Information security is critical for any organization, and because Salesforce is the world’s most popular CRM platform, it requires strong protection for its customers and developers. Multi-Factor Authentication (MFA), also referred to as Two-Factor Authentication (2FA), is one of the easiest and most effective ways to implement strong security measures that protect both your business and your customers. To provide a more secure environment for its users, Salesforce offers MFA as a feature, and as an admin you can secure your users’ identities by implementing it. MFA is available in both Salesforce Classic and Salesforce Lightning Experience. In this article, What is Multi-Factor Authentication (MFA)/Two-Factor Authentication in Salesforce, we discuss the types of security features Salesforce provides, how MFA works, and how Salesforce Authenticator helps secure access to Salesforce.
Salesforce provides two types of essential user authentication and these are as follows:
- Service-based authentication
- Policy-based authentication
Service-based authentication is also called device activation and is automatically enabled for all orgs. With this method, a user who signs in from an unrecognized browser or application must complete a verification step before Salesforce grants access to the account.
Policy-based authentication is enabled and managed by the org’s admin to protect users’ accounts.
What is Multi-Factor Authentication (MFA)?
Multi-Factor Authentication (MFA) adds an extra layer of protection that prevents unauthorized account access, mitigates threats such as credential stuffing and phishing, and safeguards your Salesforce data. When MFA is enabled, you must provide additional evidence of your identity when logging in to your Salesforce account.
MFA is one of the easiest and most effective methods of implementing strong security measures to protect your business as well as your customers. A user name and password can be stolen or easy to guess, so MFA adds an extra layer of protection against unauthorized access to your Salesforce account. MFA is available free of charge for all Salesforce users.
How does MFA work?
Multi-Factor Authentication combines two factors for authentication:
- The first factor (something you know) is the combination of your account’s user name and password.
- The second factor (something you have) is an authenticator app or a security key.
When MFA is enabled for your account, you first enter your user name and password and then verify the login with an authenticator app or security key. The authenticator app can be downloaded from Google Play at no extra cost.
In simple terms, to access your Salesforce account you must have your user name and password as well as an authenticator app or security key. This means that even if your password is stolen by an attacker, they cannot guess or impersonate the second factor, which is something the user physically possesses.
Which Salesforce products support MFA?
Salesforce provides easy-to-use yet strong security features that protect its users and customers against unauthorized account access. Different verification methods are available depending on your business requirements and your users’ needs, such as mobile apps and hardware devices.
MFA currently supports the Salesforce products listed below, and it is expected to support all Salesforce products by mid-2021.
- Products built on the Salesforce Platform, such as Sales Cloud, Service Cloud, Analytics Cloud, B2C Commerce, Experience Cloud, Marketing Cloud Audience Studio, Marketing Cloud Pardot, Salesforce Field Service, Salesforce Essentials, Platform, etc.
- Marketing Cloud, including Email Studio, Mobile Studio, and Journey Builder.
- B2C Commerce Cloud.
- Marketing Cloud Datorama.
Once MFA is implemented for an account, Salesforce provides tools and resources to manage the implementation, such as reports and dashboards for monitoring usage and temporary verification codes for users who have lost access to their verification method.
What are MFA verification methods in Salesforce?
Salesforce provides various verification methods depending on your Salesforce product, and you can choose any of them, such as the Salesforce Authenticator app, a third-party TOTP authenticator app, or a U2F or WebAuthn security key. When MFA is enabled for an account, the login process prompts you for your chosen verification method after you enter your user name and password.
Salesforce Authenticator app: This is a fast and free authentication method provided by Salesforce.
Third-party TOTP authenticator app: A third-party authenticator such as Google Authenticator or Microsoft Authenticator.
U2F or WebAuthn security key: A Universal Second Factor (U2F) or WebAuthn security key that the user inserts into the appropriate port on their computer or mobile device to complete login verification.
Note: Salesforce does not allow email, SMS, or phone calls as MFA verification methods.
Salesforce Authenticator App:
Salesforce Authenticator is a fast, free, and frictionless mobile app used as an MFA verification method. You can install it from Google Play and link it to your Salesforce account.
How does Salesforce Authenticator work?
When a user logs in to their Salesforce account with their user name and password, a push notification is sent to their mobile device. When the user taps the notification, it opens the Salesforce Authenticator app, which shows the following details:
- The action for which authentication is requested
- The user who is requesting authentication
- The service that is requesting the action
- The user’s device information
- The request’s source location (where the request originated)
Based on this information, the user can approve or deny the request.
Further, if you don’t have your mobile device with you, you can log in with a six-digit TOTP code generated by Salesforce Authenticator.
Note: All Salesforce products support Salesforce Authenticator as a verification method.
How do you disconnect Salesforce Authenticator from a user’s account?
Salesforce allows only one account to be connected to the Salesforce Authenticator app at a time, so no other user can register the same Salesforce Authenticator app at the same time. If you lose your device, you can still log in to your Salesforce account, but in that scenario the Salesforce Authenticator app must be disconnected from the user’s account. Because the MFA permission is still enabled on the user’s profile, Salesforce prompts the user during login to register a new verification method.
The Salesforce administrator also needs to remove the multi-factor authentication permission from the user’s profile by disabling Manage Multi-Factor Authentication in User Interface. As an administrator, follow these steps to disconnect the Salesforce Authenticator app from the user’s account so that it can be linked to another device:
- Log in to your Salesforce account.
- Click Setup at the top right corner of your screen.
- Enter Users in the Quick Find box and select Users from the dropdown list.
- Select the user name for which you want to disconnect the Salesforce Authenticator app.
- On the user detail page, go to the field App Registration: Salesforce Authenticator.
- Click Disconnect next to this field.
Third-Party Authenticator App (TOTP):
All Salesforce products support third-party authenticator apps such as Google Authenticator, Microsoft Authenticator, and Authy. These apps generate a temporary one-time password (TOTP) using the OATH time-based one-time password (TOTP) algorithm.
How does a third-party authenticator app (TOTP) work?
When a user logs in to their Salesforce account using this method, the authenticator app generates a code, and the user enters this TOTP in the login window during sign-in. The app derives the temporary code from the current time and a secret key shared with Salesforce. Each code is valid for only 30 seconds; if the user does not log in within 30 seconds, the authenticator app automatically generates a new code.
The app generates codes even when your mobile device has no internet connectivity. If you already have a TOTP authenticator app on your device, you can configure it as a verification method for your Salesforce account.
How do you disconnect a third-party authenticator app (TOTP) from a user’s Salesforce account?
As with the Salesforce Authenticator app, Salesforce allows only a single user account to be linked with a third-party time-based one-time password (TOTP) authenticator app at a time. When a user loses their mobile device or access to the app, you need to disconnect the app from the user’s Salesforce account. Once the TOTP authenticator app is disconnected, Salesforce prompts the user to register a new verification method.
As an admin, you disconnect the TOTP authenticator app from the user’s profile (Manage Multi-Factor Authentication in User Interface).
Follow these simple steps to disconnect the TOTP authenticator app from the user’s account:
- Log in to your Salesforce account.
- Click Setup at the top right corner of your screen.
- Enter Users in the Quick Find box in the sidebar and select Users from the dropdown list.
- Select the user’s name for which you need to disconnect access.
- On the user’s detail page, find the App Registration: One-Time Password Authenticator field.
- Click Disconnect next to this field.
Sometimes you may not have your mobile device with you, or mobile devices may not be permitted on your work premises. In that case, a security key is the best option for your login verification method.
Security keys are small portable devices that require no installation or coding to use as a verification method. They also make Multi-Factor Authentication very fast and easy: you connect the key to your computer and press its button to identify yourself.
How does Security Key work in MFA?
Salesforce supports the security key with the following standards:
- FIDO U2F (created by Google and Yubico, with support from NXP)
- FIDO2 WebAuthn
Both are open authentication standards that let you securely access all your online services with a single security key, without any installation or coding. Both rely on strong public-key cryptography, which protects the user’s account from unauthorized access and attacks on the internet.
Important considerations while using Security Key:
- It requires browser support.
- The key can remain plugged into the device at all times.
- It incurs extra operational costs for purchasing the keys and distributing them to users.
Security key options: Yubico’s YubiKey and the Google Titan Security Key.
How to enable MFA or Two-Factor authentication in Salesforce?
As discussed above, MFA adds an extra step to the Salesforce login process. Enabling MFA for your account is easy and fast. Follow these steps to implement MFA:
- Log in to your Salesforce account with your user name and password.
- Create a permission set first. A permission set allows a user to provide the second factor of authentication, such as the Salesforce Authenticator app, a third-party authenticator app, or a security key.
- Go to Setup and enter Permission in the Quick Find box.
- Select Permission Sets.
- Create a permission set by clicking New, then click Save.
How to create a new permission set for MFA in Salesforce?
Enter the Label, API Name, and Description in the required fields as follows:
- Label: Multi-Factor Authentication Required
- API Name: Multi_Factor_Authentication_Required
- Description: Requires MFA when a user logs in to Salesforce
Alternatively, you can choose it directly from the License button below in your window and then click Save.
To locate the MFA for user interface login permission, go to the Find Settings box, enter multi-factor authentication for user interface login, and click the Edit button at the top of the screen.
Scroll down, select the MFA permission, and click Save.
A pop-up window appears asking you to confirm the permission changes. Click Save.
How to assign the permission set to the user?
After creating the permission set, you need to assign it to your users. Follow these steps to assign the permission set to users:
- Click the “Manage Assignments” tab.
- Click “Add Assignments”, select the users from the list, and then click “Done”.
- The users assigned this permission set are now required to log in with Multi-Factor Authentication.
When an assigned user logs in for the first time after MFA is enabled, they are prompted to register a verification method. That method then serves as the second factor of authentication each time they log in to their account.