What is Salesforce's Multifactor Authentication Policy?

Early last year, Salesforce announced that they would be requiring their customers to use multi-factor authentication (MFA) on all Salesforce products, beginning February 1, 2022. With less than a week before this new cybersecurity measure is implemented, we wanted to walk you through the benefits of MFA and how you can get your users comfortable with the technology on the Salesforce platform. 

What Is Multi-Factor Authentication?

MFA requires two or more verification factors when logging into an application. These factors fall into three categories: something the user knows, something they have, or something they are. Usually, one of the factors will be your username and password — while the other factor might be something like a security key or an authenticator app (something you have), personal security questions (something you know), or your fingerprint (something you are). 

Salesforce uses the example of a credit card: the first factor is the card itself, while the second factor is your PIN. Of course, in the modern age of cybersecurity, we use MFA much more often than you might think. Take your cell phone, for example: Apple introduced fingerprint authentication, also known as Touch ID, way back in 2013.

Why is Multi-Factor Authentication Important?

MFA adds an extra layer of protection to your Salesforce Org by making common threats like phishing attacks, credential stuffing, and account takeovers more challenging for cyber criminals. While there is always a risk that your password will be compromised, it's very unlikely that someone can also gain access to a second verification method like a security key or authentication app. 

In 2017, Google reported that hackers steal close to 250,000 web logins each week. Any incident can be extremely dangerous for an organization (or for an individual), and the reality is that in the five years since this study was released, this number has likely grown much higher.

By enforcing a multi-step approach to logging into the platform, Salesforce has not only made it harder for cyberattacks to succeed, but has created trust in the Salesforce community that their data is protected against external risks. 

The Benefits of MFA 

Reduces fraud and identity theft. As we mentioned before, MFA reduces the threat of phishing attacks and account takeovers by adding an extra step to your login process. While cyber criminals might obtain your username and password, they won’t have your external authentication app!

Helps organizations achieve compliance. Many industries are under strict requirements to protect consumer rights and mitigate risk, and this added layer of protection is a good indication to governing bodies that your organization takes those requirements seriously.

Increases customer trust. Customers like to know that their data is safe, and appreciate businesses taking extra precautions to ensure they’re protected against cyber attacks. PwC's Consumer Intelligence Series: Trusted Tech Report shows that 52% of global consumers would leave a platform for one that better protects their data. While some people might find MFA annoying, it’s ultimately one of the most reliable means of data protection for businesses.

Simplifies the login process. While some types of MFA, like personal security questions, might make a user's login process longer, others, like authentication apps, actually streamline login activity by sending time-sensitive PINs to the user's mobile device via SMS or push notifications.

What Types of Verification Methods Satisfy the New MFA Requirement in Salesforce?

Salesforce details a few different methods that you can use for MFA. They are as follows:

  • Salesforce Authenticator
    This is an external mobile application, available for iOS and Android, that can easily connect to your Salesforce account. This authenticator delivers push notifications to users’ phones for fast access, and also allows you to deny fraudulent requests. 
  • Third-Party Authenticator Apps
    There is a wide variety of third-party applications to choose from, but some popular options are Google Authenticator, Okta Adaptive MFA and Authy. The main benefit of using a third-party solution instead of Salesforce's proprietary app is the ability to use a single app for multiple platforms: not just Salesforce but Gmail/Google Workspace, Zoom, accounting software, etc.
  • Security Keys
    Security keys are physical devices that can be scanned or inserted into your computer as a USB device. Users love this option because there is nothing to install and there are no codes to enter, and this type of method is great if users don’t have a mobile device or if phones aren’t allowed where your users work. Popular options include the YubiKey from Yubico and the Titan Security Key from Google.
  • Built-In Authenticators
    This type of verification method relies on built-in mechanisms rather than users needing a separate authenticator app or physical security key. Users can easily verify their identity with a fingerprint, iris or facial recognition scan, or a PIN or password. Some popular options are Windows Hello, Touch ID and Face ID.

Overall, multi-factor authentication is one of the most reliable ways to combat cyber attacks. Whether organizations continue working from home or attempt to go back into the office, it is critical that they protect their data from threats with methods like MFA. 
