Login policies and MFA – User Management and Security
In the previous section, we discovered how to secure data internally, so that a user who already has access to your org sees only the data they should see and no more. Now, let’s see how to secure access to the org itself. In this section, we will handle the security topics related to Salesforce users’ MFA. This topic is very important, and each company should be aware of it. As Stéphane Nappo, Cisco Security Officer, once said: “It takes 20 years to build a reputation and a few minutes of cyber incident to ruin it.” Let’s now see how Salesforce creates a secure org environment using MFA.
MFA is a straightforward yet highly effective method to strengthen login security, offering robust protection for your business and data against security threats. MFA requires users to confirm their identity through two or more verification steps before gaining access to their Salesforce account. Several methods can be used to secure your org. Let’s list them and explain each in detail:
- Salesforce authentication app: The easiest, most convenient, and cost-free among all the MFA options in Salesforce. It’s a Salesforce native mobile app for iOS and Android that will be used by your users to be able to log in to your org.
- Third-party authentication app: Third-party authenticator applications capable of generating time-based one-time password (TOTP) codes. Works similarly to the Salesforce authentication app but it’s not a Salesforce product. Among the popular options, we can list Google Authenticator™ and Authy™.
- Security keys: These are physical devices that use public-key cryptography. I know that it looks a bit old-school, but some companies are using this kind of physical key, and Salesforce gives you the option to use it too.
- Built-in authenticators: Verify identity with a fingerprint, iris, or facial recognition scan, or a PIN or password.
As you can see, the Salesforce native app is the most recommended option when implementing MFA in Salesforce. Of course, other options are also valid but are often related to additional costs, and their implementation is more complicated and time-consuming.
Now that we know which authentication option we have, let’s see what the MFA implementation options in Salesforce are.
Starting from February 1, 2022, applications developed on the Salesforce platform mandate MFA for user access to your org’s user interface. You have the option to enable MFA universally for all users at once or implement it gradually in phases for specific user groups who log in directly using a username and password. Possible implementation options are the following:
- Enable MFA for your entire org – You have the option to activate MFA organization-wide using a single configuration. Once enabled, every internal user accessing their accounts with their username and password will be required to provide a secondary verification method.
- Enable MFA for specific users – You have the flexibility to begin implementing MFA by initiating a pilot program or gradually introducing it to your users through phased rollouts using the MFA user permission. Once MFA is activated, users logging in to your organization directly with their username and password will be required to present a secondary verification method.
- Exclude exempt users from MFA – Certain scenarios are exempt from the mandatory MFA requirement. As Salesforce implements and enforces MFA in the future, many of these scenarios will be automatically excluded. However, there are a few cases where customers need to exempt themselves. If any of these situations are relevant to your environment, use the Waive Multi-Factor Authentication for Exempt Users user permission before MFA is activated for your organization, either on your own initiative or by Salesforce in future updates. Avoid assigning this permission to any internal users accessing your Salesforce org’s UI, which includes admins, privileged users, standard users, developers, as well as users authorized to represent your company, such as partners and third-party agencies.
Controlling logins and setting up MFA is one of the most crucial tasks for a Salesforce administrator. In the age of cybercrime, you need to act as a cyber guardian to safeguard your data and users from internet threats. Now that you’re aware of the Salesforce features that can enhance your org’s safety, we also recommend studying these topics further in Salesforce Trailhead. As software is a living organism, staying up to date with Salesforce’s best practices is essential to remain informed about any new features that can enhance or alter organizational safety.