Are You Ready for the Salesforce MFA Requirement?
Ryan Rowcliffe, Field CTO, HYPR
5 Min. Read | December 21, 2021
Salesforce is requiring all customers to implement MFA by February 2022. Here’s what you need to know about the upcoming Salesforce MFA requirement.
Salesforce, the world’s largest customer relationship management (CRM) software provider, helps organizations maximize their revenue and improve their customer experience. However, the vast quantity of high-quality data (such as personal and billing info) that customers hold in their Salesforce accounts also makes the platform a significant target for cyberattacks.
Why Salesforce is Requiring MFA
Account takeover and data theft through Salesforce can seriously damage a brand’s reputation and disrupt operations. As with any password-based login system, Salesforce accounts can be compromised by phishing and various types of credential attacks. Moreover, Salesforce customers are being specifically targeted by attack campaigns designed to steal their user credentials.
Salesforce itself has been accused of not doing enough to protect customers and data. To counter these threats, Salesforce is mandating the use of multi-factor authentication (MFA) to access Salesforce products starting February 1, 2022. The requirement is a proactive step to reduce the risk for Salesforce and its customers and is a sign that the corporate world finally recognizes the need to move beyond password-only logins.
What is the Salesforce MFA Requirement?
The sharp rise in cybercrime over the past two years, increasing data regulations and the transition to less secure remote work environments together have made strong authentication a business necessity. MFA adds an extra layer of protection to the authentication process and is one of the most meaningful, basic security measures you can take given the inherent weakness of password-based sign-in methods. Going further, the Salesforce MFA requirement is a contractual obligation that customers must meet in order to access Salesforce products.
MFA, as a login approach, requires two or more different and independent types of verification factors. These can be a combination of:
- Knowledge – Something the user knows, such as a password, PIN or one-time password (OTP)
- Possession – Something the user has, such as an authenticator app or security key
- Inherence – Something the user is, i.e., biometric data such as a face, iris or fingerprint
It’s important to note that Salesforce does not allow email, SMS messages or phone calls as MFA verification factors since these are easily compromised by cyberattackers.
Implementing the Salesforce MFA Requirement
Implementing MFA requires significant changes to customers’ Salesforce policies and login procedures. While the Salesforce MFA requirement takes effect on February 1, 2022 as a matter of contract scope and legal obligation, customers will not be locked out of their accounts on that date. Admins will be able to turn on MFA for logins once they have decided on their own authentication protocols, i.e., which verification methods will be used and how they will be implemented. However, at a set point in time that depends on the Salesforce product, Salesforce will auto-enable MFA for people who log into products directly.
Salesforce provides flexibility as far as acceptable implementation methods. Customers that use single sign-on (SSO) can implement MFA through their SSO provider. Basic SSO does not satisfy the MFA requirement, but most providers offer an MFA capability or you can integrate an alternative MFA solution with your SSO, such as passwordless MFA.
For non-SSO users, MFA can be enabled within Salesforce products or by using a limited number of third-party authenticators. To assist admins with preparation, rollout and management, Salesforce has produced extensive documentation on the MFA requirement and other resources, such as a free Salesforce Authenticator app.
Note that currently, unlike for direct logins, Salesforce will not enforce MFA for SSO. However, there may be legal ramifications for being out of compliance.
Deployment Challenges for Businesses
Though the Salesforce MFA requirement benefits the company and its customers in terms of security, it raises significant challenges for businesses.
- User friction: A multi-step MFA login process can be a frustrating user experience that leads to adoption resistance. This is compounded when employees are required to use multiple authenticator apps and adhere to varying MFA policies.
- Cost: This includes both initial costs for implementation and any hardware, such as security keys, as well as ongoing management factors, such as IT costs when users suffer access issues.
- Lost productivity: An additional factor means it takes employees longer to access the applications and systems they need to do their work. Login issues add even more wasted time.
On top of these issues, MFA makes authentication more secure but it isn’t a cure-all. Some MFA verification methods can be bypassed by cybercriminals through sophisticated phishing approaches, SIM-swapping, man-in-the-middle (MitM) and other threats.
Can You Use Passwordless Methods?
Depending on the solution, passwordless technology can help organizations meet Salesforce and other MFA requirements while providing a simpler, faster and more secure authentication process. Many passwordless solutions do not require any hardware beyond the mobile device a person already carries.
Passwordless authentication replaces the knowledge-based factor, the password, with something you possess and something you are. Some passwordless approaches use only one factor, such as a biometric, and so do not meet the Salesforce MFA requirement. Passwordless MFA, on the other hand, combines two or more independent authentication factors, such as facial recognition (inherence) and an authenticator app (possession).
Even within the Passwordless MFA category, however, solutions vary widely. Some require hardware security tokens or keys, adding costs and complications to the login process. Others rely on sending a secret, such as emailing or texting an OTP or TOTP (time-based one-time password), making them susceptible to the same security issues as passwords and out of compliance with the Salesforce MFA requirement.
True Passwordless™ MFA, based on public key cryptography, completely removes shared secrets, making accounts more resistant to hacking. The identity verifiers, e.g., biometrics or a decentralized PIN, unlock a public-private cryptographic key pair that is used for the authentication process. No secrets are ever shared between the user and the authenticating server.
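As an added illustration of the challenge-response flow described above (example code written for this article, not HYPR's product or the Salesforce login implementation), the following Go program models the two sides with hypothetical `Server` and `Device` types: the server stores only the user's public key and issues a random challenge, and the device signs that challenge only after a simulated local biometric or PIN check unlocks the private key, so no secret is ever transmitted or stored server-side.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Relying party (hypothetical): it stores only a public key per user, so a leaked
// server database gives an attacker nothing to replay or phish with.
type Server struct{ pubKeys map[string]ed25519.PublicKey }

func NewServer() *Server { return &Server{pubKeys: map[string]ed25519.PublicKey{}} }

// Register keeps the public half of the pair; the private half never leaves the device.
func (s *Server) Register(user string, pub ed25519.PublicKey) { s.pubKeys[user] = pub }

// Challenge issues a fresh random nonce, so a captured response cannot be replayed.
func (s *Server) Challenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err) // no entropy: refuse rather than issue a weak nonce
	}
	return c
}

// Verify accepts the login only if sig is a valid signature over this exact challenge.
func (s *Server) Verify(user string, challenge, sig []byte) bool {
	pub, ok := s.pubKeys[user]
	return ok && ed25519.Verify(pub, challenge, sig)
}

// Device (hypothetical): holds the private key; a local biometric or PIN check,
// simulated by the Unlocked flag, must pass before it signs anything.
type Device struct {
	priv     ed25519.PrivateKey
	Unlocked bool
}
func NewDevice() (*Device, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	return &Device{priv: priv}, pub, err
}
// Sign returns a signature over the challenge, or false while the key is locked.
func (d *Device) Sign(challenge []byte) ([]byte, bool) {
	if !d.Unlocked {
		return nil, false
	}
	return ed25519.Sign(d.priv, challenge), true
}

// Authenticate runs one login: challenge -> local unlock and signature -> verify.
func Authenticate(s *Server, d *Device, user string) bool {
	challenge := s.Challenge()
	sig, ok := d.Sign(challenge)
	return ok && s.Verify(user, challenge, sig)
}
```

A real deployment would bind the challenge to the origin and session (as FIDO2/WebAuthn does) and store keys in hardware-backed storage; this sketch keeps only the part the article is making a point about, that the server never holds a secret that can be replayed.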
HYPR Helps You Meet the Salesforce MFA Requirement
HYPR True Passwordless Security® integrates seamlessly with your SSO provider and enables complete compliance with the Salesforce MFA requirement without introducing additional verification steps. HYPR lets you quickly roll out MFA while reducing the burden on support systems and improving the user experience.
Field CTO, HYPR
Ryan Rowcliffe is a technologist with over 20 years in the information technology industry. He has spent the last 7 years focused on Identity Access Management, Multi-Factor Authentication and Passwordless MFA solutions. Ryan loves solving business problems with modern innovation mixed with known solutions.