As cyberattacks grow more common, a password alone no longer provides a sufficient safeguard against unauthorised account access: a phished, reused or leaked password is enough to take over an account. Multi-Factor Authentication (MFA) adds a second factor that an attacker holding the password does not have, increasing security for your organisation. Of the methods listed below, security keys are the only ones that resist real-time phishing; one-time codes and push approvals can be relayed by a phishing site, so they should be paired with user awareness.
From the 1st of February 2022, Salesforce will require all customers to use MFA. This means that all your internal Salesforce users will need to adopt one of the methods listed below to log in to your Salesforce production environments. This requirement does not currently apply to external Salesforce users (customer or partner portal and community logins) or Chatter Only users.
- Salesforce Authenticator Mobile App on a mobile device
- Third-party Authenticator App (Microsoft, Google, etc) – Time-based One-Time Password (TOTP) on a mobile device
- U2F Security Key (Google Titan, YubiKey)
- Single Sign-On (SSO) (Microsoft Active Directory, Azure AD, OneLogin, Duo, RSA, etc)
NOTE: From the 1st of February, one-time codes sent by email or SMS will not count as MFA, as they no longer meet the security requirements.
NOTE: Salesforce have announced they will relax the MFA policies on Sandboxes (see note at the end of this document).
If your organisation already uses Single Sign-On (SSO), Salesforce’s enforcement of MFA shouldn’t affect your users’ day-to-day login. With SSO, you configure Salesforce to trust a separate identity provider to authenticate users, so users don’t log in to each system separately.
For example, you can configure Microsoft Active Directory (or Azure AD) as the identity provider for your Salesforce org. Users log in with their AD credentials, and Salesforce trusts the identity provider to have enforced MFA. Salesforce will not prompt for a second factor again during that login, so the requirement does not change the end-user experience where SSO is used. The requirement itself still applies, however: the identity provider must enforce MFA for Salesforce logins, and any users who keep a Salesforce username and password that bypasses SSO (for example administrators kept as a fallback login) need MFA enabled in Salesforce using the steps below.
For the purposes of this document, we have assumed that most of our customers will be using the Authenticator Apps, with our recommendation being the Salesforce Authenticator App. As such, the following is an Administration Guide to implementing this feature.
Salesforce MFA Enablement Steps
Step 1: Verify that the session security level is set for multi-factor authentication
First, let’s make sure that the right security level is associated with the multi-factor authentication login method. In most production orgs, this setting is already in place. But if it’s not, it’s important to do this step before you set up MFA for any users.
From Setup, enter ‘Session Settings’ in the Quick Find box, then select Session Settings.
Under Session Security Levels, make sure that Multi-Factor Authentication is in the High Assurance category.
Step 2: Create a permission set for multi-factor authentication
You enable MFA for users by assigning the ‘Multi-Factor Authentication for User Interface Logins’ user permission. You can do this step by editing individual profiles or by creating a permission set that you assign to specific users.
Let’s create a permission set with the MFA permission.
- Login as a system administrator
- From Setup, enter ‘Permission’ in the Quick Find box, then select Permission Sets.
- Click New.
- Label the permission set “MFA Authorization for User Logins”.
- Click Save.
- Under System, click System Permissions.
- Now you’re on the detail page for the MFA Authorization for User Logins permission set.
- Click Edit.
- Select Multi-Factor Authentication for User Interface Logins.
- Click Save, then Save again to confirm the permission change.
Step 3: Assign the permission set to the users
- On the detail page of the new permission set, click Manage Assignments.
- Click Add Assignments. On the list of users, select the checkbox next to each user’s name. (If you wanted, you could assign up to 1,000 users at a time.)
- Click Assign.
Multi-factor authentication is now turned on for these users. The next time they log in, they will be prompted to register and then provide a verification method as a second factor, in addition to their username and password.
NOTE: As an Administrator, assign the permission set to your own account first and confirm that you can still log in, before assigning it to other admins and then the wider user base. Rolling it out to all admins at once leaves no verified account to fall back on if something goes wrong, so you could lock yourself or other admins out.
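For larger orgs, clicking through Manage Assignments is slow and easy to get wrong. The following Anonymous Apex script is an added example (it is not part of the original guide or of Salesforce’s documentation) that assigns the permission set from Step 2 to every active internal user who does not yet have it, assigning the running administrator first as the note above recommends. It assumes the permission set’s API name is MFA_Authorization_for_User_Logins, which is the default API name Salesforce derives from the label used in Step 2; change it if you chose a different label.

```apex
// Added example, not part of the original guide: bulk-assign the MFA permission
// set to all active internal users who do not yet hold it, admin first.
// Run from Developer Console > Debug > Open Execute Anonymous Window.
// Assumption: the permission set API name is MFA_Authorization_for_User_Logins.
PermissionSet mfaPs = [
    SELECT Id FROM PermissionSet
    WHERE Name = 'MFA_Authorization_for_User_Logins'
    LIMIT 1
];

// Users who already hold the permission set, so the script can be re-run safely.
Set<Id> alreadyAssigned = new Set<Id>();
for (PermissionSetAssignment psa : [
        SELECT AssigneeId FROM PermissionSetAssignment
        WHERE PermissionSetId = :mfaPs.Id]) {
    alreadyAssigned.add(psa.AssigneeId);
}

// Assign the running administrator first with a plain DML statement: if this
// fails it throws and the script stops before touching anyone else.
Id me = UserInfo.getUserId();
if (!alreadyAssigned.contains(me)) {
    insert new PermissionSetAssignment(AssigneeId = me, PermissionSetId = mfaPs.Id);
    alreadyAssigned.add(me);
}

// UserType = 'Standard' selects internal users only. Portal/community (external)
// users and Chatter-only users (UserType 'CsnOnly'), which the requirement does
// not cover, are skipped.
List<PermissionSetAssignment> toInsert = new List<PermissionSetAssignment>();
for (User u : [
        SELECT Id FROM User
        WHERE IsActive = true AND UserType = 'Standard']) {
    if (!alreadyAssigned.contains(u.Id)) {
        toInsert.add(new PermissionSetAssignment(
            AssigneeId = u.Id, PermissionSetId = mfaPs.Id));
    }
}

// allOrNone = false: a single user that cannot take the permission (for example
// because of their licence) must not roll back the assignments for everyone else.
Database.SaveResult[] results = Database.insert(toInsert, false);
Integer assigned = 0;
for (Integer i = 0; i < results.size(); i++) {
    if (results[i].isSuccess()) {
        assigned++;
    } else {
        System.debug(LoggingLevel.WARN, 'Could not assign MFA permission set to '
            + toInsert[i].AssigneeId + ': ' + results[i].getErrors()[0].getMessage());
    }
}
System.debug('Assigned MFA permission set to ' + assigned + ' of '
    + toInsert.size() + ' users');
```

Review the debug log for WARN lines before the cutover date: each one is a user who will still be able to log in with only a password. If you want to stage the rollout by department or profile, add the corresponding filter to the User query rather than removing the IsActive and UserType conditions.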
Notes on Authentication Apps
Your users may use multiple Authentication Apps on their mobile devices. While we recommend the Salesforce Authenticator App, it is also possible to use “One Time Password” apps like Google Authenticator or Microsoft Authenticator.
The main benefit of the Salesforce Authenticator Application is that it does not require the user to manually transfer the 6-digit code from their mobile device to the computer, it does this automatically when they click the “Approve” button. We found this to be a simpler and quicker process when compared to the other Authentication Apps.
If users don’t download an app right away, it’s not a disaster. They’re prompted to register a verification method when they log in for the first time after you turn on the MFA requirement.
Step 4: Using MFA for the First Time as an End User
In this step, the user will be jumping back and forth between their phone and the computer they are using to login to Salesforce. When on their PHONE, they are in the Salesforce Authenticator app. When on their DESKTOP, they are in their chosen web browser.
- Download and install the Salesforce Authenticator for iOS from the App Store or Salesforce Authenticator for Android from Google Play.
- Tap the app icon to open Salesforce Authenticator.
- User enters username and password to log in to your Salesforce Production Org.
- Salesforce prompts them to connect Salesforce Authenticator to their account.
- Page through the tour to learn how Salesforce Authenticator works.
- User enters their mobile number to create a backup of the accounts that are connected to Salesforce Authenticator.
- Salesforce will send a verification text message. User clicks the link in the text message to complete the verification.
- Set a 4-digit passcode in Salesforce Authenticator.
- Tap to add an account to Salesforce Authenticator. The app displays a two-word phrase.
- Enter the phrase in the Two-Word Phrase field.
- Click Connect.
- Salesforce Authenticator shows details about the user’s account: Their username and the name of the service provider—in this case, Salesforce.
- Tap Connect.
- The user is now logged in to their Salesforce account!
- From then on, every login to their Salesforce account sends a notification to their phone. They open the Salesforce Authenticator app and check the activity details. If everything looks right, they tap Approve and finish logging in.
If someone else were to try and log in with the same username and password, the user gets a notification about that too, and can tell Salesforce Authenticator to deny the login request.
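Because users only register a method when they next log in, an administrator needs a way to see who has the permission set but has still not connected an authenticator. The Anonymous Apex below is an added example (not part of the original guide) that lists those users. It assumes the same permission set API name as Step 2, MFA_Authorization_for_User_Logins, and that your org’s API version exposes the HasSalesforceAuthenticator, HasTotp and HasU2F fields of the standard TwoFactorMethodsInfo object; the script is read-only, so if a field is not available it simply fails to compile and changes nothing.

```apex
// Added example, not part of the original guide: report internal users who hold
// the MFA permission set but have not registered any qualifying verification method.
// Assumptions: permission set API name MFA_Authorization_for_User_Logins and the
// TwoFactorMethodsInfo fields named below being available in your API version.
Set<Id> mfaUsers = new Set<Id>();
for (PermissionSetAssignment psa : [
        SELECT AssigneeId FROM PermissionSetAssignment
        WHERE PermissionSet.Name = 'MFA_Authorization_for_User_Logins']) {
    mfaUsers.add(psa.AssigneeId);
}

// TwoFactorMethodsInfo has one row per user describing their registered methods.
// Verified email address and mobile number flags are deliberately not counted:
// email and SMS codes do not satisfy the requirement.
Set<Id> registered = new Set<Id>();
for (TwoFactorMethodsInfo info : [
        SELECT UserId, HasSalesforceAuthenticator, HasTotp, HasU2F
        FROM TwoFactorMethodsInfo
        WHERE UserId IN :mfaUsers]) {
    if (info.HasSalesforceAuthenticator || info.HasTotp || info.HasU2F) {
        registered.add(info.UserId);
    }
}

// Active users who are assigned MFA but have nothing registered yet, most
// recently active first, so the people to chase appear at the top.
for (User u : [
        SELECT Username, LastLoginDate FROM User
        WHERE Id IN :mfaUsers AND IsActive = true AND Id NOT IN :registered
        ORDER BY LastLoginDate DESC NULLS LAST]) {
    System.debug('No MFA method registered: ' + u.Username
        + ' (last login ' + u.LastLoginDate + ')');
}
```

Run this a week or two before the deadline and again on the day: a user who appears in the list has not yet completed Step 4 and will be walked through registration on their next login.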
Automate the Authentication Process
Continuously needing to tap Approve on their phone to get into Salesforce could get old after a while.
However, if your users regularly log in from the same place, such as the office, home, or favourite coffee shop, there is a way to improve usability. Providing they let Salesforce Authenticator use their phone’s location services, they can tell the app to verify their activities automatically when they’re in a particular spot. Salesforce Authenticator can handle the MFA requirement for them automatically!
DESKTOP: Log out of the user’s account and then login again.
PHONE: At the prompt, select “Always approve from this location”
DESKTOP: Log out of the user’s account and log in again. Voila! The user still enters their password, but is no longer prompted to approve on their phone.
Salesforce Authenticator recognises that the user is logging in to their Salesforce account again using the same device and from the same location, and grants access automatically. Bear in mind that this trades some assurance for convenience: while the phone is in a trusted location, logins that look the same are approved without anyone reading the activity details. Consider leaving automated approval off for administrators and other privileged accounts, and ask users to turn it off again in the app for a location they stop using, such as a shared office or a coffee shop.
What Happens If a User Loses their Mobile Phone?
If a user loses their phone, gets a new one, or accidentally deletes Salesforce Authenticator, they have a few options. They can either restore their accounts from the backup they made earlier, or you can disconnect their account from Salesforce Authenticator and then re-register the app.
If the user enabled account backups in their Salesforce Authenticator app, all they need to do is reinstall Salesforce Authenticator on their new phone, they’ll see the option to restore their account.
If the user didn’t back up their accounts, you can disconnect their account as follows. First verify who you are talking to through a channel other than the request itself (for example a call back to the number on file, or confirmation from their manager): an attacker who already has the password needs only a helpful administrator to reset the second factor.
- Log in to Salesforce as an administrator.
- From Setup, enter ‘Users’ in the Quick Find box, then select Users.
- Click the user’s name.
- On the user detail page, click Disconnect next to App Registration: Salesforce Authenticator.
The next time the user attempts to login, if they don’t have another verification method connected, they are prompted to connect Salesforce Authenticator again.
Microsoft Outlook Client
If you use the Outlook connector to file emails in Salesforce, enabling MFA means that you will need to also authenticate that access. Indeed, if you don’t pin the Salesforce sidebar, as described below, you will need to authenticate access every time you file an email.
Open the Outlook connector and use the pin to keep it open. While it stays open you won’t need to verify each time you use it.
MFA on Sandbox Environments
If your Salesforce licence includes sandboxes, we strongly recommend using MFA for these environments too, especially if they contain any intellectual property, customer data, or other data copied from production.
However, Salesforce has had a lot of feedback and acknowledges that with currently available functionality, it can be challenging to manage MFA for sandboxes. As such, they have modified the requirement that goes into effect on February 1st 2022, so MFA won’t be required for sandbox environments.
Note: Sandbox environments for B2C Commerce Cloud are not excluded from the MFA requirement. Also, for products such as Marketing Cloud that don’t have sandboxes, even if you have tenants, orgs, or instances that are used solely for testing purposes, MFA is required for these environments.
In the future, after Salesforce has released features that make it easier to manage MFA for sandboxes, they have said that they will reinstate the requirement for these environments.