MFA - Multi-Factor Authentication

Salesforce Requiring Multi-Factor Authentication

In the future

A few of my clients have reached out recently about the emails they’ve received from Salesforce saying they are going to require Multi-Factor Authentication (MFA). I thought it’d be a good idea to put some thoughts together on this, since it sounds like they’re forcing something on us.

Is it really required?

Yes, Salesforce is actually requiring this. That includes you.

But will it be required for everyone?

Good question! Yes, really for everyone who logs in via the user interface. Okay, now you can stop panicking; your integrations don’t use the GUI, so they will still be able to log in and run without waking you up in the middle of the night to get an authentication code or something. All users who log in interactively will be required to confirm their identity using a second method.

Alternatively: You CAN get around this by using Single Sign-On (SSO). You can use Google (like I do), Office 365, Microsoft Exchange, and many other single sign-on options. Because this offloads the authentication to something other than Salesforce, Salesforce can use the hand-sanitizer and declare themselves free of responsibility for authentication, so MFA vaporizes.

Why are they doing this to me?!?!?!?

There’s a great Q&A here from Salesforce, but the nutshell is that the threats to your org’s data are increasing every day, and passwords are just not secure enough anymore. Everyone knows that passwords can be shared super easily, many of us have them stored on sticky notes or in Google Sheets or something, and almost all of us reuse the same password all over the place. So if your password were to be exposed by one of the almost-daily hacks or data breaches, virtually all of your data would be fair game. So, as much as I hate to say it, we’ve got to do this.

*SIGH* Ok, how does it work?

MFA requires at least 2 ‘factors’ to be verified before granting access to the system. One factor is something that a user knows, such as their password. Other factors are typically something that a user has in their possession, such as their phone, or an authenticator app, or even a dongle with a rotating security code. So you’ve got lots of options for that second factor, including Salesforce’s own “Authenticator”. The way that works is, when you enter your username and password, you will be prompted to enter a code. Then you pull out your phone, open the Authenticator App, choose your org (if you have more than one), and enter the displayed code. Then boom, you’re in.

What does it cost?

There ARE some third-party authentication options that cost money, such as the dongle with the rotating code I mentioned, but if you use the Salesforce Authenticator app, it doesn’t cost you anything except the few seconds you have to spend each time you log in to enter that code.

What do I have to do?

You have to choose an authentication method, provision it, and then enable it in your org. Sounds simple, right? Well, there are some great Trailheads to show you more and to get you going. I definitely recommend starting with a sandbox first. Here’s a trailhead to get you started: User Authentication Trailhead

When do I have to do it?

This is the really important info, so it shouldn’t be at the bottom of this article (I think I will copy it to the top): you don’t have to do this until February 2022. They’re giving us plenty of notice.

Still have questions?

Great, I’m happy to help. Just click over to the Contact link at the top of the page and drop me a line.
