Multi-factor Authentication In Salesforce

User credentials are frequently treated insecurely. Employees reuse them repeatedly, and single-factor authentication leaves them to fend for themselves. This process has resulted in billions of dollars being stolen and massive data breaches that take months, sometimes years, to recover.

As a result, implementing a safer, smarter, and user-friendly solution is critical. Multi-factor authentication is one of the simplest and most effective methods for encrypting your data and preventing illegal account access.

What is Multi-factor Authentication??

Multi-factor Authentication (MFA) is an authentication system that validates a user’s identity using two or more distinct procedures rather than just a username and password combination. This verification is frequently accomplished by using an authenticator app’s One-Time Passcode (OTP) or a “push” from the authenticating service.

MFA helps enterprises defend against identity theft, cyberattacks, and data breaches by preventing unauthorized access to apps and sensitive data.

Why is Salesforce requiring MFA?

The global threat landscape is continually changing, and the types of assaults that can cripple a firm and abuse customers are becoming more prevalent. Salesforce recognizes that maintaining the confidentiality, integrity, and availability of each customer’s data is critical to their success, and they take data security seriously.

As a result, Salesforce announced on February 1st, 2022, that MFA would be enabled for accessing Salesforce data with no extra cost. Users will not be locked. Users will able to login for next 6 months but after 6 months MFA will be enforced by Salesforce.

MFA Verification Method In Salesforce

When MFA is enabled for Salesforce products, users should complete a verification method in addition to their username and password during the login process.

Salesforce MFA only supports robust verification methods, ensuring that the user is who they claim to be. Salesforce’s Multi-Factor Authentication (MFA) provides four different robust verification techniques.

1. Salesforce Authenticator App: A Salesforce Authenticator mobile app makes MFA simple for users by incorporating MFA into the login process.

2. Third-party TOTP Authenticator app: Salesforce allows third-party authenticator apps to produce temporary codes using the OATH time-based one-time password (TOTP) algorithm (RFC 6238).

1. Google Authenticator
2. Microsoft authenticator
3. Authy

3. U2F or WebAuthn Security Key: Security keys are small physical devices that are simple to use because they don’t require any installation or entry of codes. This is an excellent solution if consumers don’t have access to a mobile device or if cell phones are prohibited on the premises.

1. Yubico’s YubiKey
2. Google’s Titan Security Key

4. Built-In Authenticators: Built-in authenticators leverage a device’s biometric reader, such as a fingerprint, iris, or facial recognition scanner, to validate a user’s identity. In certain circumstances, built-in authenticators use a PIN or password that the user creates with their device’s operating system to confirm a user.

1. Windows Hello
2. Touch ID
3. Face ID

Let’s look at the advantages and drawbacks of each type of verification method available in Salesforce solutions.

Bases	Salesforce Authenticator App	Third party TOTP Authenticator app	U2F or WebAuthn Security Key	Built-In Authenticators
Description	Users may effortlessly link their Salesforce accounts with this smart and simple mobile app.	Apps use the OATH TOTP method to create unique temporary verification codes.	Public key cryptography is implemented on a physical device.	Confirm identity with a pin or password and a fingerprint, iris, or face recognition scan.
Form Factor	iOS and Android mobile apps	Multiple operating systems have apps available.	Support U2F and WebAuthn standards for USB, Lightning, and NFC devices.	Available via the device’s built-in authentication service (Windows HelloTM, Touch ID®, Face ID®, and so on).
User Experience	Provides users with push * notifications for easy access. Check real-time details to ensure the request is valid. With a single tap, reject fraudulent requests. Automates authentication from known sources. If no connection options are available, TOTP codes are generated.	A wide selection of apps to pick from. No connection is necessary.	Simple & easy to use. Detects and rejects fraudulent requests. No connection is necessary. No need for batteries	Quick and easy to use. There are no app requirements Strong public key cryptography that is unique to the user’s account.
Considerations	Requires a mobile device.	A mobile device is required. Errors can occur when manually entering codes. If your mobile device’s time is out of sync with Salesforce, you may receive invalid codes.	Browser support is required (limited to U2F) The key can be left unattended or set at all times. Overhead for purchasing, storing and distributing gadgets to users.	The FIDO2 WebAuthn standard must be supported by the device, OS, and browser. The built-in authentication service must be activated and configured. Is restricted to a single device. For biometric identification, a supported scanner is necessary.
Cost	Free	Free options and payment options	Starts at approx. $ 20	Starts at approx. $ 25 for biometric devices