Salesforce MFA: The Multi-Factor Impact on Your Org

08/27/2021 by Blake Mahaffey
Have no fear, multi-factor is here — and so is this guide on how to handle this potentially difficult Salesforce security upgrade.

On February 1, 2022, Salesforce will require all customers to enable Multi-Factor Authentication (MFA) to access Salesforce products. MFA is a security technology that requires users who log into systems to provide two or more pieces of evidence to prove that they are who they claim to be. Customers who do not enable MFA will be in violation of their contracts with Salesforce.

These pieces of evidence (called factors) can be several different things – like passwords, physical security keys, possession of a mobile device, biometric data, and location. The user must provide at least two of them to securely log in to a system.

Wait, my business already uses Two-Factor Authentication for Salesforce and other tools! What’s the difference?

They are similar, but MFA is the next iteration of security in IT. Where Two-Factor Authentication (2FA) requires exactly two methods of authentication (typically a password to log in and a verification code sent to an inbox or via SMS), MFA requires two or more factors.

The biggest change that will impact organizations using Salesforce is that on February 1, 2022, the following verification methods will no longer meet Salesforce MFA requirements:

  •   Email Messages
  •   Text Messages (SMS)
  •   Phone Calls

If you are using 2FA you are likely using one of these methods. The most popular is e-mail. If your organization is using SMS or phone calls, you will probably have an easier time adapting to MFA. I’ll cover why later in this post.

These verification methods have become less secure and prone to cyberattacks over the years, and now they are being sunsetted to make way for more secure methods. For many businesses, the most common way to login to Salesforce will now be through the free Salesforce Authenticator App.

The app, which is compatible with iOS and Android devices, generates Time-Based One-Time Passcodes (TOTP) to accompany traditional passwords. You may be familiar with the concept already, as TOTP apps have been on the market for years. For instance, if you are a gamer you may have used Blizzard’s authenticator app. If you like cryptocurrency you may have used Authy or Google Authenticator to log in to an online exchange. They all serve the same purpose: extra security by relying on TOTP codes, derived from a secret shared between the device and the service, to secure user logins.

Typically, across these types of apps, TOTP passcodes are generated once every thirty to sixty seconds and are entered after a user’s normal password, or the login is approved with a tap on the mobile device. This meets the requirements for three factors of authentication:

  1. User must know their password
  2. User must have physical possession of their phone
  3. User must be able to unlock the phone

With Lightning Login correctly set up, users can even swap step 1 — user must know their password — for biometric data by using their fingerprint instead. The future is here, indeed! If you are already basing your 2FA on SMS and phone calls, it’s likely a little simpler to set up MFA, as those codes typically already arrive on mobile devices, but not always for our Voice over Internet Protocol (VoIP) friends.

Ok, is there anything else I can do other than installing an app on a phone?

Definitely. Many different software vendors offer services that can verify TOTP codes in a browser extension or desktop app. Double-check with your vendor and Salesforce Account Representative to ensure that the option will work for your business before proceeding. Most vendors offer at least a 14-day trial for testing, and I recommend you take full advantage of it. (Seriously, test it with every department in your company because it will be a big change.)

You can also implement Single Sign-On (SSO). Ever logged into a website through Google or Facebook? That’s an example of SSO. You just need to make sure that whoever implements your SSO confirms the SSO provider’s MFA standards are aligned with Salesforce’s. If you are looking at this option, you may already have an IT department or consultant capable of implementation. If you don’t have the resources to implement SSO, then mobile authenticators or a third-party software vendor that can verify those TOTPs in a browser may be a better option.

MFA: The Tough Impact on Your Small-Medium Business or Organization

Here’s where the rubber meets the road. Security is important, and businesses across the world have made huge efforts to lock down their data over the past decade. It should be noted that most organizations who have made measurable strides in this area also tend to have the budget and resources to do so. That said, it doesn’t matter if you have ten licenses or a thousand – MFA is the new Salesforce standard.

Here are the specific challenges businesses face with implementation of Salesforce MFA:

  •   Although this blog is focused on Small and Midsize Businesses (SMBs) and comparably sized organizations, it’s not uncommon to see businesses of all sizes sharing licenses. With 2FA, individuals often share inboxes to get validation codes for other users (for instance, when someone goes on vacation). This is a little tougher with an authentication app.
  •   Hardware provisioning complications. If your company does not provide its staff with phones, how can you install the Salesforce Authenticator or any other TOTP-based app?
  •   Those who don’t want to use phone-based authentication but also don’t have anyone on hand who can implement MFA-compliant SSO or vet a vendor who can pass TOTP through a browser or desktop app may find this tough as well.

The Solution: Set and Invest Your Own Security Roadmap

Before I wrap up, I have an anecdote: At one point in my career, I was asked to store sensitive information in a database that I had oversight on, but I was intimidated by the level of Personally Identifiable Information (PII) the new data contained.

That said, storing this information was of deep importance to the organizational work I was doing as it was for an urgently needed medical outreach program in a region the organization serviced.

I spoke to a peer who had been through a situation similar to mine, and they shared good advice: “Sounds like this is a good time to get your IT security in order, and it sounds like you should have done it earlier. Do it now.”

The answer to every problem above is this: you need to allocate additional resources to get the right solution for your business implemented.

Sometimes, the events that we didn’t expect or are hesitant to take on are the motivation that makes us change and grow to be stronger as organizations, as friends, and as people. I know — a little cheesy — but I do believe that Salesforce moving all organizations to MFA presents a better time than ever to look at your IT security holistically.

Breaking down your roadmap, ask yourself two big questions:

1) What authentication factors do you plan to use?

2) What tools allow me to deploy those authentication factors for my company?

Ex: Should we use a mobile authenticator app, should we implement SSO, or maybe even physical security keys?

(My answer is yes on physical security keys because who doesn’t want to feel like a secret agent?)

If you can answer #1 and #2 for Salesforce, and realistically for every security-based system in your company, you will be streets ahead of your peers. And, most importantly — your customers and clients will have good reason to trust you with their data.

If you haven’t made this change yet and would benefit from some assistance, reach out to us at Arkus. Those who don’t already have a point of contact on a project can be in touch through our contact us form.

What questions do you still have about MFA and Salesforce security? Let me know in the Salesforce Trailblazer Community.