Earlier this year Salesforce announced that on February 1, 2022 customers will be required to enable multi-factor authentication (MFA) to access Salesforce products. So what actions do you need to take? And why is Salesforce requiring this change?
What You Need to Do
The good news is that if you have Salesforce configured to use Single Sign-On (SSO) through an Identity Provider (IdP) like OneLogin AND you require users to use MFA to log into OneLogin, then you don’t need to do anything! You have already fulfilled the requirement to provide more than one authentication factor when your users log into Salesforce.
If you do not already have SSO enabled for your Salesforce organization with MFA required at the IdP, you have two options:
- Enable MFA in Salesforce
If you want your users to log directly into Salesforce through the Salesforce user interface, you will need to enable MFA within Salesforce. Salesforce is working on providing MFA functionality for all of its products. Enabling MFA within Salesforce products comes at no additional cost, and Salesforce has its own authenticator app you can use free of charge.
- Enable MFA in your SSO Provider
If you have Salesforce configured for SSO with an external IdP, such as OneLogin, you simply need to make sure that MFA is enabled for the IdP. Keep in mind that Salesforce admin accounts need to retain the ability to log in directly to Salesforce, so it is still best practice to require MFA within Salesforce for those administrator accounts, covering the times when they must log in directly.
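The caveat in the second option is the one that is easiest to miss: an account is only covered if every path it can use to reach Salesforce requires a second factor, and an administrator who can bypass the IdP and log in directly is not covered by IdP MFA alone. The following is an added example, not code from Salesforce or OneLogin, that audits a constructed account inventory for exactly that gap. The `AccountPosture` fields, the `login_paths` values and the sample accounts are all assumptions; in practice you would populate them from your IdP's MFA policy and each user's Salesforce MFA setting. It generalizes the page's two options to any account with any mix of SSO and direct login paths.

```python
"""Audit whether each account requires MFA on every path it can use to reach Salesforce.

Constructed example (not Salesforce or OneLogin code). The inventory below stands in
for data you would export from your IdP and from Salesforce user settings.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class AccountPosture:
    username: str
    login_paths: set          # subset of {"sso", "direct"}: how the account can reach Salesforce
    idp_mfa_required: bool    # MFA enforced at the IdP (e.g. OneLogin) for this account
    sfdc_mfa_required: bool   # MFA enforced within Salesforce itself for direct UI logins


def mfa_gaps(account: AccountPosture) -> list[str]:
    """Return the login paths on which this account could authenticate with only a password.

    An empty list means the account satisfies the "more than one factor on every path" rule.
    """
    gaps = []
    # SSO path: the IdP is the only place a second factor can be enforced.
    if "sso" in account.login_paths and not account.idp_mfa_required:
        gaps.append("sso")
    # Direct path: IdP MFA is irrelevant here; only Salesforce's own MFA setting counts.
    if "direct" in account.login_paths and not account.sfdc_mfa_required:
        gaps.append("direct")
    return gaps


def audit(accounts: list[AccountPosture]) -> dict[str, list[str]]:
    """Map each non-compliant username to the paths that still allow password-only login."""
    report = {}
    for account in accounts:
        gaps = mfa_gaps(account)
        if gaps:
            report[account.username] = gaps
    return report


# Constructed sample inventory (hypothetical accounts, not real data).
SAMPLE = [
    # SSO-only user with IdP MFA: covered, nothing to do in Salesforce.
    AccountPosture("alice@example.com", {"sso"}, idp_mfa_required=True, sfdc_mfa_required=False),
    # Admin who can bypass the IdP: IdP MFA is on, but the direct path is still password-only.
    AccountPosture("admin@example.com", {"sso", "direct"}, idp_mfa_required=True, sfdc_mfa_required=False),
    # Direct-login user with Salesforce MFA enabled: covered by option 1.
    AccountPosture("bob@example.com", {"direct"}, idp_mfa_required=False, sfdc_mfa_required=True),
    # Neither control enabled: exposed on both paths.
    AccountPosture("carol@example.com", {"sso", "direct"}, idp_mfa_required=False, sfdc_mfa_required=False),
]


if __name__ == "__main__":
    for username, gaps in audit(SAMPLE).items():
        print(f"{username}: password-only login still possible via {', '.join(gaps)}")
```

Running the script lists `admin@example.com` (direct path) and `carol@example.com` (both paths); the admin case is the one the text warns about, where enabling MFA at the IdP looks sufficient but the direct login remains uncovered until Salesforce's own MFA setting is applied to that account.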
Make sure you provide your users with appropriate training and documentation before you require MFA for them to log in. Enabling a feature they are not familiar with can lock them out of Salesforce, hurting user productivity and business enablement.
Why is Salesforce requiring this?
Every week, there is a new report of yet another organization’s systems being breached by hackers. Hospitals, utilities, government agencies, consumer businesses: everyone can be a potential target. Many of these breaches could have been prevented if users were required to provide more than just a username and password in order to authenticate. In fact, the recent breach of Colonial Pipeline has been traced back to one compromised password that enabled the ransomware hackers to access their internal systems and demand a ransom to recover the files. If the hackers had been forced to provide one additional factor, such as a fingerprint or a single-use code, also known as a one-time password (OTP), they would have been prevented from gaining access to Colonial Pipeline’s systems. The ransomware attack would likely not have occurred. Fuel supplies to the East Coast of the United States would not have been interrupted.
Salesforce products often contain user and customer information for an entire organization. By requiring that users provide MFA to access sensitive data, Salesforce’s new MFA mandate is simply helping you protect yourself and your organization from potential breaches. Enabling MFA wherever possible is one of the best ways to prevent breaches. Hopefully, you already require MFA and do not need to worry about the February 1, 2022 deadline. If you don’t already require MFA for your users when they log in to Salesforce or any other system, you should start planning how to do this as soon as possible. Using an SSO provider like OneLogin to control those logins and configure MFA requirements through a centralized system is one of the easiest ways to protect all of your systems. Don’t wait until February 1, 2022. The time for MFA is now.