Are you ready for Salesforce’s February 1 MFA Requirement?
With the continued effects of the pandemic and remote working, cyberattacks pose a major and worrisome threat to all organizations. In 2021, phishing yet again topped the list of internet crimes, having increased more than 11 times over the past 5 years and doubled since 2020, costing companies on average $14.8m per year. What is especially concerning is the level of sophistication of these attacks: over 30% of phishing emails are opened by their targets. To combat this increasing threat, Salesforce has put in place a requirement for multi-factor authentication (MFA) for all internal users starting February 1, 2022.
What MFA is and what it means to you
Multi-factor authentication (MFA) is a secure authentication method that requires users to prove their identity by supplying two or more pieces of evidence (or factors) when they log in. One factor is something the user knows, such as their username and password. Other factors include something the user has, such as an authenticator app or security key. By tying user access to multiple types of factors, MFA makes it much harder for common threats like phishing attacks and account takeovers to succeed. (source)
What does the Salesforce 2/1/22 compliance date mean to you, and should you be concerned? While we are told that Salesforce will not discontinue access to users on this date, they have advised that customers who don’t enable MFA by this date will be deemed out of compliance with their contractual obligations. Also, according to Salesforce’s published roadmap, they will first auto-enable MFA for users and then move to enforcement with 6+ months’ notice. When it is auto-enabled, admins will be able to disable MFA, but they will lose the ability to do so after the enforcement date. Given these impending deadlines, it is in your best interest to develop an implementation plan as soon as possible.
How to comply
You can turn on MFA directly in Salesforce through the user interface, or satisfy the requirement by using MFA through your Single Sign-On (SSO) provider. If you work within Salesforce, there are multiple options available:
- Salesforce Authenticator mobile app
- Third-party Authenticator apps such as Google Authenticator, Microsoft Authenticator, or Authy
- Using physical security keys such as Google’s Titan or YubiKey
- Use a device’s built-in authenticator such as Touch ID or Windows Hello.
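The Salesforce Authenticator and third-party apps listed above (Google Authenticator, Microsoft Authenticator, Authy) all produce time-based one-time passwords as defined in RFC 6238 (TOTP over RFC 4226 HOTP). The following is an added example, not code from Salesforce or from this article, showing how such a code is derived from the enrollment secret and the current time, and how a verifier should check it: with a small clock-drift window, a constant-time comparison, and rejection of a counter that has already been accepted (replay). The secret is the RFC 6238 test vector, base32-encoded the way an authenticator app would receive it from a QR code; the `last_accepted` bookkeeping is an assumption about how a verifier stores state, not a Salesforce mechanism.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 6238 / RFC 4226 reference secret ("12345678901234567890"), base32-encoded
# as it would appear in an enrollment QR code. Constructed for this example.
ENROLLMENT_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(b32: str) -> bytes:
    """Decode a base32 authenticator secret, tolerating missing '=' padding."""
    cleaned = b32.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second time step."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int,
                last_accepted: Optional[int] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> Optional[int]:
    """Check a submitted code against the current step and +/- `window` neighbours.

    Returns the time-step counter that matched, or None on failure. Any counter at
    or below `last_accepted` is refused so an intercepted code cannot be replayed
    within the drift window. The caller persists the returned counter per user.
    """
    if len(code) != digits or not code.isdigit():
        return None
    current = at // step
    for drift in range(-window, window + 1):
        candidate = current + drift
        if last_accepted is not None and candidate <= last_accepted:
            continue
        # compare_digest keeps the comparison constant-time regardless of mismatch position
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


if __name__ == "__main__":
    secret = decode_secret(ENROLLMENT_SECRET_B32)
    now = int(time.time())
    print("current code:", totp(secret, now))
    print("verified at step:", verify_totp(secret, totp(secret, now), now))
```

The important verifier properties are the ones the list above leaves implicit: codes are only as secret as the enrollment key, so it must be stored like a credential; the acceptance window should be as small as clock skew allows; and a code, once used, must never be accepted again.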
5 Things to Consider when Implementing MFA
Here are a few tips to help make your implementation smooth:
- Consider which setup makes the most sense for your users and your organization as a whole. For a small company, security keys may be a reasonable solution, but for an organization with 300+ users it may become a burden to manage 300 different physical security keys. The same applies when selecting a digital authentication method: if your organization is currently using Microsoft Authenticator for other tools, it makes the most sense to add Salesforce to your current authenticator setup rather than insisting your users download a new authenticator. It is best to keep the MFA process as streamlined as possible so it does not cause any disruptions to your users once it is activated.
- Be careful to ensure your users’ MFA setups meet Salesforce’s security requirements. If they do not, your organization will be deemed out of compliance. You can find exact information on the requirements on the MFA FAQ page, or you can check whether your current setup meets Salesforce’s requirements with the MFA Requirement Checker.
- If your entire organization is using SSO and your SSO provider goes down, everyone will be locked out of your org. Salesforce Admins should always set up a second method of authentication for themselves (using one of the options covered above) to retain access to the org in case something like this occurs. An admin can also generate one-time codes from within Salesforce that will allow users to access their orgs in case their SSO provider goes down.
- If users feel that they have a special case where they cannot implement MFA, they will have to contact Salesforce directly and speak to an account representative to find a solution.
- Many of our clients use SSO-based logins for some or all of their users. They are required to enable MFA through their SSO provider. However, Salesforce has said they will not act on your behalf to enable MFA for your SSO identity provider, nor does Salesforce have plans to block access to Salesforce products or trigger MFA challenges if your SSO service doesn’t require MFA. We are told that this policy could change in the future.
Cloud113 is here to help
You don’t have to choose between security and keeping your Salesforce functionality intact. Our experts at Cloud113 can help make your transition to MFA smooth. We are currently offering a free security health check to help you prioritize top areas of concern and develop a plan to address MFA and other areas.
You can schedule your free 30-minute assessment by picking a time here.