As of February 1, 2022, all Salesforce organizations will be required to add an extra layer of security to user accounts. The Salesforce Multi-Factor Authentication (MFA) provides its users with increased account protection. This additional account protection is designed with the user in mind. It may seem like an extra “unnecessary” step but once the MFA is complete users will have increased protection against common threats such as phishing, account takeovers and credential stuffing i.e., stolen usernames and passwords.

Why should I care about Salesforce MFA?

This new requirement comes as technological exploits continue to rise. The need for best practices has never been greater. Salesforce organizations and clients will be impacted as Salesforce turns this on over the next few months. Direct login clients will see a considerable impact as Salesforce will prompt MFA at every login if not addressed.

Single Sign-On (SSO) clients will see less impact but it’s recommended that best practices should also be adhered to be in line contractually.

How does Multi-Factor Authentication prevent common threats?

MFA is a secure authentication method that requires the Salesforce user to verify their identify by providing two or pieces of evidence or “factors” when logging in to their account. Users without SSO must use at least one of the following to comply with Salesforce’s MFA standards:

• Salesforce Authenticator Mobile App
• Other third-party mobile authentication apps such as Google Authenticator, Microsoft Authenticator or Authy
• Security keys like YubiKey, or Google’s Titan Security Key
• Built-in Authenticators like Touch ID, Face ID, or Windows Hello

Contractually, users without SSO are obligated to use MFA by February 1, 2022.

SSO users will not see any enforcement from Salesforce. However, these users are required to enable MFA for their SSO providers, but no action must be taken to maintain access to the Salesforce product suite. Salesforce has not made any definitive statements about repercussions for being out of compliance with their contracts other than to say, “…We recommend speaking with your legal team to understand the implications of not enabling MFA by the requirement date. ”

What do I do next?

If you are concerned about MFA requirements, it’s best to reach out to your Salesforce Account Executive or implementation partner. Realistically, company leadership should decide the best MFA method for your organization.

If you do not have Salesforce Multi-Factor Authentication enabled for your environment or if you’re uncertain about meeting the full requirements, get in touch. We have the expertise and a dedicated team of professionals to ensure a smooth transition as we navigate the everchanging technology landscape.