Salesforce Requires Multi-Factor Authentication for User Protection
In 2019, children’s clothing retailer Hanna Andersson experienced a malware attack exposing the personal data and credit card information of more than 200,000 shoppers. The compromised commerce platform responsible for the breach belonged to Salesforce. While incidents like this are rare with Salesforce, cybercrime is becoming a much bigger problem overall. In 2020, 51% of businesses experienced a malware attack. Between January and September of 2021, U.S. data breaches increased by 17% from the prior year. The average cost of each attack: $4.24 million. Usernames and passwords no longer provide sufficient protection. That is why Salesforce requires multi-factor authentication (MFA). The change goes into effect February 1, 2022. Here’s everything you need to know to be ready for the new requirement.
What Is Multi-Factor Authentication?
When accessing an online account, an authentication process forces you to prove you are who you say you are. Historically a username and password did the trick. But those are too easy for criminals to figure out. Most usernames are emails and people commonly pick simple passwords they can remember. Salesforce is moving to multi-factor authentication in response. Rather than just supplying one piece of evidence, a user must provide two or more. This method combines what a user knows, such as a username and password, with something they have, like a cell phone, to prove their identity. Think of MFA for online accounts like using an ATM. The PIN is something you know while the bank card is something you have.
Why Is Multi-Factor Authentication Important?
In 2020, attackers created 6.95 million new phishing and scam pages. In the most common scheme, the criminal sends an authentic-looking email to a target. The recipient clicks on the email links, allowing the attacker to gather his/her username and password. When the timing is right, the hacker accesses the account and gathers personal and financial data. MFA fights against this by requiring an additional authentication method. However, Salesforce is taking an extra step in protection. Rather than just texting a code to a cell phone, Salesforce requires an authentication app that provides the additional information. So, even if an attacker steals a password, they likely cannot guess or access the information from the user’s app. That makes Salesforce highly protected against phishing and other types of cyberattacks.
How Does Salesforce MFA Work?
Beginning February 1, 2022, customers are contractually required to use MFA when accessing Salesforce products. Salesforce admins can turn on MFA for all users, or companies can use their single sign-on (SSO) provider’s MFA service. Once activated, users must provide that second authentication method each time they log in.
Salesforce recommends its free Authenticator mobile app, which users can download to their cell phone. Prior to February 1, users should register the app and connect it to their account. Each time a user logs into Salesforce, the platform sends a notification to the associated mobile device. Inside the app, the user reviews the details and approves or denies the request. The process is simple, but Salesforce makes it even easier. Users have the option of telling the app to always approve the authentication request from a certain location. Therefore, when accessing Salesforce from home or the office, the app processes the request automatically without any extra user effort. If a data connection is problematic, users can enter a one-time passcode generated by the app.
In addition to its Authenticator app, Salesforce also supports other verification methods including third-party time-based one-time password apps, physical security keys, and built-in authenticators such as biometric systems. The new MFA requirement does not allow email, SMS text messages, phone calls, or security questions as verification methods because they are easy to compromise or intercept.
Salesforce initiates the registration process the first time a user tries to log in under MFA. The platform offers a step-by-step process for connecting the company’s selected verification method to the Salesforce account. Once enabled, the user must provide the verification method each time following their username and password.
How Do I Get Ready for MFA?
If you don’t have MFA enabled already, now is the time. Salesforce requires multi-factor authentication for all users.
First, select the right verification method. Salesforce does not require a one-size-fits-all approach, so companies can mix and match. Review your internal security protocols. The app method might not be ideal for companies with a bring-your-own-device policy, and tracking security keys in high-turnover departments might be tricky. Find the methods that work for your business.
Next, tackle change management. Educate users on the switch and why it is important. Provide tutorials on the set-up process. You can enable MFA by permission set, allowing for smaller rollouts within the company. Make the move, document improvements, and activate the next set of users.
Finally, provide ongoing support. Add new users as they come on board. Monitor for any breaches or problems. Salesforce balanced the user experience with enhanced security by making the process easy. With the right planning, implementing multi-factor authentication can be simple.
Now That Salesforce Requires Multi-Factor Authentication, How Can I Learn More?
Check out these great resources for more information on MFA:
- Watch the How Multi-Factor Authentication Works to Protect Account Access video
- Read the Salesforce Multi-Factor Authentication FAQ for answers to every common question
- Use the Multi-Factor Authentication Assistant for step-by-step help in the app
- Don’t miss the Multi-Factor Authentication Quick Guide for Admins on rolling out MFA
- Ease user concerns with the How to Use Salesforce Authenticator video
Looking for additional support? The Galvin Technologies team can help you assess current needs, determine the right verification method, activate MFA, and educate users on the switch. Salesforce protects user data. We protect you from everything but a smooth transition to MFA.