The Multi-factor Authentication (MFA) requirement for Salesforce is meant to add a layer of security and increase protection against unauthorized account access. Starting February 1st, 2022, Salesforce will require customers and users to utilize MFA to access Salesforce products. Customers do have the option to use an MFA solution provided by Salesforce or use a supported third-party MFA solution. This requirement is a response to the growing concern of cyberattacks, and passwords no longer providing enough security to prevent them.
Because Salesforce can host large volumes of sensitive customer and user data, it’s important that it remains confidential, integral, and available to those who are allowed to see it. SalesForce is also considered a critical system to many businesses, that without access to it, it can stop sales, IT support, and other operations of the business. Day by day, global threats are constantly evolving, and these newer cyberattacks, such as ransomware, can easily compromise data and heavily damage an organization’s ability to operate, brand, and reputation.
MFA is an authentication solution that requires users to login using two or more methods, making it more difficult for a hacker to steal or compromise all credentials required to gain access. Authentication methods for MFA fall under 3 categories: something you know, something you have, and something you are. A common MFA combination is a password and a One-time Password (OTP) sent to the user's mobile phone, but there are more secure and convenient methods, such as biometrics, which are growing in popularity.
As per the Salesforce Trust and Compliance documentation, all Salesforce customers are contractually required to use MFA when accessing Salesforce products beginning February 1st, 2022. For each of the products that are included in the requirement, Salesforce has provided an MFA Enforcement Roadmap with dates for when MFA will be auto-enabled for each product, giving admins the option to still disable MFA if their users aren't ready to use it, and for when MFA will be enforced.
Once the enforcement deadline hits, Salesforce will enforce MFA by making it a permanent part of the login process, removing the option for admins to disable the MFA requirement. This will be a gradual process starting with customers and users who login directly to Salesforce.
Read more about the MFA Enforcement Roadmap from Salesforce.
For the MFA requirement, not all users, logins, and environments are affected. While for the most part, all Salesforce users that directly login to Salesforce are required to use MFA, this doesn’t account for all users that indirectly use Salesforce.
For example, users that have a standard user license and can access the Salesforce UI (like admins, developers, privileged and standard users, and partners) are required to use MFA. However, users who don’t have a full license or limited access to Salesforce aren’t required to use MFA for their login.
Additionally, different login types may or may not be affected by the Salesforce requirement. According to Salesforce, any login to the Salesforce interface must have MFA for their login, but integration logins don’t.
Before the MFA requirement takes effect, you can enable MFA for the following Salesforce products:
It is important to plan ahead as much as possible with MFA, making sure you understand your users' workflows and the authentication methods that would work the best for them. Often times this will require multiple types of authentication methods to achieve full user adoption.
MFA continues to be a leading way to defend against the increasing number of cyber threats. By Salesforce requiring MFA, it further validates the need for organizations to have better cybersecurity controls to protect their critical systems and data before it’s too late.
If you have questions about Multi-factor Authentication, you can learn more about it in this eBook which takes a deeper look into MFA and the perspectives and opinions of IT professionals as they work to adopt it.