More than ever, as technologies adapt and advance, we must be aware of how to protect ourselves from dangerous malware or potential breaches in security. Information both personal and professional is extremely important to keep secure and is key in keeping your company running efficiently. So how do you protect yourself and your company from potential breaches in security? In comes MFA, or Multifactor Authentication.
We found that while Salesforce continues to release information on MFA, it can sometimes be overwhelming and confusing. In this piece, the first of a new series we are releasing around all things MFA, we are breaking down the basics of MFA. What it is, why it’s important, who it’s for, and when it needs to be updated in all Salesforce orgs. So let’s dive in!
What is MFA?
MFA, or Multifactor Authentication, is basically what it says it is. It’s an extra layer of authentication to better secure login information and thus secure your orgs. MFA is a combination of “what you know”, “what you have”, and “what you are”.
What You Know:
This is something that you know. Like a Pin number, or a time based one time password.
What You Have:
What you have is something physical, a tangible thing. For example a security key or a device (i.e. a phone) that has an authentication application.
What You Are:
This is the most secure form of authentication. What you are consists of something that (usually) will not change about you. Like your fingerprints, retinal scans or a scan of your face.
With that being said, Salesforce does only allow a few different types of Multifactor Authentication. Right now, they allow Time-based one time passcodes, authenticator applications, and security keys. They will not allow phone calls, emails or SMS verification because those are usually the most easily intercepted types of MFA. Keep in mind that while “What You Are” may be overall the most secure form of authentication, it doesn’t mean that it’s the most appropriate form for you and your salesforce orgs. What Salesforce allows is really all you need and it doesn’t make for a super confusing and complicated implementation process (stay tuned for an upcoming article where we discuss the How-to implementation process).
Now that you know what MFA is, let’s discuss why it’s important.
Why MFA?
MFA is a critical piece of cybersecurity. If your email, phone, or password are compromised, MFA would be one extra step a bad actor would need to take in order to gain access to your accounts. MFA is pushed by security practitioners for everyone but is often overlooked or rejected due to the extra step it would take to login. And we can’t ignore the impact that the pandemic has had on cybersecurity. When everyone went home, companies had to adapt quickly. Not being in an office could mean things like no VPN or no firewall, and no controlled network to keep you and your information protected.
It also means that there’s a chance that you’re now working from the same laptop or computer that your kids or the rest of your family are working on as well. Either way, passwords are being reused and are being compromised along with your usernames. With MFA, it will at the very least add an extra layer of security to prevent people from getting in. It’s possible during that transition to working from home, somewhere in the chaos something could have been missed and you’re not as secure as you thought. So adding that extra layer would never be a bad thing. Now that the dust seems to be settling, it is a great time to look back and see what gaps you have in your authentication process.
When it comes down to the nitty gritty, the bottom line is that malware attacks commonly occur in companies who don’t have MFA enabled. And this can be anyone, it isn’t just multi-billion or million dollar companies. It’s mom and pop shops, schools, local government offices etc. Take the time and spend the money now, to implement MFA before it’s too late and you end up having to spend even more money to recover from a malware attack.
Want to see for yourself? You can check if any of your emails or phone numbers have been compromised here.
Who It’s For?
Short answer – all Internal and Partner Salesforce Users across Salesforce Products. External users will not be forced to use MFA, but it is still recommended. For more information you can check out this Salesforce FAQ page.
How Do I Implement It?
There is no one-size-fits-all solution, you will have to perform research and make decisions on what is best for your organization. We’ll share our expertise on how to do that in a follow-up post. Salesforce has provided their Multi-Factor Authentication Assistant to guide you through the phases of the process; including getting reading, rolling out, and managing. Note: the Learn How features of the Multi-Factor Authentication Assistant will not function until June 12, 2021 in sandboxes. The Multi-Factor Authentication Assistant will help you through the entire process from planning to rollout and adoption!
You can search “Single Sign-On Settings” in Setup to see what you may currently have configured for Single Sign-On. If your Identity Provider (IdP) for your SSO implementation offers MFA, you can enable it with them instead of within Salesforce.
You can see what you may have configured for MFA by searching Session Settings for “Multi-Factor Authentication” in the High Assurance column and Profiles and Permission Sets for the following:
- “Multi-Factor Authentication for User Interface Logins” permission
- “Session security level required at login” session setting, if enabled check the “High Assurance” settings to see what is currently configured
Note: “MFA” was previously known as “2FA” or Two Factor Authentication.
When Does it Need to Be Updated?
MFA is currently available in all orgs! The Multi-Factor Authentication Assistant will be fully functional in sandboxes starting June 12, 2021. And Admins see these alerts when logging in.
The enforcement will be February 1, 2022, for all supported Salesforce products. But don’t wait. Things will break and things will need to be tested. So it’s going to take more than one day to implement.
