Salesforce Announces New Security Requirements for Organizations

Earlier this year, Salesforce announced a new requirement for all organizations using Salesforce. Beginning on February 1, 2022, Salesforce will require customers to enable multifactor authentication in order to access Salesforce products. Salesforce has continuously stated that they take the protection of their customers’ data very seriously, and this next step demonstrates just that. If this sounds confusing or complex, don’t worry; I will lay out the details below.

What Is Multifactor Authentication?

Whether you know it or not, chances are you have some experience with multifactor authentication. This is an authentication method that requires the user to provide two or more verification factors to gain access to something. Traditionally, most online applications needed only a username and a password. Now more and more companies require multifactor authentication to get access to a system. The additional factor can take the form of an authenticator app or a security key, used in addition to your username and password. The important point is that more than one factor is required, which improves security and decreases the likelihood of a successful attack.

Three Authentication Methods

There are three main authentication methods that multifactor authentication uses. A combination of at least two of these authentication methods is required for multifactor authentication.

  1. Something you know (e.g., a password)
  2. Something you have (e.g., a cellphone)
  3. Something you are (e.g., a fingerprint)

Why is Multifactor Authentication Important?

Security threats that compromise user credentials are becoming the norm. When a hacker steals a username and password, they can easily gain access to a system. If multifactor authentication is enabled, the hacker’s task becomes much harder, because they will also need to compromise the second factor of authentication to gain access. In the case of Salesforce, the hacker would need to get the user’s username and password, and then gain access to that user’s smartphone authenticator app. As it is more and more common for Salesforce users to be working from home on unsecured or public networks, multifactor authentication can safeguard user credentials.

Multifactor Authentication Works for Salesforce

Salesforce offers multifactor authentication solutions that fit any of its customers. Because every organization is different, Salesforce offers different types of verification methods, including mobile apps and hardware devices. Salesforce also offers additional tools and resources to help manage your multifactor authentication implementation, including reports and dashboards for monitoring usage, and temporary verification codes that give users access if they’ve lost or forgotten their verification method.

Multifactor Authentication Verification Methods for Salesforce

During the login process, users will be prompted to enter their username and password and an additional verification code, which will be provided to the user. Depending on your Salesforce product, you can allow any or all of the methods below:

  1. Salesforce Authentication App
  2. Third-Party TOTP Authenticator App
  3. U2F or WebAuthn Security Key

It is also important to note that as long as all of your Salesforce products are integrated with SSO, with multifactor authentication enabled on the IdP, and all users who access a Salesforce product’s interface do so via SSO, your organization will be covered when this requirement is put into effect.

Again, the multifactor authentication requirement for all Salesforce products does not go into effect until February 1, 2022, but that does not mean your organization needs to wait. Your Salesforce is full of private information important to your business and your customers. Salesforce is always thinking of ways to better protect their customers and keep their data secure, and this is just the next evolution of Salesforce’s promise to their customers.
