From February 1st, 2022, Salesforce will enforce multi-factor authentication to access the Salesforce application. In this article, we provide an answer to the most asked questions to make sure you are well prepared for this important change.
Why does Salesforce opt for multi-factor authentication?
With an increasing number of digital threats, the attention for security increases. Which is a good thing! A first step in the augmentation of security is preventing unauthorized access to IT systems.
In 2021, using just a username and password is not very secure anymore; passwords are shared too often, ‘leaked’ or simply ‘guessed’ by powerful computers. This is why Salesforce will enforce all its users to utilize multi-factor authentication from February 1st, 2022 onwards, which means you are required to identify yourself in two ways when signing in. This could be by using a password ánd a code using the authentication app on your mobile device.
What does multi-factor authentication mean?
This means that you show that you are really the person who is trying to sign in. A password is the first ‘factor’ (something you know), a digit code on your mobile phone is a second ‘factor’ (something you have). This is also referred to as ’two-step authentication’.
As a Salesforce customer, is it mandatory to start using multi-factor authentication?
Yes. You will be required to use this from February 1st, 2022. It is smart to anticipate on this in advance, and communicate with your users. Activation can also happen gradually, for instance per profile.
Are there alternatives?
You could make use of Single Sign On, which means you could log in using Google or Microsoft. This is done quite easily by the Salesforce and Google or Microsoft Administrators. Please make sure that signing in to either Google or Microsoft is secure as well, otherwise your backdoor is still open to cyber criminals!
Does multi-factor authentication apply to all Salesforce accounts?
No, MFA only applies to users that make use of the Salesforce application from their browsers. Accounts that are used for integration purposes (e.g. a website or financial system) are exempted, just like users of a community (Experience Cloud).
What ways of multi-factor authentication are available?
Salesforce offers three possibilities for multi-factor authentication:
- The Salesforce Authenticator App
- Other Authenticator apps (like Google or Microsoft)
- A physical USB security key (like the Titan Security Key)
Salesforce deems codes via email or text messages unsafe.
What way of multi-factor authentication does g-company recommend?
g-company recommends using another authenticator app, so either Google or Microsoft. Using these services, authentication is possible from multiple devices. This is mostly useful when a login account like ‘office manager’ is used by multiple people at the same time. On the contrary, using the Salesforce Authenticator app means that only one account can be connected with a single device for verification.
How do I enable authentication on multiple devices?
From the moment multi-factor authentication is enabled, you will be asked for an authentication method at the first login attempt. Choose for the Google or Microsoft Authenticator app. Make a screenshot of the QR code that appears, paste this in a document and share the file with the people that are allowed to sign in on this account. When this person tries to log in, he/she can use an authenticator app to scan the QR code.
What if my users do not have a smartphone?
In this case you should provide a smartphone or a USB security key.
What if users forget their smartphone or security key?
In this case they should reach out to the administrator, that can provide a temporary code to sign in without a smartphone or security key.
What if an admin cannot be reached?
g-company recommends to have at least two admins. Besides an internal administrator, this could be the support department of g-company, which can be reached during office hours. Hence, if one administrator cannot access Salesforce, there is always a backup admin plan. In case of emergency, you can always reach out to Salesforce support to get access.
What if a phone is lost?
In this case an admin can reset the authentication method, so you can use another device to sign in to Salesforce.
How do I get started?
Salesforce published extended documentation regarding this matter, like this compact manual and this video. The application administrator can implement MFA by him/herself, but it is also possible to reach out to g-company for advice and implementation.