sales Cloud, and other Salesforce products…the Salesforce Authenticator app can be used for other services besides Salesforce products (like LastPass or Github, for example).
Depending on the specific product you’re attempting to utilize the Salesforce Authenticator app to….authenticate, you will sometimes receive a Push message in the app that asks for your approval to complete the sign-in. Some products will require you to insert the 6-digit code from the Authenticator app back into the product you’re signing into. Both methods are relatively simple to complete and make the signing-in process that much more secure as a result.
Time-Based One-Time Password Authentication (TOTP)
The Time-Based One-Time Password Authentication process is very similar to utilizing the Salesforce Authenticator app. The primary difference for the end user is that the TOTP app (Microsoft Authenticator, Google Authenticator for example) requires taking a 6-digit auto-refreshing number and entering it back into the Marketing Cloud login screen. Not difficult to do, and the secure number is only known by the user of the app (which should be the end-user)!
One slightly more expensive MFA option that utilizes hardware for authentication is a Security Key. There are at least 2 products that can be used for this MFA approach with Marketing Cloud…the Google Titan Security Key and the Yubico YubiKey.
Using this method of authentication would require the purchase of additional hardware, which could be cost-prohibitive. The hardware would then be required to be available to plug into the computer being utilized to access the Marketing Cloud. If the security key is lost or damaged, then the user would need to utilize an authenticator app instead.
Just like the Authenticator apps, the Security Key could be utilized to authenticate for multiple Marketing Cloud accounts as well as other non-Salesforce services.
This method may not be appropriate for all organizations due to cost, however, this is a nice Marketing Cloud MFA feature.
Can I use all 3 methods for each user?
Technically it is possible to enable each of the 3 methods for every user. It is recommended by Salesforce to set up at least 2 MFA methods for every user (with 1 method being the requirement). In a situation where a Security Key is the primary method and that key is lost, the secondary MFA authenticator app method could be utilized. Or in a situation where one authenticator app just isn’t loading, the secondary app
One scenario where more than one MFA method would also be applicable…when multiple administrators need to access the sign-in for an Integration user (one that is utilized to integrate with Sales Cloud, for example). This would then provide more than one user with the ability to sign in as the Integration user. Admin 1 might authenticate with the Salesforce Authenticator app and Admin 2 might utilize the TOTP app.
What if I do not want to implement MFA at all?
As previously mentioned, MFA will be automatically required by Salesforce on August 9, 2022. However, one workaround does allow an organization to essentially bypass the 3 specific MFA methods by utilizing Marketing Cloud’s Single Sign-On feature. When using Single Sign-on for authentication into Marketing Cloud, MFA is not required when your organization’s Single Sign-On process utilizes MFA.
Marketing Cloud SSO requires that you utilize an Identity Provider (such as Okta or Microsoft Azure, or even Salesforce CRM!). If you already utilize an Identity Provider to allow your users to log in to other applications, then you are that much closer to using this same Identity Provider for Marketing Cloud SSO access. There are some specific configuration steps that must be made in your Identity Provider and within your Marketing Cloud account to enable and configure, but the overall process generally is easy to implement.
Where does my organization go from here?
As you can see, there are several methods, strategies, and configurations necessary to set up MFA. Do you need help with MFA or Single Sign On? Cloud for Good helps our clients each week with these exact challenges – we can assist your organization and get your Admins and end users ready to access Marketing Cloud securely!
You May Also Enjoy:
- Blog: Pardot’s Name Has Changed – What Does This Impact?
- Blog: Understanding the New Vision + Vocabulary of Marketing Cloud
- Blog: Crafting Clear Marketing Communication with Pardot Email Preference Centers
- Success Story: Creating an Omnichannel Marketing Experience with Teach For America and Marketing Cloud