A Guide on How To Implement Multifactor Authentication

Hopefully by now you’ve heard that Salesforce is requiring MFA enablement by February 1, 2022. It’s an important piece of cybersecurity that keeps your information and your customer information better protected. 

(If you’re not sure what MFA is or how it impacts you, check out our blog)

(If you’re not sure if you’re MFA compliant or what options you have, check out our other blog)

Here in this post, we’re going to walk you through some more details around enabling MFA in your Salesforce organization, and for your various users and partners. We’ll also cover what users have to register and some known issues/gotchas. 

Let’s dive in…

How to enable MFA in your Salesforce Org

Use the Salesforce MFA Rollout Pack to help guide you through the planning and rollout process with tools and customizable templates.

• Create permission set(s) to assign MFA on a user-by-user basis, including your System Admins. 
• Use Salesforce’s MFA assistant guided steps to plan, communicate, prepare, and rollout MFA to your Users. 
• Make sure to communicate to your users important rollout information, including dates, impact, instructions, and how to get help. 

MFA can be a simple configuration, if it meets your orgs needs; You can simply assign permission sets, register verification methods, and sign in as the users to Salesforce. Keep in mind that API and connected Apps will need MFA if the users connected to them have MFA enabled!

Our own MFA experience 

Here at Red Argyle, we already had SSO in use and enabled in Salesforce, with MFA enabled on our SSO provider. So, all we needed to do was enable MFA for our System Admins and enforce MFA through our IdP. 

We took a six-week approach…

• The first two weeks were planning and testing. 
• The next four weeks allowed for a slow rollout and more testing. 
• We communicated at 15 days, 10 days, 5 days, and 1 day from the enforcement. We shared information on who to contact for help, as well as instructions on how and what System Admins should set up for all users.  

Our clients’ experiences so far

For some of our clients, personal mobile devices are not permitted for business purposes, so they opted to roll out physical security keys to all of their users. 

One of our clients had two types of internal users; one group used SSO to login and MFA was configured through their IdP, but other group was unable to use SSO and so MFA was configured in Salesforce using physical security keys for those users. 

The client was concerned about managing the second group of users and their security keys, but we were able to reassure them that the change to their user management processes would be minimal with the User’s ability to register their own security key once their User was enabled for MFA!

How to enable MFA for your Platform Users  

Some MFA-enablement situations will be slightly different, but below we’ve broken down the basic implementation actions into step-by-step instructions. Follow these as they are relevant to your rollout needs!

Any of the below options will satisfy Salesforce’s upcoming MFA requirement. We’ve added steps for each of the verification registration methods below.  

• Salesforce Authenticator app
• ToTP/third party apps like Google Authenticator or Authy
• Physical security keys like Google’s Titan key or Yubico Yubikey
• Lightning Login 

How to enable MFA for your External Users

MFA is not required for your External Users, but it is available. Keep in mind that any of your Internal Users will be challenged with MFA when they attempt to log in to any of your Experiences (formerly Communities), Sites, and Portals, if enabled for their User.

External (Experience) Users can be identified by the following licenses:

• Community licenses
• External Identity licenses
• Employee Community licenses (either a Salesforce Platform license paired with a Company Community for Lightning Platform permission set license or a legacy Company Community license)

If you implement MFA for your customer or partner Experience Cloud sites, external users are able to log in using SMS text messages as a verification method. This does require Identity Verification Credit Add-On licenses.  Check out this article for more information.

How to enable MFA for your Partner Users

Internal Partners are considered the same as platform Users. They will be challenged when logging into the community. Use the steps for “How to enable MFA for your Platform Users” explained above.

For Partners that need access to both the Platform and the Community, there is a setting to allow the login to cross-pollinate, which would keep their session active when navigating between the internal and external applications. Again, use the steps for “How to enable MFA for your Platform Users.”

External Partners are the same as Experience users. Use the steps for “How to enable MFA for your External Users” noted above. 

How a User registers the Salesforce Authenticator App

After MFA for UI logins is enabled for a User, they will be prompted to register a verification method during their next login attempt. 

Salesforce Authenticator will be the default prompt. To add Salesforce Authenticator as the verification, follow these steps:

1. User attempts to login.
2. When prompted to register a verification method, Salesforce Authenticator is the default. Follow the prompts to register for the Salesforce Authenticator app. 

How a User registers a Third-Party Authenticator / ToTP app

After MFA for UI logins is enabled for a User, they will be prompted to register a verification method during their next login attempt. 

Salesforce Authenticator will be the default prompt. To add a Third-Party Authenticator / ToTp app, follow the steps below:

1. User attempts to login. 
2. When prompted to register a verification method (in this case Salesforce Authenticator), click Choose Alternative Method. 
3. Select Use Verification codes from an authenticator app 
4. On your mobile app, select add a new account
5. Scan the QR code displayed on your screen 
6. Now that you have successfully connected the app to your account, the app will begin generating a one-time password each time you log in.
   

How a User registers a U2F physical Security Key

After MFA for UI logins is enabled for a User, they will be prompted to register a verification method during their next login attempt. 

Salesforce Authenticator will be the default prompt. To add a physical security key, follow the steps below:

1. User attempts to login. 
2. When prompted to register a verification method (in this case Salesforce Authenticator), click Choose Another Verification Method. 

3. Select the option for Use a Universal Second Factor (U2F) Key and confirm. 
4. The User is now logged in, and their verification method is registered. An email will be received at the address associated with the User “A new verification method was added to your Salesforce account” notifying them of success. 

Lightning Login

Check out this Salesforce Help Article on How to Enable Lightning Login in your Org.

Check out this Salesforce Help Article on How a User can Enroll in Lightning Login. 

Some known issues, gotchas, and things to keep in mind

• If MFA is enabled for a brand-new user, they may not be required to register their MFA verification method the first time they log in. However, they will be required to register their method on the next login attempt. 
• MFA for System Admins (and all users) will be copied to Sandboxes when they are created / refreshed if enabled in Production or the Sandbox which is being copied. Although Salesforce indicates this shouldn’t be an issue and the user should be prompted to register a method the first time they log into the new sandbox, we’ve had trouble: We were locked out of the new sandbox when this didn’t happen. We had to create a new sandbox and do a username and password authentication into the sandbox to finish standing it up and get other people into it.  

Training Topics for Supporting your Users with MFA

• How to register a verification method. 
• How to revoke / remove their own verification method. 
• How to revoke / remove a User’s verification method. 
• How to generate a temporary identify verification code for a user. 

Don’t forget to test MFA for each user type, especially if you’re enabling MFA for Integration Users or making changes to Connected apps!

An Example Test Scenario for MFA

1. Create a new User and assign the MFA for User Interface Logins permission via profile or permission set. 
2. The User logs in. On the first login attempt, they will set their password and set up their recovery question and answer. 
3. The User logs out and attempts to login again. 
4. On this login, they are prompted to register a verification method. Follow the steps to register the verification method of choice. 
5. The User is successfully logged in and an email is received indicating a new verification method was added. 
6. The User logs out and attempts to login again. They are prompted to verify their identity using the method added earlier. 
7. The User verifies their identity and they are successfully logged in. 

More Resources for your Rollout Strategy

There’s a lot to cover with MFA, so look for new blog posts and instructions as new information emerges. We’re helping established clients and new clients enable MFA and confidentially move forward.

Assess your org and check out these other posts as they fit into your rollout strategy…

1. An Intro to MFA
2. How Do I Know If I Meet the MFA Requirements?
3. MFA For Your Salesforce System Admins