Everyone is on the Internet nowadays. Day in and day out, we become more reliant on it: information is a few clicks away, empowering us to make decisions backed by data. It is convenient to use the Internet as a platform for conducting business and other daily activities and, at the same time, as a reliable and convenient repository of data and information.
As we put more of our data online, it increasingly becomes the target of cybercriminals. Hacking and phishing, among other things, grow more prevalent, and many have already fallen victim. Attackers have become adept at bypassing the most common first layer of defense, the username and password. As attacks become more frequent, it is prudent to protect data with more than a password, especially if your platform handles and processes large amounts of it. Salesforce is no exception, and it does not take security lightly either. This is where its mandatory multi-factor authentication (MFA) requirement comes in.
Salesforce is a customer relationship management (CRM) software that provides support in sales, customer service, marketing, and even application development for organizations. Businesses turn to Salesforce to make a better sense of their data and make it work to their advantage. In this day and age, business competition is tight and as such, making business decisions should not be left to chance; they should be calculated and supported by data. Otherwise, competitors will be able to easily trump and edge you out. Salesforce helps produce data-driven results for businesses, as it manages and improves business interactions with consumers by analyzing data and information available to come up with more efficient business solutions.
Multi-factor authentication (MFA) requires users to prove their identity with two or more independent factors before they are allowed to log in: something they know (a password), something they have (an authenticator app or a security key), or something they are (a fingerprint or face scan). Note that it is the number of distinct factor types that matters, not the number of prompts; entering the same password twice is not MFA. The days of the basic username-password combo alone are over. The username and password remain one factor, and an additional verification method that the user has within his or her means, such as an authenticator app or security key, is layered on top.
Salesforce deems this added layer necessary to keep user accounts protected, since most Salesforce customers handle large amounts of data on behalf of their own clients. Users can have greater confidence that their data is being well taken care of, given that information is among the most valuable commodities today. MFA greatly reduces the chance that a stolen, guessed or phished password alone is enough to get into an account, and so helps maintain the integrity of the platform and the data it contains. It does not eliminate the risk entirely: one-time codes from an app can still be relayed by a phishing page in real time, whereas security keys and built-in authenticators are bound to the genuine site and resist that attack.
Previously, an additional layer of security for logins was optional for Salesforce customers, and it was largely up to each customer's admin whether to impose extra sign-in requirements on their users. Most customers and users were content with just a username and password protecting their logins.
Times have changed, however, and cybercriminals have grown more cunning. On March 15, 2021, Salesforce announced that beginning February 1, 2022, it would require customers to use MFA when accessing Salesforce products, at no additional cost. MFA is no longer optional; it has become part of every customer's contractual obligation to Salesforce, so compliance is compulsory.
The MFA requirement is every customer's contractual obligation, as covered by Salesforce's Trust and Compliance Documentation. This means customers are now legally bound to implement MFA. To understand the repercussions fully, Salesforce advises customers to seek legal advice so that nothing is missed when meeting this commitment under the terms and conditions of their agreement.
Salesforce has likewise announced its intention to make MFA a permanent part of the platform's login process; it will no longer be optional for admins to turn on. To that end, it released an MFA enforcement roadmap giving the projected dates on which MFA will be automatically enabled, which vary by product. But no need to fret: auto-enablement will not take you by surprise. Salesforce has committed to sending notices at least six months before MFA is automatically enabled for a given product's logins, giving customers ample time to comply.
To better understand the coverage of the MFA requirement, it’s important to understand the two basic types of Salesforce users: internal users and external users.
Internal users are users with standard user licenses. They typically access Salesforce's user interface as admins, developers, privileged users, or users authorized to act on behalf of their company. Internal users must use MFA to log in to the Salesforce platform.
External users, on the other hand, can only access their company's Experience Cloud sites, employee communities, help portals, or e-commerce sites and storefronts. For this type of user MFA is not mandatory; they are exempt from the requirement.
There are certain Salesforce products that are exempt from the coverage of the mandatory MFA requirement. They are the following:
-MuleSoft Anypoint Platform On-Premises Edition
-On-Premises Tableau Server and Tableau Public
-Tableau platforms such as Tableau Desktop, Tableau Prep, Tableau Content Migration Tool (CMT), and Tableau Resource Monitoring Tool (RMT), unless they are connected to Tableau Online.
Before MFA is auto-enabled, organizations should check whether they use any of these exempt products so they can exclude the affected users from the requirement in their accounts. Salesforce maintains a dedicated webpage describing how to exclude such exempt users.
There are several ways to turn on MFA for your Salesforce platform, and the methods differ for direct logins and Single Sign-On (SSO). Let's look at how they work for each kind of login.
Direct logins support built-in authenticators, an authenticator app, and security keys. Let's take each in turn.
Built-in authenticators are verification mechanisms built into the device from which the user accesses Salesforce: face recognition, fingerprint ID, pattern unlock, and PIN codes are examples. According to Salesforce, this option is only available for a limited set of products, such as Heroku, Marketing Cloud, Datorama, and the MuleSoft Anypoint Platform. A further limitation is that the registration is bound to the device: a user who switches devices must set up the built-in authenticator on the new device as well, and the device itself must support it.
The Salesforce Authenticator app is a mobile application available for both Android and iOS, and Salesforce provides a step-by-step guide to setting it up. It is the easiest and most convenient way to enable MFA on the Salesforce platform.
Security keys are physical hardware tokens used as an MFA factor. They connect over USB, Lightning, or NFC and must support the FIDO U2F or WebAuthn (FIDO2) standards. A security key also requires a supported browser as the intermediary. The user enters the usual username and password and is then prompted to present the key, which signs a challenge to prove possession before the login is allowed. The browser includes the origin of the page it is talking to in the data the key signs, so an assertion obtained on a look-alike phishing domain does not verify against the genuine login site; this is what makes security keys phishing-resistant, unlike codes that a user can be tricked into typing into the wrong page.
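To make the origin-binding point concrete, here is an added, simplified simulation of the security-key login flow described above. It is example code written for this article, not Salesforce's or any FIDO vendor's implementation, and it makes several labelled assumptions: the relying-party ID `login.salesforce.example` and the phishing domain `login-salesforce.example` are hypothetical, and the toy key signs with an HMAC over a device secret so the example runs on the standard library alone, where a real FIDO2 authenticator uses an ECDSA P-256 key pair and the server verifies with the registered public key. What it shows is the same as for a real key: the browser refuses to let a page claim an rpId it is not served from, and the server rejects any assertion whose signed origin or rpId hash does not match its own.

```python
# Added example (not Salesforce code): toy WebAuthn/FIDO2 assertion flow
# showing why a security key resists a phishing relay.
import hashlib
import hmac
import json
import os
import secrets
from urllib.parse import urlparse

RP_ID = "login.salesforce.example"      # hypothetical relying-party ID (assumption)
RP_ORIGIN = "https://" + RP_ID           # the genuine login origin (assumption)


class ToySecurityKey:
    """Stands in for a FIDO2 authenticator. A real key holds a P-256 key pair
    and returns an ECDSA signature; this toy uses an HMAC with a device secret
    so the example needs nothing outside the standard library."""

    def __init__(self) -> None:
        self._secret = os.urandom(32)
        self._counter = 0

    @staticmethod
    def _auth_data(rp_id: str, counter: int) -> bytes:
        # authenticatorData = SHA-256(rpId) || flags (user-present bit) || signCount
        return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + counter.to_bytes(4, "big")

    def get_assertion(self, rp_id: str, client_data_json: bytes) -> dict:
        self._counter += 1
        auth_data = self._auth_data(rp_id, self._counter)
        # A real key signs exactly these bytes: authenticatorData || SHA-256(clientDataJSON)
        to_sign = auth_data + hashlib.sha256(client_data_json).digest()
        signature = hmac.new(self._secret, to_sign, hashlib.sha256).digest()
        return {"authenticatorData": auth_data,
                "clientDataJSON": client_data_json,
                "signature": signature}

    def check_signature(self, auth_data: bytes, client_data_json: bytes, signature: bytes) -> bool:
        # Server-side signature check. In reality this uses the public key
        # registered at enrolment; the shared HMAC secret stands in for it here.
        to_sign = auth_data + hashlib.sha256(client_data_json).digest()
        expected = hmac.new(self._secret, to_sign, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def browser_get(key: ToySecurityKey, page_origin: str, rp_id: str, challenge: str) -> dict:
    """The browser's role: refuse an rpId the page is not allowed to claim, and
    record the origin the page was actually loaded from in clientDataJSON."""
    host = urlparse(page_origin).hostname or ""
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise ValueError(f"rpId {rp_id!r} is not a registrable suffix of {host!r}")
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    return key.get_assertion(rp_id, client_data)


def server_issue_challenge() -> str:
    """Fresh, unpredictable challenge per login attempt."""
    return secrets.token_urlsafe(32)


def server_verify(key: ToySecurityKey, issued_challenge: str, assertion: dict) -> bool:
    """Relying-party checks, in the order a WebAuthn server performs them."""
    client_data = json.loads(assertion["clientDataJSON"])
    if client_data.get("type") != "webauthn.get":
        return False
    if client_data.get("challenge") != issued_challenge:
        return False                          # replayed or foreign challenge
    if client_data.get("origin") != RP_ORIGIN:
        return False                          # signed on a page served from elsewhere
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False                          # key was asked for a different rpId
    return key.check_signature(auth_data, assertion["clientDataJSON"], assertion["signature"])


def legitimate_login(key: ToySecurityKey) -> bool:
    """User on the genuine site: challenge issued, signed, and verified."""
    challenge = server_issue_challenge()
    assertion = browser_get(key, RP_ORIGIN, RP_ID, challenge)
    return server_verify(key, challenge, assertion)


def phishing_relay(key: ToySecurityKey,
                   phishing_origin: str = "https://login-salesforce.example") -> dict:
    """Attacker proxies the real site's challenge to a victim on a look-alike
    domain and tries to relay the resulting assertion back to the real server."""
    challenge = server_issue_challenge()      # obtained by the attacker from the real site
    browser_refused = False
    try:
        browser_get(key, phishing_origin, RP_ID, challenge)   # claim the real rpId
    except ValueError:
        browser_refused = True
    # Fall back to the phishing host's own rpId so the browser cooperates,
    # then relay that assertion to the genuine server.
    phish_rp_id = urlparse(phishing_origin).hostname or ""
    assertion = browser_get(key, phishing_origin, phish_rp_id, challenge)
    return {"browser_refused_real_rpid": browser_refused,
            "server_accepted_relayed": server_verify(key, challenge, assertion)}


if __name__ == "__main__":
    k = ToySecurityKey()
    print("legitimate login verified:", legitimate_login(k))
    print("phishing relay outcome:", phishing_relay(k))
```

The relayed assertion fails on the origin check before the signature is even examined, and the rpId hash check would catch it independently. A one-time code, by contrast, carries no information about where it was typed, which is why an authenticator-app code can be proxied by the same attacker and a security key cannot.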
If the user's organization uses Single Sign-On (SSO), it relies on an authentication scheme in which a single identity is used to log in to several separate but related systems. In that case MFA must be enforced by the SSO identity provider, and the organization should arrange to use the provider's MFA service. Where SSO is provided by an application built on the Salesforce platform itself, the organization can use the MFA built into the platform instead. One might assume that having SSO automatically makes an organization compliant; it does not. SSO on its own is a single factor, so customers who log in through SSO still need to confirm that their identity provider actually requires a second factor for every Salesforce user, and that any accounts able to bypass SSO and log in directly (admin accounts are the usual case) have MFA on the Salesforce side as well.
Making sure your organization's users comply with Salesforce's mandatory MFA requirement can seem daunting. We understand the dilemma, and so does Salesforce, which is why it provides an MFA Requirement Checker to help customers determine whether they have complied properly. It separates the guide questions for direct-login users from those for SSO users, and walks the customer through diagnosing whether the requirement has been met. If you are unsure, check the tool or reach out to customer support rather than risk being tagged as non-compliant. Remember that this is a contractual obligation, so it is important to meet it.
As long as customers comply with the requirement, Salesforce does not ask them to submit an attestation or any other form of certification. They simply have to meet the standards Salesforce sets for MFA, which the MFA Requirement Checker makes easy to confirm. No fret, no additional layer of approval.
The digital world is evolving fast, and cybercriminals adapt just as quickly. Salesforce's mandatory MFA requirement adds a layer of security that protects the data on its platform from wrongdoers, and it shows Salesforce's commitment to protecting its users' data and preserving the integrity of its platform.
That effort comes to naught without users' participation, however. Salesforce's push to protect its users' data should be matched by users doing their part, which means complying with the mandatory requirement to enable MFA on their product logins. While MFA will eventually be auto-enabled across all products, it is prudent to be proactive and adopt it as soon as possible. Beyond the contractual obligation, users should recognize that this security measure is for their own good.
In the end, it is users and their data who ultimately benefit: they gain much-needed additional protection and the assurance that the platform they use, Salesforce, has their best interests in mind.