Multi-Factor Authentication In Salesforce

Author: Vishal Lala

In this online era, with most of us working from home, security is a major concern. The more time users spend active online, the greater the chance of an account compromise. To address this, Salesforce has mandated that users enable Multi-Factor Authentication from 1st February 2022.

What does Authentication mean?

Authentication is the process of verifying someone's identity so that they can access the system.

Users can authenticate through multiple ways. Some of the common ways are:

  • Password-Based Authentication (e.g., username and password).
  • Token-Based Authentication (e.g., One-Time Password).
  • Certificate-Based Authentication.
  • Biometrics.

Once you are logged in to the system, you need Authorization to access the resources.

What is a Multi-Factor Authentication?

Multi-Factor Authentication adds an additional layer of security when you log in to a system. It reduces the risk of an attacker getting into your account through brute-force or dictionary attacks on the password, cracked password hashes, phishing attacks, etc., because a stolen or guessed password alone is no longer enough.

Factors are:

  • Something you know, i.e., username and password.
  • Something you have, i.e., a phone running an authenticator app, or a security key device such as a YubiKey.

One of the commonly used MFA tools is Google Authenticator.

Salesforce has also come up with its authenticator app: Salesforce Authenticator.

Key Features of Different Authenticator Apps:

Google Authenticator:

  • Uses the TOTP (Time-Based One-Time Password) algorithm for verification.
  • Available for multiple operating systems.
  • Doesn’t require connectivity to authenticate.

Salesforce Authenticator:

  • Uses a passcode to connect the account the first time, then pushes Approve/Deny notifications for verification.
  • Available for Android and iOS only.
  • Generates TOTP codes if connectivity isn’t available.
  • Can automate authentication from trusted IPs.
User Types that Support MFA:

  • Internal users

An internal user is anyone who has a standard user license and can access your Salesforce org’s UI, including admins, developers, privileged users, standard users, and users authorized to act on your company’s behalf, such as partners and third-party agencies.

  • Chatter Only (Chatter Plus) users.

User Types that Don’t Support MFA:

  • External users

An external user is anyone who has a Community, Employee Community, or External Identity license and can only access your company’s Experience Cloud sites, e-commerce sites or storefronts, help portals, or employee communities.

  • Chatter External and Chatter Free users.

Ways to Log In to the System:

  • Using username and password.
  • Using SSO (Single Sign-On).
What is SSO?

Single Sign-On is an authentication method that lets you log in to multiple systems by following a link or simply clicking a button in your app, after authenticating once.

Key terms you will come across with SSO:

  • Service Provider: the service or system you want to access when you click the link.
  • Identity Provider: the system or app from which you click the button to get redirected to your service provider.

Steps to Enable MFA in Salesforce:

  1. Go to Setup.
  2. In the Quick Find box, search for Permission Sets and click it.
  3. Create a new permission set by clicking the New button. Give it a name and save it.
  4. Open the newly created permission set and, under the System section, click System Permissions.
  5. Click Edit and tick the checkbox named “Manage Multi-Factor Authentication in User Interface”.
  6. Save it.
  7. Go to Manage Assignments and add the users for whom you want to set up MFA to the permission set.

Hurray!!! You are now done setting up MFA for the users.

Note: The only thing left for the users is to set up the account in your authenticator app. This is a one-time job, and after that, you can directly approve/deny or provide the TOTP code every time you log in.

Setting Up Your Account in Your Authenticator App:

The first time users try to log in after being added to the permission set, they will be required to set up the account in their authenticator app.

Using Salesforce Authenticator:

  1. Open the Salesforce Authenticator app.
  2. Tap Add an Account.
  3. Copy the two-word phrase from the app and paste it into your browser.
  4. Now tap Connect in your app.

Now you can see a 6-digit number in your app that is linked to your account. This is a Time-Based One-Time Password (TOTP) that refreshes continuously at a fixed interval.

That is all. Whenever you try to log in, you will see a push notification with Approve/Deny in your app.

Using a 3rd-Party Authenticator (Google Authenticator):

  1. In the browser, while logging in for the first time, click Choose Another Verification Method.
  2. Click Use verification codes from an authenticator app.
  3. Open the Google Authenticator app.
  4. In the app, tap the + button and tap Scan a QR code.
  5. Scan the QR code shown in the browser and tap Add Account.
  6. Enter the code shown in your app into the browser.

Boom!! You are done setting up MFA using a 3rd party authenticator app.

Now you can see a 6-digit number in your app that is linked to your account. This is a Time-Based One-Time Password (TOTP) that refreshes continuously at a fixed interval.

That is all. Whenever you try to log in, you have to enter the TOTP code shown in your app into the browser input box.

What to do if you have lost your phone or don’t have it with you when logging in to your account?

Contact your Admin and ask them to follow these steps.

  1. Go to the user to whom you want to give access to log in.
  2. If the user doesn’t have the phone with them while logging in, go to the User Detail section and click the Generate button next to Temporary Verification Code (expires in 1 to 24 hours).
  3. If the user has lost access to their authenticator device, click Disconnect next to App Registration: Authenticator in the User Detail section.

After the user has been disconnected from the device, they have to set up the authentication again when trying to log in.

Remove MFA for a User:

  1. Go to the user for whom you want to remove MFA.
  2. In the Permission Set Assignments section, choose the permission set in which the MFA permission was granted and click the Delete button.

You are done removing MFA for that user.

Setting MFA for SSO Logins:

  1. In Setup, in the Quick Find box, enter Session, then select Session Settings.
  2. In Session Security Levels, make sure your SSO configuration is in the Standard column and Multi-Factor Authentication is in the High Assurance column.
  3. From Setup, in the Quick Find box, enter Profiles, then select Profiles.
  4. Click the profile name, then click Session Settings in the System section.
  5. Click Edit, set Session Security Level Required at Login to High Assurance, then save your changes.
Some Good Practices:

  1. If you log in via SSO, set up MFA in your Identity Provider or in your org.
  2. Set up both Salesforce Authenticator and a 3rd-party authenticator for admins, so that losing one device does not lock them out.
  3. Don’t remove MFA for a user.

To monitor the status of MFA adoption in Salesforce, install the “Multi-Factor Authentication Dashboard” from AppExchange.
