Yesterday Salesforce began requiring customers to enable Multi-Factor Authentication (MFA) to use Salesforce products and partner applications, including FinancialForce.
Take a deep breath if you haven’t implemented MFA yet – you won’t be barred from your Salesforce account.
You still have time to enable MFA if your users aren’t ready, but Salesforce will begin enforcing this requirement by automatically enabling the feature, which makes it easy for Salesforce administrators to turn it on for users.
You’re not alone if you’re overwhelmed and inundated with information about this additional level of security for your solutions. On our blog today, we’re answering some questions we’re commonly asked about Salesforce’s MFA requirement and what you can expect in the coming months.
What is MFA?
MFA stands for “multi-factor authentication.” Salesforce explains it best:
MFA is an effective way to increase protection for user accounts against common threats like phishing attacks, credential stuffing, and account takeovers. It adds another layer of security to your login process by requiring users to enter two or more pieces of evidence — or factors — to prove they’re who they say they are. One factor is something the user knows, such as their username and password combination. Other factors are verification methods that the user has in their possession, such as an authenticator app or security key.
Salesforce prioritizes trust and takes security seriously. Businesses face a growing number of threats to their data for several reasons, including the globalization of information and increase in remote work. Requiring two or more factors from users improves login security and safeguards against attacks that can compromise the data of your business and customers.
If the concept of MFA is unclear to you, Salesforce’s comparison to your debit card is helpful: “A familiar example of MFA at work is the two factors needed to withdraw money from an ATM. Your ATM card is something that you have and your PIN is something you know.”
When users are required to log in with two pieces of evidence instead of one, the chances of an attacker being able to guess or hack both of them are dramatically lower.
What’s Next?
According to Salesforce, “internal users who log in to Salesforce products (including partner solutions) through the user interface must use MFA” as of yesterday, February 1. This means that Salesforce is contractually requiring your company to implement MFA for all its users. You can enable MFA directly in your Salesforce products, and the functionality is available at no cost to you.
If you haven’t enabled MFA, you have some time, but Salesforce will begin automatically enabling MFA for users who log in to Salesforce products. (You will receive a minimum of 6 months’ notice via email before MFA is enforced in your Salesforce products.) Salesforce has a good plan in place for implementing MFA here. If you need assistance with MFA rollouts, our mentors are here to help too!
Salesforce is also very transparent about the planned dates for the enforced MFA rollout, when MFA will be a mandatory requirement for all users. The MFA Enforcement Roadmap here is Salesforce’s public page detailing this process; it provides auto-enablement and enforcement dates for each product so you can plan ahead if you haven’t already.
What Verification Methods Are Available?
Maybe you understand the comparison between MFA and your debit card, but you’re wondering what the extra authentication step will be for Salesforce users.
Salesforce has created the Salesforce Authenticator App, a free mobile app that makes logging in with MFA quick and easy. They’re encouraging users to download this app for additional verification. To learn more, you can watch a short video about the app here.
But you can also use a third-party authenticator app, security key, or built-in authenticator.
Salesforce has provided a great guide here for admins if you want to learn more about these verification methods and weigh the pros and cons of each. The guide also details instructions about how to implement MFA and roll it out to your Salesforce users.
It’s okay if you still need to implement MFA for some or all of your Salesforce products and partner applications. To recap, here are some helpful resources we’ve linked throughout the article and others we didn’t:
- Salesforce Multi-Factor Authentication FAQ
- Multi-Factor Authentication Quick Guide for Admins
- How to Use Salesforce Authenticator for MFA Logins (video)
- MFA Enforcement Roadmap
- MFA Requirement: What’s Top of Mind for Salesforce Trailblazers
- How to Roll Out Multi-Factor Authentication
- MFA – Getting Started (Trailhead Group)
We hope this information and the resources provided clarify any confusion about adding MFA to your Salesforce products. If you have any questions, please ask them by commenting below, and one of our mentors will respond!
Our team is always here to help you get the most out of your solutions and ensure they’re secure. Schedule a call today to learn more about how to maximize Salesforce, FinancialForce, and other supporting applications in your business.