MFA Salesforce security will affect all users. Are you ready?

Most people who have online accounts of any kind are familiar with Multi-Factor Authentication (MFA) to access those accounts. Beginning February 22, 2022, all Salesforce Users will be required to follow those same steps to access their Salesforce account.

In a world where everyone has a powerful computer on their person at all times in the form of a phone, chances are this requirement will have a minimal impact on their company’s Salesforce users and the requirement will just give them one more layer of protection for company data. But nobody wants to be caught off guard by a new requirement that prevents their workforce from logging in. Change is hard. Being prepared for change makes it easier.

‍

Frequently Asked Questions about the MFA Requirement

Q: How will the MFA requirement be enforced?

A: Beginning February 22, 2022, all Salesforce customers are contractually required to use Multi-Factor Authentication (MFA) in order to access Salesforce products. Salesforce will start automatically enabling MFA for users who log in directly to Salesforce products. Admins will still have the option to disable MFA if their users aren't ready yet. After the requirement deadline, Salesforce will gradually start enforcing MFA by making it a permanent part of the direct login process and removing controls for admins to disable it. Auto-enablement and enforcement dates will vary by product. So the best advice is to make necessary preparations now.

Q: What if my company already has a Multi-Factor Authentication SSO system in place?

A: Users who access Salesforce products through SSO (excluding ClickSoftware products) won’t be affected by auto-enablement and enforcement actions. But remember that MFA is contractually required for all Salesforce users who authenticate via SSO.

Becoming compliant with the new MFA requirement shouldn’t be difficult for most companies. It never hurts to make sure your company won’t be impacted by the requirement. Use the following checklist to verify that you are ready:

‍
MFA Requirement Checklist:

1. How do your users currently log into Salesforce?

A. By logging into an SSO Site like Okta, OneLogin, Keeper, etc. (see question 2)

B. By logging in directly to Salesforce.com (jump to question 3)

Note: If your users are allowed to access Salesforce products through SSO as well as by logging in directly, we recommend changing your configuration so users can't bypass your SSO system. Otherwise, you need to enable MFA for both SSO and direct logins.

‍

2. Do your Salesforce users login to an SSO site by entering a username and password, followed by a strong verification method? (ex: Salesforce Authenticator App, Third Party Authentication Apps, Security Keys, Built-In Authentication like a fingerprint, face recognition, etc)

Yes - Sweet! Based on your answers, you satisfy the MFA requirement because you're using SSO and MFA with strong verification methods to access Salesforce products.

‍

Note: If your users aren't prompted for a verification method on every login because you've implemented a Continuous Adaptive Risk and Trust Assessment (CARTA) or risk-based authentication system, your implementation satisfies the MFA requirement. Gold star right in the middle of your forehead!! You are ready!

‍

No - Your Salesforce users must receive an MFA challenge when they login to your SSO site and they must verify their identity with a strong verification method. One-time passcodes via email, text messages and voice calls aren't acceptable. To satisfy the MFA requirement:

1. Talk to your SSO provider about using their MFA service.
2. Integrate a Continuous Adaptive Risk and Trust Assessment (CARTA) or risk-based authentication system with your SSO solution.
3. For products built on the Salesforce Platform, you can use the free MFA functionality provided in Salesforce instead of enabling MFA at the SSO level. See Use Salesforce MFA for SSO Logins in Salesforce Help for details.

Note: If you're using trusted corporate devices with certificates or trusted networks for SSO access, go to Question 4.

‍

3. Do your users log in directly to the user interface for your Salesforce products by entering a username and password, followed by a supported verification method that they must provide on every login?

Yes - Excellent! Based on your answers, you satisfy the MFA requirement because you're using Salesforce MFA for every login. You can skip the remaining questions.

No- If a supported verification method is required only when users log in from new browsers or devices, you're using Device Activation or Identity Verification instead of MFA, that's good, but it doesn't satisfy the MFA requirement and you have a little more work to do.

1. You need to turn on MFA for your Salesforce products.
2. If users are never prompted for a verification method after they enter their username and password, you need to turn on MFA for your Salesforce products.
3. Note: If your Salesforce product doesn't prompt users for a verification method because you're controlling direct logins using trusted devices with certificates or trusted networks via IP allow lists, trusted IP ranges, or login IP ranges, go to Question 4.

‍

4. Are you using trusted corporate devices or trusted networks to grant access to Salesforce products?

Yes - When corporate devices with certificates or corporate (trusted) networks are used on their own, they don't satisfy the MFA requirement.

1. If you use either of these mechanisms to control SSO access or direct Salesforce logins, you should turn on MFA for your SSO identity provider or your Salesforce products. But if that's not feasible, using trusted devices with certificates in combination with a trusted corporate network can be an acceptable alternative to traditional MFA and satisfy the MFA requirement.
2. See "Do trusted corporate devices meet the MFA requirement" and "Does restricting logins to trusted networks meet the MFA requirement" in the MFA FAQ for more details.

No - Well my friend, you are officially in what we call a pickle and we’d love to help you figure it out. Let us know if you’d like a free, no-obligation consultation from one of our architects.

‍

5. Do you have Salesforce users who are sharing licenses to access Salesforce?

Note: we are not Salesforce and we are not here to trip you up or get you in trouble with Salesforce. But we can help you move forward if you are sharing licenses.
‍

Yes - MFA can get tricky and cumbersome if licenses are being shared. Set up a free, no-obligation consultation to discuss some options to become MFA compliant.
‍

No - Look at you, you rule-follower you! We’ll bet you’ve never tried to get out of jury duty either. Keep making us all proud!

‍

What should you do after completing this checklist?

• If you and your company are compliant you don’t need to do anything. You can simply have your Salesforce Administrator or Salesforce Support Provider enable MFA on February 22, 2022.
• If you don’t have a Salesforce Administrator or Salesforce Support Provider, schedule a free, no-obligation consultation with one of our Salesforce Administrators and we’d be happy to help you enable MFA
• If after using this checklist you know you or your company have some work to do to be ready for MFA enablement and you aren’t sure where to start, schedule a free, no-obligation consultation with one of our Salesforce Administrators and we’d be happy to help.
• If you are going to be unable to meet the MFA contractual requirements by February 22, 2022, what should you do?
• At SaltClick, we understand that every company faces a unique set of challenges and we would be happy to conduct a free, confidential consultation to help you roadmap a path to Salesforce MFA compliance.
• For all other questions regarding the February 22, 2022, MFA deadline please visit the Salesforce MFA FAQ Page.

Have questions? Get in touch with us.