It seems like we are hearing more and more about Multi-Factor Authentication (MFA), with many big companies adding extra authentication steps, including Salesforce, who are making MFA a requirement from 1st February 2022. 

So, what exactly does it all mean and why is it so important? 

It is no secret that cyber security threats are increasing. Most of you will be aware that the landscape of cyber security is evolving: whether your IT department has sent out yet another reminder about the dangers of phishing, or you have heard one of the many high-profile stories of data breaches, it is clear that the risk of cyber-attacks is growing. Even a cursory internet search is enough to show how frequently security breaches are occurring. 

The way we work and use technology has changed, especially over the last 18 months due to the pandemic. Home working on top of increased use of apps and the general change in how much we use online systems comes with greater vulnerability to attacks. 

Arguably one of the easiest targets for cyber attacks is passwords. Password management is a pain for all involved and we are notoriously bad at setting them. We often use common, memorable words that are easily guessed, or, at the other end of the scale, lengthy password requirements lead to re-using the same password across multiple accounts, meaning one breach can lead to a lot of data being compromised. But even the strongest, most difficult to remember passwords can be compromised, so this is where MFA comes in. 

So what does MFA mean? 

Firstly, it is important to understand what we mean by ‘factor’. Factors are simply ways to verify that the user is who they say they are. If the first factor is your username and password, then multi-factor authentication adds one or more additional verification steps to the login process. To meet the Salesforce requirements, your second factor should be either an authentication app or a physical authentication key. The idea is that adding at least one of these extra layers makes it much harder for phishers, scammers and hackers to access your account, and it is a really simple way to ensure your data is protected.  

The two factors should be:

  1. something you know (such as your password), and
  2. something only you have access to (such as your app or security key). 

Even if your password is compromised, it is unlikely that an attacker will also have access to your app or security key, so it becomes that much harder for any unauthorised person to access your account.
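As an added example (not code from the original post or from Salesforce), here is how the two factors fit together when the second factor is an authenticator app, assuming the app follows the RFC 6238 time-based one-time password (TOTP) scheme used by common third-party authenticator apps; the user record, salt and shared secret are constructed demo values:

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # TOTP time step; the app and the server must agree on it

# Constructed demo account. The TOTP secret is the value the authenticator
# app stores after scanning the enrolment QR code; the server keeps a copy.
DEMO_USER = {
    "username": "alice@example.com",
    "password_hash": hashlib.pbkdf2_hmac(
        "sha256", b"correct horse battery staple", b"demo-salt", 100_000),
    "totp_secret": base64.b32decode("JBSWY3DPEHPK3PXP"),
}


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = struct.pack(">Q", unix_time // STEP_SECONDS)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    # Accept the current step plus one either side to tolerate clock skew
    # between phone and server; compare in constant time.
    for drift in range(-window, window + 1):
        expected = totp(secret, unix_time + drift * STEP_SECONDS)
        if hmac.compare_digest(expected, code):
            return True
    return False


def login(user: dict, password: str, code: str, unix_time: int) -> bool:
    """Both factors must pass: something you know AND something you have."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), b"demo-salt", 100_000)
    password_ok = hmac.compare_digest(candidate, user["password_hash"])
    # A stolen password on its own never gets past this line.
    return password_ok and verify_totp(user["totp_secret"], code, unix_time)
```

The first two assertions in a quick check can use the RFC 6238 Appendix B test vectors (secret `12345678901234567890`, eight digits), which is how to confirm the generator matches what a real authenticator app would display.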

Salesforce have a very simple Authenticator app, but you can also meet the requirement by using a third-party authenticator app if your company already use one. 

MFA is quickly becoming an industry standard with many companies implementing similar policies this year, and Salesforce making this a contractual requirement for their products emphasises their commitment to security.

What is the scope of the requirement? 

This requirement is going to apply for anyone who has a standard user license with access to your Salesforce org’s UI, whether this is mobile or desktop, and includes any user authorised to act on your company’s behalf, such as partners and third-party agencies.  

It doesn’t apply to Community, Employee Community, or External Identity licenses that can only access your company’s Experience Cloud sites, e-commerce sites or storefronts, help portals, or employee communities. 

Additionally, this is for direct logins only; there is no change for automated testing accounts or API/integration users. Nor is it a requirement for scratch orgs or sandboxes (apart from all you B2C Commerce Cloud and Marketing Cloud folk, you will need MFA for any instances used for testing purposes!). 

If you are currently using Single Sign-On (SSO) then you may have to consider updating your settings because SSO alone may not satisfy the requirement. If your SSO relies solely on a username and password, you will still have to enable MFA. There is flexibility for this to be enabled either via Salesforce or via your identity provider, however, it is worth noting that you will still need to meet the requirements mentioned above (i.e. using an authenticator app or security key) as some verification methods such as emails or texts will not suffice.

How should I prepare for rolling out MFA?  

The requirement for MFA goes into effect on 1st February 2022 so it is a good idea to start thinking about this now to be sure your users have plenty of time to prepare for the change.

It is also a good idea to get a roll-out strategy in place as soon as possible, especially if you have a lot of users. Key considerations for your strategy should include:

1. Define your roll-out strategy, e.g. will you be phasing your roll-out or will it be all at once? Do you need to consider a pilot with a small number of users? 

2. Determine your change management strategy. As with any process change, it is good to establish a plan for your comms and training. There are lots of tools online for this and Salesforce have put together a roll-out pack with some handy training materials, which you can find here.

3. Establish a support plan. Whilst this may seem like a relatively straightforward change, I can hear the groans already from some users when it comes to anything authentication related. So it is a good idea to plan who will be supporting any initial login issues or account lockouts. 

4. Define your implementation plan. You will need to decide exactly what your MFA verification method will be and when you aim to launch it, as well as assessing any dependencies or blockers to your roll-out. 

If you have any concerns or queries about MFA then get in touch. Ribbonfish are here to help ensure your roll-out is a success. 

Vanessa Taylor is Project Manager at Ribbonfish. She gained experience as both a Project Manager and Salesforce user on the client-side before crossing over to consultancy. Vanessa has a passion for improving experiences through technology.

Photo by Glenn Carstens-Peters