In February 2022 Salesforce made it mandatory to use Multi-Factor Authentication (MFA) to increase the security of its platform. However, many users are still not setting up this method today. Therefore, its forced use will begin in the coming months within all orgs. In S4G we can help you analyze all the information you need to have your Salesforce platform fully protected.
What is Salesforce MFA and when does it start?
MFA or Multi-Factor Authentication is one of the simplest and most effective tools to improve the security of logins against security threats such as phishing attacks, keyloggers, credential theft…
It provides an extra layer of security to the login procedure, requiring an additional test or factor to ensure that the user really is who they say they are.
In addition to using the username and password (something you know), we need to provide something you have, for example a cell phone or a security key. In this way, the combination of “something you know” and “something you have” makes access to the system much more secure.
MFA Salesforce forced use dates for 2023
As of February 1, 2022, Salesforce began asking its customers to use MFA to access their products. All internal users who would like to access the system through the user interface should use MFA to validate login. However, while mandatory, many users did not activate it at the time. Therefore, during 2023 Salesforce has programmed dates for different products and solutions for which the use of MFA in the platform will be forced. So, at the end of 2023, any and all Salesforce users will have MFA enabled. Here are the forced use dates for each solution and product in 2023:
- Products built on Salesforce Platform: September 2023.
- MuleSoft Anypoint Platform: Second half of 2023.
- Tableau Online: April 17-21, 2023.
The remaining products and solutions have already established the forced use of MFA throughout 2022.
Salesforce MFA Verification Methods
We have multiple verification methods compatible with MFA in Salesforce. Each administrator will be able to configure the ones he/she considers appropriate for his/her organization.
- Salesforce Authenticator
This is a Salesforce Mobile App that allows you to verify the login from your cell phone.
The operation is simple: Every time the user enters his Salesforce username and password, he will receive a notification in the Salesforce Authenticator application. The user can then confirm that it was him or refuse access.
It also has the advantage of being able to configure “secure locations” such as the office or home. This way, if we are in one of these locations, access to Salesforce will be automatic.
- External authentication applications
There are third-party applications such as Google Authenticator or Microsoft Authenticator that also allow you to confirm Salesforce logins in a similar way to Salesforce Authenticator.
- Security keys
It is possible to use a security key (USB) to manage the MFA. These keys are physical security devices that can be purchased in multiple markets. Each user must have their own key and insert it into the computer to verify login.
- Integrated authenticators
Finally, it is also possible to use our own biometric authenticators available on our devices (such as the fingerprint reader, Windows Hello, Touch ID or Face ID) to secure our login.
Is Salesforce MFA mandatory?
As we said at the beginning, on February 1 we must activate MFA to strengthen the security of our organizations. At the moment it will not be a fully mandatory measure, but failure to activate it would mean that we would not be complying with Salesforce’s contractual conditions.
If you don’t know if your implementation meets the Salesforce MFA requirements, you can complete this questionnaire that reviews key aspects of your organization’s security.
In addition, you can find all the information about MFA in the FAQ that Salesforce has prepared about it. And if you have any questions about how to activate MFA in your system, do not hesitate to contact us.