How to set up Multi-Factor Authentication for Salesforce



Salesforce MFA Requirement

In order to implement stronger security measures, Salesforce has announced a requirement for all customers to enable Multi-Factor Authentication (MFA) by 1st Feb 2022. As per Salesforce, MFA is one of the easiest, most effective tools for enhancing login security and safeguarding your business and data against security threats.
MFA adds another layer of security to your login process by requiring users to enter two or more pieces of evidence, or factors, to prove they are who they say they are. One factor is something the user knows, such as their username and password combination. Additional factors are verification methods that the user has in their possession, such as an authenticator app that generates a One-Time PIN (OTP).

In this blog and the attached video, I will take you through the details of the MFA requirement and the steps to enable MFA for your org using Time-based One-Time Passwords.

Key Points

Beginning February 1, 2022, all Salesforce customers are contractually required to use MFA in order to access Salesforce products.

To help customers meet the requirement, Salesforce will begin automatically enabling MFA for users who log in directly to Salesforce products. Admins will still have the option to disable MFA if their users aren't ready yet. 

After the requirement deadline, Salesforce will gradually start enforcing MFA by making it a permanent part of the direct login process and removing controls for admins to disable it. 

Users who access Salesforce products through SSO won’t be affected by auto-enablement and enforcement actions. But remember that MFA is contractually required for all Salesforce users who authenticate via SSO. This means that if you are using Azure AD to implement SSO, you must enable and enforce MFA at the Azure AD level for user authentication.

Salesforce is working to finalize the auto-enablement and enforcement dates, and these will vary by product. For most products these dates range between May and June 2022.

Verification Methods

Salesforce Authenticator 

A smart and simple mobile app that users can easily connect to their Salesforce accounts. It delivers push notifications to users’ phones for fast access and can automate authentication from trusted locations. It also generates TOTP codes if connectivity isn’t available.

Third-Party Authenticator Apps 

These apps generate unique, temporary verification codes based on the OATH TOTP algorithm. Apps are available for multiple operating systems, and there is a wide variety to choose from. Connectivity is not required.

Security Keys 

Physical devices that use public-key cryptography, with USB or Lightning connectors. Fast and easy to use. The drawbacks are that keys can be lost, left unattended or kept plugged in all the time, and as physical devices they involve logistics.

Built-in authenticators

Verify identity with fingerprint, iris or facial recognition. Some examples are Windows Hello, Touch ID and Face ID.

How to set up MFA for Salesforce

To set up MFA, go to Setup -> type Permission Sets in the Quick Find box -> click ‘New’ to create a Permission Set


Enter values in the Label and Description fields. Leave the license as None. If you want to enable MFA only for a certain license, such as Salesforce, you can set it accordingly. I prefer to apply it to all licenses.



Next, go to System Permissions and click Edit. Scroll down to Multi-Factor Authentication for User Interface Logins, select it, and save the change.



The next step is to assign the permission set to users. Click Manage Assignments, then Add Assignments. Select the users for whom MFA is to be enabled and click Assign.


User Experience Changes

The login process for the user will change after MFA is enabled.

The first time the user logs in after MFA is enabled, they will be prompted to register a verification method. This verification method will be used every time the user logs in from then on.

Salesforce Authenticator is the default method, and there is an option to Choose Another Verification Method as well. The various options were covered under Verification Methods above.

Salesforce Authenticator or third-party apps require users to download the app from Google Play or the App Store if it is not already installed on their phones.

If you are using Salesforce Authenticator, open the app and tap Add an Account. The app generates a unique two-word phrase. The user enters this phrase in Salesforce and clicks Connect. This finishes the setup for the user.

The next time the user logs in with their username and password, they will additionally see an authentication request on their mobile that they need to approve in order to log in.

A third-party app works with a Time-based One-Time Password (TOTP) that is generated in the app and entered in Salesforce. The user adds Salesforce to the third-party app by scanning the QR code that Salesforce generates while registering for MFA.
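The TOTP mechanism behind the third-party authenticator option, as an added illustration that is not Salesforce's code and not part of the original post: the QR code shown at registration carries an otpauth URI with a shared secret, the app derives a code from that secret and the current 30-second time step (RFC 6238, HMAC-SHA1, 6 digits, which are the defaults most apps use), and the server recomputes the code for the current step plus a small drift window. The account name, issuer label and the replay-tracking verifier are assumptions chosen for the example; the test secret is the one from the RFC 4226/6238 test vectors.

```python
"""Minimal RFC 6238 TOTP walk-through: enrollment secret, otpauth URI for the
QR code, code generation, and a server-side verifier with a drift window and
replay protection. Added example, not Salesforce's implementation."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote

STEP_SECONDS = 30   # time step used by common authenticator apps
DIGITS = 6          # length of the code shown in the app

# Constructed test secret: the ASCII string from the RFC 4226/6238 test vectors.
RFC_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode("ascii")


def generate_secret(nbytes: int = 20) -> str:
    """Random shared secret, base32-encoded as authenticator apps expect it."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def otpauth_uri(secret_b32: str, account: str, issuer: str = "Salesforce") -> str:
    """The otpauth URI that an enrollment QR code encodes (issuer/account assumed)."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: Optional[float] = None, step: int = STEP_SECONDS) -> str:
    """TOTP is HOTP with the counter derived from the current time step."""
    if at is None:
        at = time.time()
    return hotp(secret_b32, int(at // step))


class TotpVerifier:
    """Server-side check: accept codes from neighbouring steps (clock drift), but
    never accept a step at or before the last accepted one (replay of a used code)."""

    def __init__(self, secret_b32: str, window: int = 1, step: int = STEP_SECONDS):
        self.secret_b32 = secret_b32
        self.window = window
        self.step = step
        self.last_counter = -1

    def verify(self, submitted: str, at: Optional[float] = None) -> bool:
        if at is None:
            at = time.time()
        now = int(at // self.step)
        for counter in range(now - self.window, now + self.window + 1):
            if counter <= self.last_counter:
                continue  # already used, or older than the last accepted step
            if hmac.compare_digest(hotp(self.secret_b32, counter), submitted):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    secret = generate_secret()
    print("QR payload:", otpauth_uri(secret, "user@example.com"))
    print("current code:", totp(secret))
```

The verifier deliberately accepts one step on either side of the current one, since phone clocks drift, and remembers the highest step it has accepted so that a code captured by a third party cannot be used a second time within its 30-second lifetime.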

Change Management

MFA can be a big change for your users. Plan for and follow change management practices to introduce MFA in your organisation.

The impact, and the selection of the verification method, will vary based on whether your company already requires MFA for other applications, in which case users would already be used to providing an additional factor of authentication and be familiar with MFA requirements. If this is something totally new for your users, more intensive communication and training plans will need to be prepared.

In any case, you will need to communicate the upcoming changes to users. Explain the rationale for this additional step being required by Salesforce.

Plan for training and hand-holding of users through the MFA registration and verification process. Identify champions across departments who can help the users in each department.

Depending on the number of users impacted and the size of your support team, plan the launch in phases. Prepare for go-live issues and troubleshooting. Update the knowledge base in your ticketing system and on the company intranet.

Finally, keep monitoring the adoption reports and user logins to check for any anomalies after the introduction of MFA.
