
Multi-factor Authentication In Salesforce


Pritam Dalvi

May 13, 2022

User credentials are frequently treated insecurely. Employees reuse them repeatedly, and single-factor authentication leaves those credentials to fend for themselves. This practice has resulted in billions of dollars being stolen and in massive data breaches that take months, sometimes years, to recover from.

As a result, implementing a safer, smarter, and user-friendly solution is critical. Multi-factor authentication is one of the simplest and most effective methods for protecting your data and preventing unauthorized account access.

What is Multi-factor Authentication?

Multi-factor Authentication (MFA) is an authentication system that validates a user’s identity using two or more distinct factors rather than just a username and password combination. This verification is frequently accomplished with a One-Time Passcode (OTP) from an authenticator app or a “push” notification from the authenticating service.

MFA helps enterprises defend against identity theft, cyberattacks, and data breaches by preventing unauthorized access to apps and sensitive data.

Why is Salesforce requiring MFA?

The global threat landscape is continually changing, and the types of attacks that can cripple a firm and harm its customers are becoming more prevalent. Salesforce recognizes that maintaining the confidentiality, integrity, and availability of each customer’s data is critical to their success, and they take data security seriously.

As a result, Salesforce announced that, as of February 1st, 2022, MFA would be required for accessing Salesforce data, at no extra cost. Users will not be locked out immediately: they will still be able to log in for the next 6 months, after which MFA will be enforced by Salesforce.

MFA Verification Method In Salesforce

When MFA is enabled for Salesforce products, users must complete a verification method in addition to entering their username and password during the login process.

Salesforce MFA supports only robust verification methods that ensure the user is who they claim to be. Salesforce’s Multi-Factor Authentication (MFA) offers four such verification methods.

1. Salesforce Authenticator App: The Salesforce Authenticator mobile app makes MFA simple for users by building the verification step into the login process.

2. Third-party TOTP Authenticator app: Salesforce allows third-party authenticator apps that produce temporary codes using the OATH time-based one-time password (TOTP) algorithm (RFC 6238), for example:

  1. Google Authenticator
  2. Microsoft Authenticator
  3. Authy

3. U2F or WebAuthn Security Key: Security keys are small physical devices that are simple to use because they require no installation and no entry of codes. This is an excellent solution if users don’t have access to a mobile device or if cell phones are prohibited on the premises. Examples include:

  1. Yubico’s YubiKey
  2. Google’s Titan Security Key

4. Built-In Authenticators: Built-in authenticators leverage a device’s biometric reader, such as a fingerprint, iris, or facial recognition scanner, to validate a user’s identity. In certain circumstances, built-in authenticators instead use a PIN or password that the user has set up with their device’s operating system to confirm the user’s identity. Examples include:

  1. Windows Hello
  2. Touch ID
  3. Face ID

Let’s look at the advantages and drawbacks of each type of verification method available in Salesforce solutions.

Salesforce Authenticator App

  Description: Users may effortlessly link their Salesforce accounts with this smart and simple mobile app.
  Form Factor: iOS and Android mobile apps.
  User Experience:
  • Provides users with push notifications for easy access.
  • Check real-time details to ensure the request is valid.
  • With a single tap, reject fraudulent requests.
  • Automates authentication from known sources.
  • If no connection options are available, TOTP codes are generated.
  Drawbacks:
  • Requires a mobile device.
  Cost: Free

Third-party TOTP Authenticator App

  Description: Apps use the OATH TOTP method to create unique temporary verification codes.
  Form Factor: Apps are available for multiple operating systems.
  User Experience:
  • A wide selection of apps to pick from.
  • No connection is necessary.
  • Simple and easy to use.
  Drawbacks:
  • A mobile device is required.
  • Errors can occur when manually entering codes.
  • If your mobile device’s time is out of sync with Salesforce, you may receive invalid codes.
  Cost: Free options and paid options

U2F or WebAuthn Security Key

  Description: Public key cryptography is implemented on a physical device.
  Form Factor: Supports the U2F and WebAuthn standards for USB, Lightning, and NFC devices.
  User Experience:
  • Detects and rejects fraudulent requests.
  • No connection is necessary.
  • No need for batteries.
  • Quick and easy to use.
  Drawbacks:
  • Browser support is required (limited to U2F).
  • The key can be left unattended or left plugged in at all times.
  • Overhead for purchasing, storing, and distributing devices to users.
  Cost: Starts at approx. $20

Built-In Authenticators

  Description: Confirm identity with a PIN or password and a fingerprint, iris, or face recognition scan.
  Form Factor: Available via the device’s built-in authentication service (Windows Hello™, Touch ID®, Face ID®, and so on).
  User Experience:
  • There are no app requirements.
  • Strong public key cryptography that is unique to the user’s account.
  Drawbacks:
  • The FIDO2 WebAuthn standard must be supported by the device, OS, and browser.
  • The built-in authentication service must be activated and configured.
  • Is restricted to a single device.
  • For biometric identification, a supported scanner is necessary.
  Cost: Starts at approx. $25 for biometric devices
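As an added illustration (not code from the original post or from Salesforce), the following Python implements the RFC 6238 TOTP algorithm that the third-party authenticator apps above rely on, together with a server-side verifier that accepts codes from the neighbouring 30-second steps; this shows why a client clock that drifts only slightly still works, while one that is further out of sync produces the “invalid codes” symptom listed under the TOTP drawbacks. It uses the test secret published in RFC 4226/6238 rather than any real account secret.

```python
import hashlib
import hmac
import struct

# Test secret published in RFC 4226 / RFC 6238 (ASCII "12345678901234567890").
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation offset
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): HOTP with counter = floor(time / step)."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Accept a code from the current step or up to `window` steps on either
    side, so a slightly drifted client clock still succeeds. A client that is
    more than `window` steps out of sync is rejected, which is the
    out-of-sync failure described in the TOTP drawbacks above."""
    counter = unix_time // step
    for drift in range(-window, window + 1):
        expected = hotp(secret, counter + drift, digits)
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 Appendix B: T=59 gives "94287082" (8 digits), i.e. "287082" (6 digits).
    print(totp(RFC_TEST_SECRET, 59))
    # Client clock 30 s behind the server: still accepted with window=1.
    print(verify_totp(RFC_TEST_SECRET, "287082", 59 + 30))
    # Client clock 60 s behind the server: rejected.
    print(verify_totp(RFC_TEST_SECRET, "287082", 59 + 60))
```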
