What is multi-factor authentication (MFA) and why will it be required for Salesforce?
Multi-factor authentication (MFA) is an authentication method used during a sign-in process that requires a user to present multiple methods of identity verification before accessing a secure system. Authentication is achieved through a combination of things an individual may uniquely know (like usernames or passwords), have (like a mobile phone authentication app or USB key device), or be (like fingerprint or other biometric data). Most secure MFA models will require more than one of these categories, rather than multiple forms within the same category. In short, MFA strengthens your overall security process, ensuring that if one authentication method is compromised, additional method(s) are in place to act as safeguards preventing the exposure of your sensitive data.
Why do I need MFA?
The information security landscape is ever-evolving, and cyber attackers are more commonly gaining access to data centers using phishing attacks, brute force attacks, and the exploitation of other security weaknesses. If you are one of the 63% of users who reuse a favorite password across multiple tenants, MFA helps better secure your data, even if your password is compromised when another system is breached. This extra layer of security provided by MFA will better secure your Salesforce data and help stop data breaches in their tracks.
Let’s say fictional employee Sid Gonzales is a Salesforce user who also accesses a WordPress account to publish his company’s success stories and advocacy messages. Sid, like many users, has reused his password for multiple work-based systems. Now let’s say Sid is the victim of a phishing attack, and the hacker manages to gain access to his WordPress password. Now the attackers can associate the password with Sid’s email account, as well as access other platforms which share that password and do not have secondary authentication set up. This hypothetical situation could have significant consequences if Sid has broad access to his organization’s donor data, which could be stolen, altered, or possibly held for ransom. This awful scenario is a clear case for the adoption and enforcement of MFA.
How can I become compliant?
You can become compliant with the MFA requirement either by enabling and governing MFA directly in your Salesforce org or by requiring single sign-on (SSO) into your organization through an identity provider that requires a username and password, as well as an additional strong verification method like those outlined above. You can even have different user groups satisfy the MFA requirement with different methods if elements of your current technology setup make this more favorable. Instructions for enabling MFA within your Salesforce product(s) can be found here, and general help in determining if you are MFA compliant, including links to help you assess whether your SSO provider meets these requirements, can be found here.
It is important to note that challenges that require one-time passcodes that are delivered by email, phone calls, or text messages (which many users experience today) are not sufficient for compliance, due to known vulnerabilities with these methods. The workflow users experience when signing in with these challenges will be similar in an MFA-compliant environment, but the secondary challenges will be more secure.
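The two rules above (factors must come from more than one category, and email, phone-call or text-message one-time codes do not count) can be turned into a simple policy check. The following is an added example written for this page, not Salesforce code or a real org export; the method names, the factor-category mapping and the list of trusted SSO providers are constructed assumptions.

```python
"""Classify users as meeting or missing an MFA policy like the one described above."""
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Constructed mapping of verification methods to factor categories
# (something you know, something you have, something you are).
CATEGORY = {
    "password": "know",
    "authenticator_app": "have",
    "security_key": "have",
    "sms_otp": "have",
    "email_otp": "have",
    "voice_otp": "have",
    "fingerprint": "are",
}

# Second factors excluded by the requirement: one-time codes delivered
# by text message, email or phone call are not accepted.
DISALLOWED = {"sms_otp", "email_otp", "voice_otp"}

# Constructed list of identity providers known to enforce a strong second factor.
COMPLIANT_IDPS = {"okta-prod"}

@dataclass
class User:
    name: str
    methods: Set[str]                   # methods enabled directly in the org
    sso_provider: Optional[str] = None  # None means the user logs in directly

def check_user(user: User) -> Tuple[bool, str]:
    """Return (compliant, reason) for one user."""
    if user.sso_provider is not None:
        # SSO users satisfy the requirement only if their IdP enforces strong MFA.
        if user.sso_provider in COMPLIANT_IDPS:
            return True, f"SSO via {user.sso_provider} enforces strong MFA"
        return False, f"SSO provider {user.sso_provider} does not enforce strong MFA"
    allowed = user.methods - DISALLOWED
    categories = {CATEGORY[m] for m in allowed if m in CATEGORY}
    if len(categories) >= 2:
        return True, "direct login with factors from " + ", ".join(sorted(categories))
    dropped = user.methods & DISALLOWED
    if dropped:
        return False, "only " + ", ".join(sorted(dropped)) + " as second factor; not accepted"
    if categories:
        return False, "only one factor category: " + ", ".join(sorted(categories))
    return False, "no verification methods configured"

def report(users):
    """Map each user's name to its (compliant, reason) result."""
    return {u.name: check_user(u) for u in users}
```

Two authenticator-type methods (app plus security key) are flagged as a single category, which is the case the definition above warns about.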
How do I prepare for MFA?
Though the enablement of MFA will be simple for many organizations, the rollout plan should be thought out with care so that users are prepared for the change and can seamlessly log in on day one of the new authentication processes. After all, what could be more harmful to adoption than users being unable to or unaware of how to sign in to the platform?
Key questions to help you plan for a smooth rollout include:
- Should we roll MFA out to a subset of users first or organization-wide?
- How long will testing occur on the new MFA process for sign-in and who will test it?
- Are all users trained on the application(s) or hardware we will be using for MFA? Do different user groups need different training plans, documentation, or support?
- Should all users be authenticating using the same SSO or MFA methods, or might some user groups require alternative options?
You can also review the MFA Requirement Check on Salesforce Trust.
When do I need to take action?
The new MFA requirement for internal Salesforce users goes into effect on February 1, 2022, and any organizations that do not satisfy the requirement will be out of compliance with their contractual obligations. If you haven’t planned for MFA yet, you will want to do so immediately—for the sake of your organization, your users, and your constituents. For details on when MFA will be automatically enabled and enforced across different Salesforce products, see the MFA Enforcement Roadmap.