What is MFA and Why is it Important?

As the digital security landscape evolves and the threats that compromise user credentials grow more common, it’s important to implement strong security measures to protect your business and your customers. Usernames and passwords alone don’t provide sufficient safeguards against unauthorized account access. Multi-factor authentication (MFA) is one of the easiest, most effective ways to help prevent unauthorized account access and safeguard your Salesforce data: it adds an extra layer of protection against threats like phishing attacks, credential stuffing, and account takeovers. As an added bonus, MFA from Salesforce is provided at no extra cost!

To learn more, check out this video: How Multi-Factor Authentication Works to Protect Account Access

How Multi-Factor Authentication Works

MFA requires users to prove they are who they say they are by providing two or more pieces of evidence (factors) when they log in. One factor is something the user knows, such as their username and password combination. Other factors are verification methods that the user has (such as an authenticator app or security key) or that the user is (such as biometrics). Because user access is tied to multiple, different types of factors, it’s much more difficult for a cyber-villain to gain entry to your Salesforce environment. Even if a user’s password is stolen, the odds are incredibly low that an attacker can also guess or impersonate a secondary factor that the user physically possesses.

What is Changing with Salesforce, and How Does it Affect Us?

  • Beginning February 1, 2022, Salesforce will start encouraging customers to begin using MFA in order to access Salesforce products. Users will not be blocked from logging in on February 1, 2022.
  • You’ll get 6+ months’ notice before MFA is enforced for direct logins.
  • Being out of compliance means your Salesforce environments are less secure, and Salesforce is not legally liable for any lost data if you do not have MFA enabled.
  • Once MFA is enabled (for individual users or a group of users), all internal users who log in to Salesforce products (including partner solutions) through the user interface will be using MFA for every login.
  • To ensure that MFA is required for all your Salesforce users, you can turn it on directly in your Salesforce products or use your SSO provider’s MFA service. Salesforce products include MFA functionality at no extra cost.
  • If you have a mix of SSO and non-SSO users, you can use a combination of these options. For example, you can use your SSO provider’s MFA service for most of your Salesforce users, but enable MFA directly in Salesforce for admins who don’t use SSO. Salesforce isn’t locking you into any one kind of MFA, so you’re better able to find what works best for you and your team.

MFA Verification Methods for Salesforce:

  • Salesforce Authenticator App
  • Third-Party Authenticator Apps
  • Security Keys
  • Built-In Authenticators

What can we do from here?

The SalesLabX Recommended path to MFA

  • Decide if you’re going to roll MFA out to everyone at the same time, or if you’ll go live in phases to smaller groups over time.
    • If you do a phased rollout, admins and other privileged users are going to be your top priority.
    • ➤ TIP: We recommend starting out with a pilot group to test the rollout process and fine-tune things.
  • We recommend that you use one of the two free options for MFA: the Salesforce Authenticator App or a Third-Party Authenticator App. Keeping it simple makes for an easy rollout.
  • If you decide to use the Salesforce Authenticator App, the SalesLabX team can help you set up the user permission set and provide instructions/training that you can share with your internal team.
  • If you decide to use a Third-Party Authenticator App, the SalesLabX team can help set the permission set in Salesforce, but the rest of the connectivity will have to be taken care of by your in-house IT team.
  • If you decide to use Security Keys or Built-In Authenticators, the SalesLabX team can help set the permission set in Salesforce, but the rest of the connectivity will have to be done by your in-house IT team.
  • For the SalesLabX user permission set in Salesforce, we would prefer to use our own third-party authenticator app, if compatible with your security compliance guidelines.