Salesforce Now Requires Multi-Factor Authentication for User Protection

About the Author: Joe Faires

February 9, 2022

In 2019, children’s clothing retailer Hanna Andersson experienced a malware attack exposing the personal data and credit card information of more than 200,000 shoppers. The compromised commerce platform responsible for the breach belonged to Salesforce. While incidents like this are rare with Salesforce, cybercrime is becoming a much bigger problem overall. In 2020, 51% of businesses experienced a malware attack. Between January and September of 2021, U.S. data breaches increased by 17% from the prior year. The average cost of each attack: $4.24 million.

Usernames and passwords no longer provide sufficient protection. That is why Salesforce is stepping up its safeguards with multi-factor authentication (MFA). The change goes into effect February 1, 2022. Here’s everything you need to know to be ready for the new requirement.

What Is Multi-Factor Authentication?

When accessing an online account, an authentication process forces you to prove you are who you say you are. Historically, a username and password did the trick. But those are too easy for criminals to figure out: most usernames are email addresses, and people commonly pick simple passwords they can remember. Salesforce is moving to multi-factor authentication in response. Rather than supplying just one piece of evidence, a user must provide two or more. This method combines what a user knows, such as a username and password, with something they have, like a cell phone, to prove their identity. Think of MFA for online accounts like using an ATM. The PIN is something you know, while the bank card is something you have.

Why Is Multi-Factor Authentication Important?

In 2020, attackers created 6.95 million new phishing and scam pages. In the most common scheme, the criminal sends an authentic-looking email to a target. The recipient clicks a link in the email, allowing the attacker to capture their username and password. When the timing is right, the attacker accesses the account and gathers personal and financial data. MFA fights against this by requiring an additional authentication method. However, Salesforce is taking an extra step in protection. Rather than just texting a code to a cell phone, Salesforce requires an authentication app that provides the additional information. So, even if an attacker steals a password, they likely cannot guess or access the information from the user’s app. That makes Salesforce highly protected against phishing and other types of cyberattacks.

How Does Salesforce MFA Work?

Beginning February 1, 2022, customers are contractually required to use MFA when accessing Salesforce products. Salesforce admins can turn on MFA for all users, or companies can use their single sign-on (SSO) provider’s MFA service. Once activated, users must provide that second authentication method each time they log in.

Salesforce recommends its free Authenticator mobile app, which users can download to their cell phone. Prior to February 1, users should register the app and connect it to their account. Each time a user logs into Salesforce, the platform sends a notification to the associated mobile device. Inside the app, the user reviews the details and approves or denies the request. The process is simple, but Salesforce makes it even easier. Users have the option of telling the app to always approve the authentication request from a certain location. Therefore, when accessing Salesforce from home or the office, the app processes the request automatically without any extra user effort. If a data connection is problematic, users can enter a one-time passcode generated by the app. 

In addition to its Authenticator app, Salesforce also supports other verification methods including third-party time-based one-time password apps, physical security keys, and built-in authenticators such as biometric systems. The new MFA requirement does not allow email, SMS text messages, phone calls, or security questions as verification methods because they are easy to compromise or intercept. 

Salesforce initiates the registration process the first time a user tries to log in under MFA. The platform offers a step-by-step process for connecting the company’s selected verification method to the Salesforce account. Once enabled, the user must provide the verification method each time following their username and password.

How Do I Get Ready for MFA?

If you don’t have MFA enabled already, now is the time. After February 1, you could be locked out of Salesforce without it.

First, select the right verification method. Salesforce does not require a one-size-fits-all approach, so companies can mix and match. Review your internal security protocols. The app method might not be ideal for companies with a bring-your-own-device policy, and tracking security keys in high-turnover departments might be tricky. Find the methods that work for your business.

Next, tackle change management. Educate users on the switch and why it is important. Provide tutorials on the set-up process. You can enable MFA by permission set, which allows for smaller rollouts within the company. Make the move, document improvements, and activate the next set of users.

Finally, provide ongoing support. Add new users as they come on board. Monitor for any breaches or problems. Salesforce balanced the user experience with enhanced security by making the process easy. With the right planning, implementing multi-factor authentication can be simple.

How Do I Learn More?

Check out these great resources for more information on MFA: 

Looking for additional support? The Galvin Technologies team can help you assess current needs, determine the right verification method, activate MFA, and educate users on the switch. Salesforce protects user data. We protect you from everything but a smooth transition to MFA.

