How to Implement Salesforce Multi-Factor Authentication using the Salesforce Authenticator
In the modern world, malicious online activity and user credential theft are growing more widespread. Thus, safeguarding your users’ access and details is a major priority in order to secure both your company and customer data.
MFA (Multi-Factor Authentication) is a stronger authentication approach that blocks unwanted access to your data even if your credentials (username and password) have been compromised.
Salesforce will require all customers to use MFA to access Salesforce products from February 1, 2022 onwards.
How does MFA work?
MFA can prevent some of the most common types of attacks.
Using usernames and passwords alone does not provide sufficient protection, because it’s easy for bad actors to exploit weak or reused passwords.
MFA ties user access to multiple, different types of authentication factors, making it much harder for common threats like phishing attacks or credential stuffing to succeed — which ultimately makes your Salesforce environment safer from unauthorized access by bad actors.
For example, even if a user’s password is stolen, the odds are very low that an attacker will also be able to guess or hack the code from a user’s authentication app.
As security threats grow increasingly common, protecting account access is more and more important. As a result, Salesforce is doubling down to help customers adapt to a new reality, and to do it while maintaining secure control over their systems and data.
Enabling MFA for Salesforce
When MFA is enabled for Salesforce products, users must employ a strong verification method as their second factor for logging in. Strong verification methods initiate a secure exchange with Salesforce and can only be completed by the user who possesses the method.
Salesforce offers simple, innovative MFA solutions that provide a balance between strong security and user convenience. Depending on the Salesforce product, these strong verification methods are available:
- Salesforce Authenticator mobile app
  - Available for all Salesforce products
- Third-party time-based one-time password (TOTP) authenticator apps such as Google Authenticator, Microsoft Authenticator, or Authy
  - Available for all Salesforce products
- WebAuthn or U2F physical security keys (using USB, Lightning, or NFC), such as a YubiKey or Google’s Titan Security Key
  - Available for all Salesforce products, with the exception of Tableau Online
- Built-in authenticators: biometric systems, such as Touch ID, Face ID, and Windows Hello, which verify a user’s identity using a device’s fingerprint, iris, or facial recognition scanners. Some systems also allow the use of a PIN or password identifier.
  - Available for Heroku, Marketing Cloud-Datorama, MuleSoft Anypoint Platform — and as of the Winter ‘22 release, for products built on the Salesforce Platform (as a Beta service)
For products built on the Salesforce Platform, WebAuthn-compatible security keys and keys that use the NFC form factor aren’t supported.
WebAuthn-compatible security keys also aren’t supported in non-Chromium versions of the Edge browser.
Salesforce doesn’t allow email, SMS text messages, phone calls, or security questions as verification methods for MFA because email credentials can be compromised, and text messages and phone calls can be intercepted.
It’s a lot harder for bad actors to get control of an actual mobile device or physical security key than it is to infiltrate an email account or hack a cell phone number.
What will users experience?
After MFA is enabled, in order to log in, affected users must register at least one verification method to connect it to their Salesforce account.
If you’re supporting an authenticator app like Salesforce Authenticator, users must download and install the app. If you opt to deploy security keys, you need to purchase and distribute keys to your users.
The registration process is automatically initiated the first time a user tries to log in after they’ve been enabled for MFA. The process walks the user through connecting their verification method to their Salesforce account.
Each time an MFA-enabled user logs in, they’re prompted to provide their verification method after they enter their username and password.
The Salesforce Authenticator mobile app is a strong verification method that users can easily install and connect to their Salesforce accounts. The app is free and simple to use, minimizing the impact of MFA on the user experience.
Salesforce Authenticator makes the extra authentication step required by MFA easy because it automatically integrates into your current Salesforce login process. After a user enters their username and password, the app sends a notification to their mobile device.
The user taps the notification to open Salesforce Authenticator, verifies the login request is coming from them, and then they’re logged in.
Salesforce Authenticator allows users to automate the extra MFA authentication step when working from a trusted location.
Salesforce highly recommends that users set up a PIN or biometric requirement on their mobile device to ensure that unauthorized parties aren’t able to access Salesforce Authenticator.
Salesforce Authenticator is available for all Salesforce products that have MFA functionality.
Salesforce Authenticator: Set-Up Guide
To register Salesforce Authenticator the first time you log in after MFA is turned on, follow these onscreen instructions:
1. Install Salesforce Authenticator on your mobile device. It’s available from the Apple App Store or Google Play.
2. On your computer, log in to your account. You may be prompted to verify your identity with a one-time passcode via email or text message. The screen to register Salesforce Authenticator displays automatically.
3. On your mobile device, open Salesforce Authenticator and tap Add an Account. The app displays a two-word phrase.
4. On your computer, enter the phrase in the Two-Word Phrase field, then click Connect. Salesforce Authenticator is now connected to your Salesforce account, and you’re prompted to confirm the connection details in the app.
5. In Salesforce Authenticator, verify that the connection details are correct, then tap Connect.
And that’s it! You’ve successfully connected Salesforce Authenticator to your account, and a success message (green tick icon) should display on your screen as you finish logging in.
If you want to speak to us about Multi-Factor Authentication or would like some assistance with your MFA rollout, we are more than happy to help you.
Please reach out to us directly at email@example.com if you have any queries, and we’ll respond to you as soon as we can.