Are You Ready to MFA?
The rumblings you hear are true: Salesforce will turn on Multi-Factor Authentication (MFA) in all instances starting February 1, 2022. What does this mean, and how can I prepare? Let us review the impact and ensure we are all prepared for this security enhancement.
First, what is MFA and why now? Cybersecurity is a hot topic right now and not one to be taken lightly. MFA is being turned on to ensure that access to your Salesforce instance is secure and that unwanted parties cannot get to the data that resides there. MFA consists of two things: something the user knows (password) and something the user has (authenticator app, security key). This will help protect against common threats such as phishing attacks, credential stuffing, and account takeovers.
What/Who is impacted? Internal Salesforce users who log in to Sales Cloud, Service Cloud, Marketing Cloud, and Pardot will all be required to have MFA turned on in February. External users who access Experience Cloud or Chatter External, and internal users with Chatter Free licenses, will not be required to have MFA enabled.
Now that we know what MFA is, who is impacted, and when it begins, let us discuss how we can prepare for this:
- Check with your IT/Cybersecurity teams internally. Do you have SSO (Okta, Azure) that is integrated with Salesforce and already has MFA? If this practice is already part of your organization and has been enabled through your SSO application that is integrated with Salesforce, you do not have to turn on Salesforce MFA and can rely on your SSO provider.
- Check with your Salesforce users that they 1) have access to a smartphone and 2) are willing to install a business application on their phone. If any of your users do not have access to a smartphone or are unwilling to download a business app to their phone, you will have to look at alternate methods such as security keys that support WebAuthn or U2F (Yubico’s YubiKey or Google's Titan, for example) or built-in authenticators such as Touch ID, Face ID, or Windows Hello.
- Plan, Communicate, Test, Document. Communication of these changes is key to ensuring your users are not interrupted, so develop a plan with IT/Cybersecurity and communicate it to all users. MFA can be applied through a permission set, so starting sooner rather than later with a subset of users and continually adding more gives you time to prepare and to generate an internal FAQ document prior to February. Whether this will be done via SSO or Salesforce, testing, communication, and documenting feedback will ensure a successful rollout.
This is a substantial change for all Salesforce users and for administrators who manage orgs, especially ones that support global users, as MFA is going live in all regions. Collaboration with your IT/Cybersecurity departments will be huge in this transition, so ensure you have a plan and follow some of the steps above. Salesforce also has a growing document that is continually updated, so be sure to check it out, along with the MFA Assistant in your own instance.