Editor’s note: This post was updated in February 2023, with the latest information and resources.
The increase in cybercrime, and particularly ransomware attacks, driven by employees accessing corporate data from any device or location has forced many companies to prioritize login security. That includes Salesforce, which, as of February 1st, 2022, requires all of its customers to enable multi-factor authentication (MFA) in order to access its products.
To help customers make the transition to MFA a little easier, we recently held a webinar on MFA requirements, which includes tips for implementation and adoption. Here are the top questions from that session, along with our answers.
MFA is an authentication method that requires users to prove their identity by supplying two or more pieces of evidence (or “factors”) when they log in. One factor is something the user knows, such as their password. The other factors are something the user has in their possession, such as an authenticator app or a security key.
This is different from knowledge-based authentication, or KBA, which confirms identity by asking questions like “What’s your mother-in-law’s maiden name?” While this is an extra step, the answers are static information that an attacker can often look up on social media.
Because MFA requires dynamic data (a time-based one-time password, a security key, etc.), it’s a much more effective tool for enhancing login security and safeguarding your business and data against security threats.
While authentication and authorization are both integral to security, there is an important distinction between the two. Authentication is proving you are who you say you are. Once you have proven who you are, authorization determines what rights, access, and entitlements you have to specific data and functionality. Within Salesforce, authentication is done with your username and password plus any additional MFA factor, while authorization is set by things like your profiles and system permissions.
The reason why authentication is so important is that even if you have a well-designed authorization model, once a bad actor takes over your identity, they then have access to all of the things that your authorization applied to.
The four main methods are SMS, an authenticator app, security keys, and built-in authenticators. Of the four, SMS is the most frequently used additional factor because almost everybody has a phone and it is relatively easy to manage. However, it is also the least secure. In a SIM-swap attack, an attacker tricks the carrier into transferring your phone number to a SIM card they control, so the security codes are sent to them instead of you. In addition, SMS messages can be mirrored to multiple devices, such as your phone, tablet, and computer. If you are not in possession of each of those devices, you risk someone else seeing those messages.
In the webinar, we provide a more detailed overview of the methods and provide examples of each.
If you’re using a security key, an authenticator app, or MFA enforced by a third-party SSO provider, you’ll be in compliance with the new requirement. Salesforce supports any authenticator app that generates time-based one-time passwords (TOTP), and any security key that implements the U2F or FIDO2/WebAuthn standards. So even if you already use an authenticator app from Microsoft, for example, it will fulfill the requirement for Salesforce.
If you’re using SMS, you may want to transition to something more secure, like an authenticator app or a security key, to make sure that your second factor is as strong as it can be.
Once you have an MFA solution in place (authenticator app, security key, SMS, etc.), it’s recommended that you take a phased approach. Migrating all of your users to MFA at once would be an admin’s worst nightmare, simply from a support perspective.
To help inform your phased approach, you need to first take an inventory of your users. Your pilot users should be people that are quick to adopt change. Then, define your cohorts as you roll more people out. This could be based on region, department, or several other factors. In the webinar, we share how OwnBackup Secure can help with this step.
Change management is also an important step in the implementation process. Any time you make a change that affects every single user, you need to provide support, whether that is a Slack channel or an open Zoom call that people can join and leave whenever they have questions.
Finally, you want to be able to monitor how people are switching over to MFA. This is another area where OwnBackup Secure can help.
While the new MFA requirement is a significant step in enhancing the security of your Salesforce environment, it’s just one piece of the puzzle. Because the data within Salesforce is ever-evolving, it will undoubtedly continue to put stress on your security posture. In addition, threats like misconfiguration of security and access controls, leaked user credentials, accidental or malicious deletion of data and other vulnerabilities continue to pervade.
OwnBackup Secure strengthens your organization’s security posture by identifying data exposure risks and automating the steps that secure your data, all within a managed package built natively on the Salesforce platform.
In addition to helping make your MFA implementation easier, Secure can help you:
Want a better idea of your organization’s Salesforce security posture? Request a free Guided Risk Assessment for Salesforce today, or schedule a demo below.