- Feature: Multi-Factor Authentication for Salesforce
- When Required: February 1, 2022
- Requires Configuration: Yes
- Difficulty: Easy
- Benefit: Increased Salesforce data security
With the exponential growth into remote work environments and uptick in hacking and pfishing, it is critical for you to enhance the security of your Salesforce deployment. Salesforce aims to protect your data with the requirement of Multi-Factor Authentication (MFA).
When is the MFA Deadline?
Salesforce is set to make MFA mandatory on February 1, 2022 and most organizations are preparing to make the move now. You won’t want to wait until the last moment to get MFA setup. Get MFA set up now to avoid the mad dash at the deadline. See Salesforce announcement.
Who does the MFA requirement affect?
All internal users who log into Salesforce or Salesforce partner solutions will need to begin using MFA by the February 1, 2022 deadline. This will not affect your external users, such as those on your Experience Cloud sites (communities) or help portals.
We already use Single Sign-On (SSO). Do we need MFA?
To put it simply, you will still be obligated with Salesforce to implement MFA by the 2/1/2022 deadline. However, Salesforce is allowing SSO clients to implement their own MFA outside of Salesforce.
What this means is: Salesforce is allowing you to implement your SSO provider’s MFA solution, without also requiring a separate Salesforce MFA implementation.
Keep in mind that if you have a combination of users – some using SSO and others not – you will still need to implement Salesforce MFA for those who do not use SSO.
Why Multi-Factor Authentication?
You may be most familiar with 2 Factor Authentication, or 2FA, which is actually a subset of Multi-Factor Authentication (MFA). While this does increase security, MFA focuses on two or more METHODS of authentication… more methods = more security.
What verification methods are approved for MFA?
These methods DO work for MFA:
- Salesforce Authenticator mobile app
- Time-based one-time passcode (TOTP) authenticator apps
- Security keys that support WebAuthn or U2F
- Built-in authenticators (think: fingerprint or facial recognition)
These familiar methods DO NOT work for MFA:
- One-time passcodes sent via phone, text or email
- Security questions
What do you need to do?
All Salesforce clients should make sure MFA is enabled before the February 2022 deadline. Refer to the 36 page Multi-Factor Authentication Quick Guide for Admins for details on how to enable.