
Salesforce multifactor authentication - FAQ

From 1 February 2022, Salesforce is going to make multifactor authentication mandatory to access the application. In this article, we answer the most frequently asked questions so that you are well prepared for this important change.

 

Why does Salesforce choose multifactor authentication?

As the number of digital threats increases, so does the focus on security. And that is a good thing!

A first step in security is preventing unauthorised access to IT systems. In 2021, a username and password alone are no longer adequate: passwords are shared too often, 'leaked', or simply guessed by powerful computers. That is why Salesforce is making multifactor authentication mandatory from 1 February 2022. It means you must identify yourself in at least two ways before you are logged in, for example by entering a password as well as a code from an authentication app on your mobile phone.

 

What does multifactor authentication mean?

This means proving in more than one way that you are really the one trying to log in. A password is the first 'factor' (something you know); a numerical code via your mobile phone is a second 'factor' (something you have). This is also known as two-step verification.

 

As a Salesforce customer, am I required to use multifactor authentication?

Yes: Salesforce will enforce this from 1 February 2022. It is wise to activate it, and to inform your users, before that date. Activation can be done incrementally if desired, for example per profile.

 

Are there any alternatives?

You could use Single Sign On. That means that with a valid login to Microsoft or Google you also get access to Salesforce immediately, without being asked for an additional login. Single Sign On can be set up fairly quickly by a Salesforce administrator in consultation with the administrator of the Microsoft or Google environment. Make sure that logging in to that environment is genuinely secure as well by setting up multifactor authentication there too; otherwise the backdoor is still open!


Does multifactor authentication apply to all Salesforce accounts?

No, this only applies to users who work in the Salesforce application via a browser. Accounts used for an integration (e.g. with a website or financial system) are excluded, as are users of a community (Experience Cloud).

 

Which authentication methods are available?

Salesforce offers three options for the additional authentication:

  • The Salesforce Authenticator App
  • Another Authenticator app (from Google or Microsoft)
  • A physical USB security key (e.g. the Titan Security Key)

Sending codes via text or email is not considered secure enough by Salesforce.

  

What does g-company recommend as the best method for authentication?

g-company recommends using the Google or Microsoft Authenticator app. The reason is that authentication is then possible from multiple devices. This is especially useful when a login account such as 'office manager' is used by more than one person. With the Salesforce Authenticator app, an account can only be linked to one device for authentication.

 

How do I enable authentication via multiple devices?

Once multifactor authentication is active, the first login attempt asks you to choose an authentication method. Choose either the Google or Microsoft Authenticator app. Take a screenshot of the QR code that appears, paste it into a document, and share that file only with the person who is also allowed to log in with the account in question. When that person logs in, he/she can scan this QR code with an Authenticator app.

 

What if my users don't have a smartphone?

In that case, you would have to provide a smartphone or USB security key.

 

What if users forgot their phone or security key?

In that case, they should contact the application administrator, who can provide a temporary access code.

 

What if the administrator cannot be reached?

g-company recommends appointing at least two administrators. Besides an internal administrator, this could be g-company's support department, which is always available during office hours. If one administrator cannot get into Salesforce, the other can still step in. In extreme cases, Salesforce support can be contacted to gain access.

 

What if a phone is lost?

In that case, the administrator can reset the authentication method so that you can log into Salesforce via a different device.

 

How do I get started?

Salesforce has published extensive documentation, such as this compact manual and this video. The application manager can pick this up himself, or contact g-company for advice and implementation.

From February 1st, 2022, Salesforce will enforce multi-factor authentication to access the Salesforce application. In this article, we provide an answer to the most asked questions to make sure you are well prepared for this important change.

 

Why does Salesforce opt for multi-factor authentication?

With an increasing number of digital threats, attention to security grows as well. Which is a good thing! A first step in improving security is preventing unauthorised access to IT systems.

In 2021, using just a username and password is not very secure anymore: passwords are shared too often, 'leaked', or simply 'guessed' by powerful computers. This is why Salesforce will require all its users to use multi-factor authentication from February 1st, 2022 onwards, which means you have to identify yourself in two ways when signing in. This could be a password and a code from the authentication app on your mobile device.

 

What does multi-factor authentication mean?

This means that you prove in more than one way that you really are the person who is trying to sign in. A password is the first 'factor' (something you know); a digit code on your mobile phone is a second 'factor' (something you have). This is also referred to as 'two-step authentication'.

 

As a Salesforce customer, is it mandatory to start using multi-factor authentication?

Yes. You will be required to use this from February 1st, 2022. It is smart to prepare for this in advance and to communicate it to your users. Activation can also happen gradually, for instance per profile.

 

Are there alternatives?

You could make use of Single Sign On, which means you can log in to Salesforce using your Google or Microsoft login. This is set up quite easily by the Salesforce administrator together with the Google or Microsoft administrator. Please make sure that signing in to Google or Microsoft is secure as well, otherwise your backdoor is still open to cyber criminals!

 

Does multi-factor authentication apply to all Salesforce accounts?

No, MFA only applies to users that make use of the Salesforce application from their browsers. Accounts that are used for integration purposes (e.g. a website or financial system) are exempted, just like users of a community (Experience Cloud).

 

What ways of multi-factor authentication are available?

Salesforce offers three possibilities for multi-factor authentication:

  • The Salesforce Authenticator App
  • Other Authenticator apps (like Google or Microsoft)
  • A physical USB security key (like the Titan Security Key)

Salesforce deems codes via email or text messages unsafe.

 

What way of multi-factor authentication does g-company recommend?

g-company recommends using another authenticator app, so either Google's or Microsoft's. With these apps, authentication is possible from multiple devices. This is mostly useful when a login account like 'office manager' is used by multiple people at the same time. By contrast, with the Salesforce Authenticator app an account can only be connected to a single device for verification.

 

How do I enable authentication on multiple devices?

From the moment multi-factor authentication is enabled, you will be asked for an authentication method at the first login attempt. Choose the Google or Microsoft Authenticator app. Make a screenshot of the QR code that appears, paste it into a document, and share the file with the people who are allowed to sign in to this account. When such a person tries to log in, he/she can use an authenticator app to scan the QR code.
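The recommendation of the Google or Microsoft Authenticator apps and the QR-code enrolment steps above rest on one mechanism: those apps implement time-based one-time passwords (TOTP, RFC 6238), and the QR code encodes an otpauth:// URI whose secret parameter is the shared seed. The following Python is an added example, not code from g-company or Salesforce, showing how such a URI is parsed and how a server verifies the six-digit codes, including the tolerance for small clock drift between phone and server. The URI, account name and key are constructed sample values (the key is the RFC 6238 reference key, so the codes can be checked against that RFC's test vectors).

```python
# Added example, not code from g-company or Salesforce: what an authenticator
# app stores from a QR code, and how a server verifies the resulting codes.
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def decode_base32_secret(secret):
    """otpauth secrets are unpadded base32; restore the padding before decoding."""
    secret = secret.strip().replace(" ", "")
    return base64.b32decode(secret + "=" * (-len(secret) % 8), casefold=True)


def parse_otpauth_uri(uri):
    """Pull the fields an authenticator app keeps out of an otpauth://totp/ URI.
    The 'secret' is the seed: anyone holding the QR image holds it."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("only otpauth://totp/ URIs are handled here")
    params = parse_qs(parsed.query)
    if "secret" not in params:
        raise ValueError("otpauth URI has no secret parameter")
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "issuer": params.get("issuer", [""])[0],
        "key": decode_base32_secret(params["secret"][0]),
        "digits": int(params.get("digits", ["6"])[0]),
        "period": int(params.get("period", ["30"])[0]),
        "algorithm": params.get("algorithm", ["SHA1"])[0].upper(),
    }


def hotp(key, counter, digits=6, algorithm="SHA1"):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(key, struct.pack(">Q", counter), HASHES[algorithm]).digest()
    offset = digest[-1] & 0x0F
    binary = (
        (digest[offset] & 0x7F) << 24
        | digest[offset + 1] << 16
        | digest[offset + 2] << 8
        | digest[offset + 3]
    )
    return str(binary % 10**digits).zfill(digits)


def totp(key, at_time, period=30, digits=6, algorithm="SHA1"):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(key, int(at_time) // period, digits, algorithm)


def verify_totp(key, code, at_time, period=30, digits=6, algorithm="SHA1", window=1):
    """Accept the code for the current time step or any step within +/- window
    (tolerates small clock drift). Every candidate is compared in constant time
    and the loop never exits early, so timing does not reveal which step matched."""
    step = int(at_time) // period
    matched = False
    for delta in range(-window, window + 1):
        if step + delta < 0:
            continue
        candidate = hotp(key, step + delta, digits, algorithm)
        matched |= hmac.compare_digest(candidate, str(code))
    return matched


def verify_code_from_uri(uri, code, at_time=None, window=1):
    """Verify a submitted code against the parameters of an enrolled otpauth URI."""
    entry = parse_otpauth_uri(uri)
    now = time.time() if at_time is None else at_time
    return verify_totp(entry["key"], code, now, entry["period"], entry["digits"],
                       entry["algorithm"], window)


# Constructed sample URI (hypothetical account); the secret is the RFC 6238
# reference key "12345678901234567890" encoded in base32.
SAMPLE_URI = (
    "otpauth://totp/Salesforce:office.manager%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Salesforce&digits=6&period=30"
)

if __name__ == "__main__":
    entry = parse_otpauth_uri(SAMPLE_URI)
    print("enrolled:", entry["label"], "issuer:", entry["issuer"])
    print("code for t=59 (RFC 6238 vector, 6 digits):", totp(entry["key"], 59))
    print("current code:", totp(entry["key"], time.time()))
```

Two things the example makes visible. First, the screenshot of the QR code is the seed itself: every holder of that image can generate valid codes for as long as the enrolment exists, so the file must be stored and deleted with the same care as a password, and a reset by the administrator (see the lost-phone question) is the only way to revoke it. Second, the verifier accepts the previous and next 30-second step as well as the current one, which is why a code still works for a short moment after it has rolled over on the phone.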

 

What if my users do not have a smartphone?

In this case you should provide a smartphone or a USB security key. 

 

What if users forget their smartphone or security key?

In this case they should reach out to the administrator, who can provide a temporary code to sign in without a smartphone or security key.

 

What if an admin cannot be reached?

g-company recommends having at least two admins. Besides an internal administrator, this could be the support department of g-company, which can be reached during office hours. That way, if one administrator cannot access Salesforce, there is always a backup admin. In case of emergency, you can always reach out to Salesforce support to get access.

 

What if a phone is lost?

In this case an admin can reset the authentication method, so you can use another device to sign in to Salesforce.

 

How do I get started?

Salesforce has published extensive documentation on this matter, such as this compact manual and this video. The application administrator can implement MFA him/herself, but it is also possible to reach out to g-company for advice and implementation.