February 18, 2022
Salesforce
Security

Salesforce MFA Requirement: The Most Common Questions Answered

Own Company
|
Marketing
No items found.

Editor’s note: This post was updated in February 2023, with the latest information and resources.

The increase in cybercrime — and particularly ransomware attacks — driven by employees accessing corporate databases from any device or location has forced many companies to prioritize login security. That includes Salesforce, who, as of February 1st, 2022, is requiring all of its customers to enable multi-factor authentication (MFA) in order to access its products.

To help customers make the transition to MFA a little easier, we recently held a webinar on MFA requirements,  which includes tips for implementation and adoption. Here are the top questions from that session, along with our answers.

What is MFA, and why is it so important?

MFA is a secure authentication method that requires users to prove their identity by supplying two or more pieces of evidence (or “factors”) when they log in. One factor is something the user knows, such as their username and password. Other factors are verification methods that the user has in their possession, such as an authenticator app or security key.

This is different from knowledge-based authentication, or KBA, which confirms identity by asking questions like, "what's your mother-in-law's maiden name?” While this is an extra security step, it's also known information that someone could look up on social media.

Because MFA requires dynamic data (a time-based one-time password, a security key, etc.), it’s a much more effective tool for enhancing login security and safeguarding your business and data against security threats.

What’s the difference between authentication and authorization?

While authentication and authorization are both integral to security, there is an important distinction between the two. Authentication is proving you are who you say you are, and that's done through identity. Once you prove who you are, authorization entails what rights, access, and entitlements you have to specific data and functionality. Within Salesforce, authentication is done with your username and password, while authorization is set by things like your profiles, and system permissions.

The reason why authentication is so important is that even if you have a well-designed authorization model, once a bad actor takes over your identity, they then have access to all of the things that your authorization applied to.

What MFA methods are available?

The four main methods are SMS, an authenticator app, security keys, and built in authenticators. Of the four, SMS is the most frequently used additional factor because almost everybody has it, and it’s relatively easy to manage. However, it’s also the least secure. Attackers can trick a telecom company into transferring a phone number to the attacker’s SIM card, meaning the security codes get sent to them instead of you. In addition, you can get your SMS text sent to multiple devices like your phone, tablet, and computer. So if you aren’t in possession of each of those devices, you risk someone else seeing those messages.

In the webinar, we provide a more detailed overview of the methods and provide examples of each.

If I already have an authentication method in place, am I fulfilling Salesforce’s requirement?

If you’re using a security key, authenticator app, or have MFA enabled as part of a third party SSO, you’ll be in compliance with the new requirement. Salesforce supports any authenticator app that uses the U2F framework, the FIDO2 web auth framework. So even if you have an authenticator app from Microsoft for example, it will fulfill the requirement for Salesforce.

If you're using SMS, you may want to think about transitioning to something more secure, like an authenticator app or security key to make sure that the two-factor authentication is as strong as it can be.

How do I actually implement MFA in Salesforce?

Once you have an MFA solution in place (authentication app, security key, SMS, etc.), it’s recommended that you take a phased approach. Migrating all of your users to MFA at once would be an admin's worst nightmare, simply from a support perspective.

To help inform your phased approach, you need to first take an inventory of your users. Your pilot users should be people that are quick to adopt change. Then, define your cohorts as you roll more people out. This could be based on region, department, or several other factors. In the webinar, we share how Own Secure can help with this step.

Change management is also an important step in the implementation process. Anytime you have a change that affects every single user, you need to provide support, whether it’s Slack channel or opening a Zoom call that people can just jump on and off whenever they have questions.

And then finally, you want to be able to monitor how people are switching over to the MFA. This is another area where Own Secure can help.

Fortify your data security with Own

While the new MFA requirement is a significant step in enhancing the security of your Salesforce environment, it’s just one piece of the puzzle. Because the data within Salesforce is ever-evolving, it will undoubtedly continue to put stress on your security posture. In addition, threats like misconfiguration of security and access controls, leaked user credentials, accidental or malicious deletion of data and other vulnerabilities continue to pervade.

Own Secure strengthens your organization’s security posture by identifying data exposure risks and proactively automates securing of your data – all within a managed package built natively on the Salesforce platform.

In addition to helping make your MFA implementation easier, Secure can help you:

  • Identify data exposure risks: Strengthen security posture by understanding data exposure risks through six security lenses
  • Classify sensitive information with ease: Isolate exactly where sensitive information exists in Salesforce and easily apply classification categories to prioritize remediation – without leaving Salesforce.
  • Accelerate Salesforce Shield effectiveness: Proactively automate remediation of data vulnerabilities and encryption blindspots with detailed action plans and real time alerts.
  • Prove compliance with industry regulations: Deliver real time evidence-based reports and audits to satisfy internal policies and external regulations in highly regulated industries.


Want a better idea of your organization’s Salesforce security posture? Request a free Guided Risk Assessment for Salesforce today, or schedule a demo below.

Get started

Submit your details and we will contact you shortly to schedule a custom 25-minute demo.

Book a demo
Get started

Submit your details and we will contact you shortly to schedule a custom 25-minute demo.

Book a demo
Own Company
Marketing

Tagged
Salesforce
Security

You may also like

Data Activation

Why Your Backups Are a Goldmine for Training AI Models

Backups possess several unique qualities that make them ideal for overcoming the challenges associated with handling large datasets and fueling AI models.

Backup and Recovery

What's the Difference Between Business Continuity and Disaster Recovery?

While the two terms are often used interchangeably, there are differences between disaster recovery and business continuity that all orgs should know.

French Blog

Protection des données cloud : pourquoi est-ce devenu un enjeu IT critique ?

A l’occasion de l’évolution de sa marque, OwnBackup, devenue Own Company, a eu l’occasion par la voix de Nessim Makhloufi, Area VP grands comptes EMEA & APAC, de revenir sur les enjeux de la protection des données cloud. 

Salesforce
Salesforce
Salesforce
Security

Get started

Share your details and we’ll contact you shortly to schedule a custom 25-minute demo.

Schedule a Demo
Office: 646.503.5100info@owndata.comContact Us
linkedinYouTube
Data Protection Platform
Products
Backup & RecoveryData SecurityData SeedingData ArchivingProduct Overview
Cloud Solutions
SalesforceMicrosoftServiceNowAWSVeevanCino
Solutions by Persona
CRM Platform OwnersCompliance LeadersCISOsTechnical Leaders
Resources
BlogEventsOn-DemandeBooksData SheetsOwn+All Resources
Company
About UsCareersPartnersNewsroom
Support
Knowledge BaseCall Back RequestSubmit a TicketSupport PolicySupport & Services
PricingCustomers
LegalPrivacy NoticeJob Applicant Privacy Policy
and Notice at CollectionSLATerms of ServiceTrustVulnerability Disclosure PolicyEnvironmental Policy
© 2024 Own Company. All rights reserved.
Products
Solutions by Persona
COMPANY
CUSTOMERS
Cloud Solutions
Resources
support
pricing
Legal
Office: 646.503.5100info@owndata.comContact Us

© 2024 Own Company. All rights reserved.

Cookie Consent

By clicking “Accept”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.

Deny
Accept
Cookie preferences