Everything you need to know to get ready for Salesforce’s new MFA enablement.
According to Salesforce, MFA is going to take effect on February 1, 2022. It will be required for all single-sign-on SSO logins and logins through user interface and you can turn it on directly in your Salesforce products or use your SSO provider’s MFA service.
You can find a list of products supported here.
Salesforce has a nice MFA assistant available in the setup and step by step instructions on your mobile device when you activate MFA.
Create a permission set for MFA (with a nice API name if possible if you like your developers) and search in the permission set settings in search box field multi-factor and choose Authentication for User Interface Logins permission from the lookup preview window of the search box.
There are multiple MFA related permissions but the one we are looking for is the User Interface Logins one.
Like a regular permission set assignment, assign it to the users who will require MFA to login through UI.
After you enable MFA, users will get a screen prompt when they try to login after the first time. You can select a verification method and with Salesforce Authenticator you can set up trusted locations to automatically approve your login requests (if you have location services enabled).
For Salesforce Authenticator, you can enter the two-word phrase that the app generates to add it as a verification method. To add an account, open the Salesforce Authenticator app in your mobile device, Add an Account to generate the two-word phrase keywords.
When a user logs in, they get a push notification on their mobile device. The user taps the notification to open Salesforce Authenticator and sees the following information:
• The action that needs to be approved
• Which user is requesting the action
• Which service is requesting the action
• What device the user is using
• The location from which the request is coming
You cannot use SMS (Text), phone call and email as alternative verification methods for MFA. As alternatives, you can also use Third-Party authenticator apps and devices (Google Authenticator etc.) and security keys (Google’s Titan Security Key etc.)
Salesforce doesn't require MFA for the following on-premises products:
Cybersecurity is becoming very important everyday and there are many threats that can affect users. It’s important to protect your business and customers according to the industry standards. MFA creates an extra layer of protection against threats like phishing attacks, credential stuffing and account takeovers. MFA is one of the easiest and effective ways to secure your accounts for free.
The reason why it’s called two factor is there is one layer which is the login credentials and the other factor is the verification methods that user has whether it’s by an app or a physical security key.
One tip for admins that might come in handy is that you can also create reports and dashboards to monitor MFA usage across your org.
You can also use Lightning Login to satisfy the MFA requirement. This feature offers password-free access to Salesforce accounts. Lightning Login meets the MFA standard by requiring two authentication factors: Salesforce Authenticator (something a user has) and a PIN or biometric scan on their mobile device (something the user is).
You can also enable MFA using security level, either standard or high assurance assigned to a login method in your Salesforce session settings.
You configured Facebook and LinkedIn as authentication providers in your site. Many of your site members use social sign-on to log in using the username and password from their Facebook or LinkedIn accounts. You want to increase security by requiring customers to use MFA when they log in with their Facebook account. You want users who log in with their LinkedIn account to be automatically granted high assurance access and bypass MFA.
In the Customer Community User profile, set the session security level required at login to High Assurance. In your session settings, edit the session security levels.
Because you’re requiring MFA with Facebook accounts, make sure that Facebook is in the Standard column. Add Multi-Factor Authentication to the High Assurance column. When users log in with their Facebook account, they’re required to provide a verification method in addition to their username and password. Add LinkedIn to the High Assurance column. When users log in with their LinkedIn account, they’re granted High Assurance access without needing to provide a verification method.
From what I have found, the scratch orgs are not supported, although enabling MFA on DevHubs could be necessary.
There might be additional configuration requirements if you are already using MFA from your SSO provider. There should be additional considerations for API users and some issues reported with using MFA with Salesforce plugin for outlook Be sure to check out the trailblazer community for more updates on this.
How Blue Canvas enables feature branches with our Virtual Packaging concept.
How Blue Canvas helped Catalyst unlock the potential of DevOps for 20 BAs and 10 developers in under a week.