Per Salesforce's announcement, all Salesforce customers are contractually obligated to use MFA for direct and SSO logins to Salesforce products starting on February 1, 2022.
What is MFA?
Multi-factor authentication (MFA) adds an extra layer of protection against threats like phishing attacks. MFA adds an identity verification step to the login process in addition to entering your Username and Password. Learn more about MFA here.
But what does “MFA” really mean?
Multi-Factor Authentication means you will need more than one “factor” each time you log into Salesforce. A “factor” is a way Salesforce knows it’s you, so your password is one factor. A second factor is a unique code that only you have access to (through your email, mobile phone, or a third-party app). So once MFA is enabled for your organization, you will need to enter your password and ANOTHER “identifying factor” to get in.
Why implement MFA?
First, because you are contractually obligated to comply starting on February 1, 2022. But there are benefits, including keeping your data more secure. Usernames and passwords alone don’t provide sufficient safeguards against unauthorized account access.
How will internal (staff) users be affected?
Once you have activated MFA (as described below), staff will simply need to download the Salesforce Authenticator app on their phone to enroll. Or you can use an existing third-party authenticator, such as Google Authenticator, Microsoft Azure, or even a physical YubiKey. (Learn more in the Which verification methods satisfy the MFA requirement? section here.)
How will portal users be affected?
They won’t be. MFA only applies for internal Salesforce users.
What are the other implications of implementing MFA?
- Each user must have their own individual login for Salesforce.
- You will need to test each third-party application that requires an OAuth login to Salesforce to see how MFA will impact it, for example DocuSign, Outlook, Gmail, etc.
How do I activate MFA?
Follow these three simple steps, view the video here, or contact your Sputnik Moment consultant for assistance.
We recommend you follow these steps three times: first, for your own user. Second, for a couple of power users. And third, for all other internal users (once you and the power users have tested it out).
- STEP 1: Create a new permission set, then click on SYSTEM PERMISSIONS, click EDIT and check the box for “Multi-Factor Authentication for User Interface Logins” and click SAVE. Then assign this to the relevant user(s).
- STEP 2: Choose your authentication method from the following options:
- Salesforce provides a free phone app called the Salesforce Authenticator – download it from the Apple Store or Google Play.
- Use a third-party authenticator, like Microsoft Authenticator or Google Authenticator, or even a physical YubiKey. (HINT: If you are already using an authenticator app for other products, you can choose this option.)
- STEP 3: Log in to Salesforce and walk through the instructions on-screen to link your authenticator app to your Salesforce login.
- If you are using Salesforce Authenticator:
- It will ask you to open the app, enter the two-word phrase generated by the app, and click CONNECT.
- Whenever you log in afterwards, simply click the button in the app to verify your login.
- If you are using a third-party authenticator:
- Click the link on the screen to “Choose Another Verification Method” and select the radio button to “Use verification codes from an authenticator app” and click CONTINUE.
- Open the app on your phone.
- Click to ADD a new login.
- Scan the QR code generated on-screen. When your authenticator populates the verification code, type it into the box and click CONNECT.
- Whenever you log in afterwards, you must type in the code generated by the authentication app on your phone.
What if I can’t use my personal mobile phone?
There are other third-party authentication apps that are web-based, which you may already be using, such as LastPass and Authy. Check with your IT team first.
What if I don’t do anything?
Salesforce is giving organizations time to prepare for this change. February 1, 2022 is the date you are contractually obligated to enable MFA, but you still have time to test it out and prepare your users. Salesforce will permanently enable MFA by Summer 2023 (with no option to disable it).
What does it mean when Salesforce says we will be “in violation of our contract” if we don’t enable MFA by Feb 2022?
You can find the full terms of your Salesforce contract here, but essentially it means that you are doing something you are not technically allowed to do. When you signed up for your Salesforce instance, you agreed to the terms of the agreement, and by continuing to use Salesforce you agree to be bound by the terms of the agreement. For comparison, another example of a contract violation that may be commonplace is two employees sharing one username and password.
I still have questions. What do I do?
Contact your Sputnik Moment consultant if you have any questions or want to walk through the process together. You can also read through the detailed instruction guide here.