Salesforce Multi-Factor Authentication (MFA) is a secure authentication method that requires users to prove their identity by supplying two or more pieces of evidence (or “factors”) when they log in. One factor is something the user knows, such as their username and password. Other factors are verification methods that the user has in their possession, such as an authenticator app or security key. By tying user access to multiple types of factors, MFA makes it much harder for common threats like phishing attacks and account takeovers to succeed.
Salesforce announced that, beginning February 1, 2022, it will require customers to enable MFA in order to access Salesforce products. MFA is available at no extra cost.
So today we will look at how you can quickly set up Salesforce Multi-Factor Authentication in your org.
Salesforce Multi-Factor Authentication Available Methods
We can choose any or all of these verification methods:

| Method | Description |
|---|---|
| Salesforce Authenticator | A free mobile app that integrates seamlessly into your login process. Users can quickly verify their identity via push notifications. We’ll talk more about this app in a bit. |
| Third-party TOTP authenticator apps | Apps that generate unique, temporary verification codes that users type in when prompted. This code is sometimes called a time-based one-time password, or TOTP for short. Users can pick from a wide variety of options, including Google Authenticator, Microsoft Authenticator, or Authy. |
| Security keys | Small physical tokens that look like a thumb drive. Logging in with this option is fast and easy: users simply connect the key to their computer, then press the key’s button to verify their identity. Users can use any key that’s compatible with the FIDO Universal Second Factor (U2F) standard, such as Yubico’s YubiKey or Google’s Titan Security Key. |
Salesforce has also created the Multi-Factor Authentication Assistant, which provides a checklist that anyone can follow to set up MFA step by step.
1. Set the session security level for multi-factor authentication
First, go to Session Settings and make sure that Multi-Factor Authentication is in the High Assurance category. You will notice there are multiple options there; we will discuss them later.
2. Create a permission set for multi-factor authentication
Second, create a new permission set; you can name it “MFA Authorization for User”. Go to the System Permissions section and select the permission Multi-Factor Authentication for User Interface Logins. Click Save and confirm the changes.
3. Assign Permission Set to Users
Now we need to assign this permission set to users. While testing, you can assign it to your users.
4. Set up the Salesforce Authenticator App
- PHONE: Firstly download and install Salesforce Authenticator for iOS from the App Store or Salesforce Authenticator for Android from Google Play.
- PHONE: Tap the app icon to open Salesforce Authenticator.
- DESKTOP: Use your username and password to log in.
- DESKTOP: Salesforce prompts you to connect Salesforce Authenticator to your account.
- PHONE: Page through the tour to learn how Salesforce Authenticator works.
- PHONE: Enter your mobile number to create a backup of the accounts that are connected to Salesforce Authenticator. Then tap the notification when prompted to complete the verification. You can skip creating a passcode for now.
- PHONE: Tap the arrow to add your account to Salesforce Authenticator. The app displays a two-word phrase.
- DESKTOP: Enter the phrase in the Two-Word Phrase field.
- DESKTOP: Click Connect.
- PHONE: Salesforce Authenticator shows details about your account.
- PHONE: Tap Connect.
- DESKTOP: You are logged in to your Salesforce account.
5. Post Installation Steps
Finally, you are ready with Salesforce MFA. In Setup, search for Identity Verification History. There you will find details of everyone who is using Salesforce MFA.
What if a user accidentally loses their device? Without it they won’t be able to access Salesforce. Then, as an Admin, you need to go to their user detail screen and click Disconnect next to App Registration: Salesforce Authenticator. If you want to permanently remove MFA, just remove the permission set from the user.
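Once the permission set is assigned, two things are worth checking regularly against the Identity Verification History: users who hold the permission set but have never completed a successful verification (they are either not yet enrolled or are locked out), and users with a run of failed verifications. The following is an added example written for this post, not Salesforce code or a documented export format; the CSV column names (`Time`, `User`, `Activity`, `Status`, `Verification Method`), the status values `Succeeded`/`Failed` and the sample rows are all constructed to resemble what the Identity Verification History page shows, and the assigned-user list stands in for the permission set's assignment list.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. Column names and status values are an assumption
# modelled on the Identity Verification History page, not an official format.
SAMPLE_EXPORT = """Time,User,Activity,Status,Verification Method
2022-02-01T09:00:12Z,alice@example.com,Login,Succeeded,Salesforce Authenticator
2022-02-01T09:02:40Z,bob@example.com,Login,Failed,Salesforce Authenticator
2022-02-01T09:03:15Z,bob@example.com,Login,Failed,Salesforce Authenticator
2022-02-01T09:03:50Z,bob@example.com,Login,Failed,Salesforce Authenticator
2022-02-01T09:10:05Z,carol@example.com,Login,Succeeded,Security Key
2022-02-01T11:30:00Z,alice@example.com,Login,Succeeded,Salesforce Authenticator
"""

# Constructed stand-in for the users the MFA permission set is assigned to.
MFA_ASSIGNED_USERS = {
    "alice@example.com", "bob@example.com", "carol@example.com", "dave@example.com",
}


def parse_export(text: str) -> list:
    """Read the CSV export into one dict per verification event."""
    return list(csv.DictReader(io.StringIO(text)))


def summarize(rows: list) -> dict:
    """Per-user counts of successful and failed verifications and the methods that succeeded."""
    stats = defaultdict(lambda: {"succeeded": 0, "failed": 0, "methods": set()})
    for row in rows:
        entry = stats[row["User"]]
        if row["Status"] == "Succeeded":
            entry["succeeded"] += 1
            entry["methods"].add(row["Verification Method"])
        elif row["Status"] == "Failed":
            entry["failed"] += 1
    return dict(stats)


def never_verified(stats: dict, assigned_users: set) -> list:
    """Users who hold the permission set but have no successful verification on record."""
    return sorted(u for u in assigned_users if stats.get(u, {}).get("succeeded", 0) == 0)


def repeated_failures(stats: dict, threshold: int = 3) -> list:
    """Users whose failed verifications reached the threshold (worth a follow-up call)."""
    return sorted(u for u, s in stats.items() if s["failed"] >= threshold)


def audit(text: str, assigned_users: set, threshold: int = 3) -> dict:
    stats = summarize(parse_export(text))
    return {
        "never_verified": never_verified(stats, assigned_users),
        "repeated_failures": repeated_failures(stats, threshold),
    }


if __name__ == "__main__":
    for finding, users in audit(SAMPLE_EXPORT, MFA_ASSIGNED_USERS).items():
        print(f"{finding}: {', '.join(users) or 'none'}")
```

On the constructed data the audit reports `bob@example.com` and `dave@example.com` as never verified (Bob only has failures, Dave has no events at all) and `bob@example.com` for repeated failures; in a real org the second list is the one to compare against help-desk tickets before anyone is handed a temporary code, which ties in with the support-process point raised in the comments.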
So Multi-Factor Authentication is a great way to increase the security of your Salesforce org. You can check the FAQ here. Did you like the post? Let me know in the comments. Happy Programming 🙂
11 thoughts on “Salesforce Multi-Factor Authentication (MFA)”
Good post but I think it's very important to understand the easy part is the tech solution. The harder part is the impact to users and the process behind supporting them. For example if someone forgets their phone and needs to log in what do they do? You can provide one time passwords to get users logged in but what's the process around that? If anyone can ring support and ask for a one time password without any validation on who they are it defeats the whole point of MFA.
Yes it's secure but manual error can defeat the purpose.
Great post. I’m curious about our guest api users. Can we just do this for the guest user? “…go to their user detail screen and click Disconnect next to App Registration.”
Guest user don’t have login. So you can’t setup MFA for them.
could you please share what are the other alternative options for adding security for external users login outside of native MFA option?
You can use security keys or third party authenticator apps
What is the difference between Session Security Level high assurance and the MFA for UI logins flag on profiles or permission sets? I am unable to access VF page contents on mobile devices when High Assurance is selected at the profile. In the response I am getting this page from Salesforce instead of JSON: https://salesforce.stackexchange.com/questions/332156/redirect-issue-post-mfa