With so many options and questions around Multi-Factor Authentication (MFA), we wanted to share some important information about securing your most privileged users: System Administrators.
It’s very important that they are required to use MFA. It’s also highly recommended that you do not enable Single Sign-On (SSO) for your System Administrators. In the event that your SSO configuration, authentication, or verification is unsuccessful, you will lose access to your org and will need Salesforce intervention.
To keep your System Administrator accounts secure while maintaining access, implementing MFA is the only option.
In this article, we will…
- Detail the steps to set up MFA for your System Administrators, using the Salesforce Authenticator app
- Describe a few alternatives to the Salesforce Authenticator app
- Discuss what can potentially go awry after MFA is enabled for these privileged users
These instructions are specific to products built on the Salesforce platform: Sales and Service Cloud.
MFA is available on these additional Platform Products: Analytics Cloud, B2B Commerce, Experience Cloud, Industries products (Consumer Goods Cloud, Financial Services Cloud, Government Cloud, Health Cloud, Manufacturing Cloud, Philanthropy Cloud), Marketing Cloud–Audience Studio, Marketing Cloud–Pardot, Platform, Salesforce Essentials, and Salesforce Field Service; and Salesforce Clouds / Products: B2C Commerce Cloud, Marketing Cloud–Datorama, Marketing Cloud–Email Studio, Mobile Studio, and Journey Builder. Support for other products is expected in mid-2021.
External Logins (Partner / Customer) will not be covered by the February 2022 enforcement, but MFA is available for them now. These are Customers and Partners who log into Experience Cloud sites, e-commerce sites, help portals, and so forth. However, industry and other regulations may still require MFA for them.
Note: for these types of users, SMS verification will be accepted as MFA.
To maintain best practices while working with Salesforce products, make sure you plan your communication, change management strategy, support plan, test plan, and more before rolling out these changes to Production. You can use the Multi-factor Authentication Assistant in Setup for more information and helpful resources, or check out the Multi-Factor Authentication Quick Guide for Admins.
Let’s dive in…
The following permissions are available on Profiles and Permission Sets for MFA enablement.
System Permission – MFA for API Logins: To be assigned to integration and API users. Require users to enter a code from a time-based one-time password (TOTP) authenticator app instead of the emailed security token in the API. This is not usually necessary for System Administrators unless they are also integration or API users. We will not include this in our permission set today. We recommend creating a second permission set for this MFA permission to assign to your integration and API users.
System Permission – MFA for User Interface Logins: Enables multi-factor authentication for User Interface Logins. To be applied to users in Standard Profiles. This is the permission we’ll use for our System Admins.
- We cannot modify the System Permissions on the standard System Administrator profile, so build a permission set with the necessary permissions for MFA:
  - Create your permission set, give it a descriptive name like “MFA for UI logins”, and describe in the Details what the permission set includes and who it should be used for.
  - Assign the following permission: Multi-Factor Authentication for User Interface Logins.
  - Assign your permission set to the System Admins in your org.
- Enforce High-Assurance sessions requiring MFA on login:
  - Edit the Session Settings on the System Administrator profile and select “High Assurance” for Session Security Level Required at Login, so that admins must use MFA to log in.
  - In Setup > Session Security Levels, make sure that Multi-Factor Authentication is in the High Assurance column.
- Have your admins log into your org and register their Salesforce Authenticator:
  - On your mobile device, download the Salesforce Authenticator app from the Apple App Store or Google Play.
  - On the login screen, enter your username and password. The Connect Salesforce Authenticator screen should display.
  - Open Salesforce Authenticator and tap Add an Account. The app then displays a two-word phrase.
  - Enter the two-word phrase on the Connect Salesforce Authenticator screen and press Connect.
  - In the Salesforce Authenticator app, confirm that the request details are correct, tap Approve, and complete your Salesforce login.
Don’t forget about your access recovery plan for your admins!
It is highly recommended that you register a minimum of two verification methods for your System Administrators and any other user with MFA enabled. Why? As a recovery option. Salesforce defaults to the highest-priority method and any additional methods are considered backup or recovery options. The following additional verification options are available.
- Time-based one-time passcode (TOTP) authenticator apps, like Google Authenticator™, Microsoft Authenticator™, or Authy™
- Security keys that support WebAuthn or U2F, such as Yubico’s YubiKey™ or Google’s Titan™ Security Key
- Built-in authenticators, such as Touch ID®, Face ID®, or Windows Hello™
Refer to Verification Methods for Multi-Factor Authentication in Salesforce Help to see the benefits and considerations for each method.
To enable Security Keys, you will need to enable the “Let users verify their identity with a physical security key (U2F)” option in your organization’s Session Settings.
Another recommendation is to have at least two Users with Manage Users permission and the permissions to manage MFA in case access recovery is necessary. We recommend creating a permission set for managing MFA (Manage Multi-Factor Authentication in User Interface) and generating temporary access codes.
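Putting the two recommendations above together (every System Administrator has the MFA permission set, and every one of them has at least two registered verification methods for recovery), here is an added audit script. It is example code written for this article, not Red Argyle's or Salesforce's own tooling. The SOQL strings are what you would run through the Salesforce REST API or the CLI; the record lists are constructed sample query results so the logic runs offline. The permission set API name, and the `TwoFactorMethodsInfo` object with its `Has*` fields, are assumptions to verify against your org's object reference before relying on the output.

```python
"""Audit active System Administrators for the two checks the article recommends:
1. the MFA permission set is assigned, and
2. at least two verification methods are registered (recovery option).

The query strings are what you would run against the org; the sample records
below are constructed so the script runs offline.
"""

# ASSUMPTION: API name of the permission set built earlier in the article.
MFA_PERMISSION_SET = "MFA_for_UI_logins"

# Queries you would run through the REST API or CLI; pass the result records
# (lists of dicts keyed by field name) to audit_admins().
ADMIN_QUERY = (
    "SELECT Id, Username FROM User "
    "WHERE IsActive = true AND Profile.Name = 'System Administrator'"
)
ASSIGNMENT_QUERY = (
    "SELECT AssigneeId FROM PermissionSetAssignment "
    f"WHERE PermissionSet.Name = '{MFA_PERMISSION_SET}'"
)
# ASSUMPTION: TwoFactorMethodsInfo field names; check your org's object reference.
METHODS_QUERY = (
    "SELECT UserId, HasSalesforceAuthenticator, HasTotp, HasU2F, "
    "HasBuiltInAuthenticator FROM TwoFactorMethodsInfo"
)
METHOD_FIELDS = (
    "HasSalesforceAuthenticator",  # Salesforce Authenticator app
    "HasTotp",                     # Google/Microsoft Authenticator, Authy, ...
    "HasU2F",                      # WebAuthn/U2F security keys
    "HasBuiltInAuthenticator",     # Touch ID, Face ID, Windows Hello
)


def count_methods(info: dict) -> int:
    """Number of distinct verification method types registered for one user."""
    return sum(1 for field in METHOD_FIELDS if info.get(field))


def audit_admins(admins, assignments, methods_info, minimum_methods=2):
    """Return {username: [problems]} for admins failing either check.

    A user with no TwoFactorMethodsInfo row has registered nothing, so they
    count as zero methods rather than being skipped.
    """
    assigned = {row["AssigneeId"] for row in assignments}
    methods_by_user = {row["UserId"]: row for row in methods_info}
    findings = {}
    for admin in admins:
        problems = []
        if admin["Id"] not in assigned:
            problems.append("missing MFA permission set")
        registered = count_methods(methods_by_user.get(admin["Id"], {}))
        if registered < minimum_methods:
            problems.append(f"only {registered} verification method(s) registered")
        if problems:
            findings[admin["Username"]] = problems
    return findings


# Constructed sample query results (not real org data).
SAMPLE_ADMINS = [
    {"Id": "005000000000001", "Username": "alice@example.com"},
    {"Id": "005000000000002", "Username": "bob@example.com"},
    {"Id": "005000000000003", "Username": "carol@example.com"},
]
SAMPLE_ASSIGNMENTS = [
    {"AssigneeId": "005000000000001"},
    {"AssigneeId": "005000000000003"},
]
SAMPLE_METHODS = [
    {"UserId": "005000000000001", "HasSalesforceAuthenticator": True,
     "HasTotp": True, "HasU2F": False, "HasBuiltInAuthenticator": False},
    {"UserId": "005000000000002", "HasSalesforceAuthenticator": True,
     "HasTotp": False, "HasU2F": False, "HasBuiltInAuthenticator": False},
    # carol has no row at all: she has never registered a method.
]

if __name__ == "__main__":
    for user, problems in audit_admins(
        SAMPLE_ADMINS, SAMPLE_ASSIGNMENTS, SAMPLE_METHODS
    ).items():
        print(f"{user}: {'; '.join(problems)}")
```

With the sample data, alice passes both checks, bob is flagged for the missing permission set and for having a single method, and carol is flagged for zero registered methods. Run the same logic against real query results before the High Assurance session setting is switched on, since an admin with the permission set but no registered method is exactly the person who gets locked out.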
After we enable it, what can go wrong?
Mainly, our concern was around Connected Apps, Integrations or APIs, and our Users. For most of these connections, you may need to log in via the UI again after MFA is enabled for your admins. If your System Admins are also used for Integration or API authentication, we recommend creating a separate API/Integration User with its own locked-down profile. MFA is not required for API logins, so if an integration cannot complete an identity verification after login, we recommend not enabling it for that profile. If it can, we recommend enabling the Multi-Factor Authentication for API Logins permission.
For your Users, make sure to communicate, train, and support them. Check out the MFA User Experience section in Salesforce’s MFA FAQ for more information.
What if we share a System Administrator license with other users, partners, etc.?
Salesforce states this clearly:
“Salesforce prohibits sharing user credentials with multiple users. Before you can satisfy the MFA requirement, you need to resolve any shared accounts or credentials that are in use. This practice is incompatible with MFA because each user must register and connect a unique verification method to their Salesforce account before they can log in. If multiple users are sharing a single account, only one person will be able to log in to that account after MFA is enabled.
To proceed with MFA, make sure you have enough licenses to set up separate accounts for each person who needs to access your Salesforce products. If you need help setting up unique user accounts, contact your Account Executive or Sales team.”
We have recently enforced MFA for our Admins here at Red Argyle so we’ll have more to tell you about our personal and customers’ experiences soon.
In the meantime, if you have any questions about MFA and what it means for your organization, contact us or your account manager for assistance!