MFA aka Multi-Factor Authentication will be a potential big topic next year as Salesforce announced that it will be mandatory from February 2022.
After a few iterations they went from mandatory, enforced and auto-enabled to contractually required, but obviously the higher security requirements are here and we should pay attention. The help article still says they will auto enable it (in September – October 2022) at the same time there was enough communication that they will not do that and customers have to enable themselves. We will see.
Where you can find more info:
- dedicated site;
- FAQ;
- Quick Guide for Admins;
- What’s Top of Mind for Salesforce Trailblazers;
- Trailblazer Community.
And now what it means for people in the organisation?
Management view
Obviously management is the first one to make any decision and communicate it properly inside the organisation. From my point of view they need to decide only on one thing – what is the form of MFA they want to support, as there are multiple of them:
- Single Sign-On (SSO) – if all users have to login through other system (read MS Office or Google Account) and MFA is enforced there, it is good for Salesforce as well. For users it means one password less as during login they will use their Google/Microsoft/any other login details and security should go up as well as you will have one less system where you need to deactivate users immediately after they leave (you still want to deactivate them one day to free the licence);
- physical key such as YubiKey, so you can order them in advance. For users it means one more thing to carry with them but might work for those without clever phones. Or check Amazon what they sell;
- Salesforce Authenticator – application for mobile phones from Salesforce with some extra handy features (such as secure location and auto confirm of login), can be used only with Salesforce;
- any 2FA/MFA application such as Google Authenticator/Microsoft Authenticator/1Password which generates numbers users need to enter during their login;
- Lighning Login – just enter your login name and confirm on mobile phone.
Last step – communication. I feel it is pretty easy for users to enrol themselves, but every user is different and they might need to be prepared.
Admins view
Management decided, you „just“ need to enable it. Go to profile(s), change the „Session Security Level Required at Login“ to High Assurance or check the „Multi-Factor Authentication for User Interface Logins“.
After that you can monitor how it goes.
Users view
Ok, admin enabled something new, you missed all the communication around it and now are stuck at this nice page after you entered your name and password.
Good news – it isn’t as hard as it looks. Just download the Salesforce Authenticator from the App Store/Google Play, install, open and click the „Add Account“ button. It will tell you two words you will enter into the dialog, confirm on both sides and you are good to go.
Don’t want another app?
But maybe you don’t want to install another app for 2FA/MFA. In such case click the small link at the bottom and see the following screen.
Use you existing 2FA app (Google Authenticator/Microsoft Authenticator/1password or other), scan the QR code, enter the number you will get and you are good to go. For 1Password running on computer you need to click the icons in toolbar, choose the right login and on top right click the 3 dots and you can see „Scan QR Code“ choice there.
Shared Users
I know I know. It isn’t contractually allowed and no-one share one user with multiple people, but you might need it. Actually a lot of partners do this because the customer cannot provision user licence for every member of the team on production especially as they normally don’t need it. But with MFA enforced we need to find a way out.
Here are three of them.
Use different method for each user
Every user can choose up to 3 methods how to confirm the login. Just go to specific user or to advanced details in preferences and you will see them.
Meaning one person can use Salesforce Authenticator, second any 2FA app (aka One-Time Password Authenticator), and third the physical key.
Click on the Enroll link next to each choice and let the respective user follow the steps.
Even though it looks like Lightning Login is a separated choice it re-use the Salesforce Authenticator and you cannot use it on different device.
Upside (or downside) of this solution – the user with Salesforce Authenticator will be notified of every login as there is – by default – automatic notification of login request.
Register at the same time
Second method works only for the One-Time Password Authenticator. As they are based on tokens based on time you can screenshot the QR code, distribute among the team and then all of them need to scan it at the same time, double check they can all see the same numbers and one of them will confirm the number in the dialog. For the future the numbers are generated in sync and all people can confirm their access on their own.
Use 1Password
If you use 1Password (mentioned above several times) you can share the password including the code with other people. Problem solved.
Have dedicated person
Ok, this is just a joke. One person can be the owner of MFA and have the one who needs to confirm every request, just call them. Good luck.
Update 4. 1. 2022
- you can check Amazon what U2F keys they sell;
- there is a known issue with Chrome 96+ which will deprecate support for these keys but Salesforce is aware of it.