Admin Guide To Multi-Factor Authentication

Transcription

For products built on the Salesforce Platform

Admin Guide to Multi-Factor Authentication

Get ready for MFA and rolling it out to Salesforce users

Table of Contents

Chapter 1: The Time for Multi-Factor Authentication is Now!
- What Is MFA and Why Is It Important?
- How Multi-Factor Authentication Works
- MFA for Salesforce
- MFA Verification Methods for Salesforce
  - Salesforce Authenticator
  - Third-Party Authenticator Apps
  - Security Keys
- Choose Verification Methods for Your Implementation

Chapter 2: Implement MFA for Salesforce
- The Recommended Path to MFA
- Get It Done with the Multi-Factor Authentication Assistant
- Plan Your Rollout
- When You’re Ready to Go Live
- Enable MFA for Your Users
  - Create an MFA Permission Set
  - Assign the Permission Set to Users
- The User Experience When MFA is Live
  - Salesforce Authenticator: How Users Register and Log In
  - Third-Party Authenticator Apps: How Users Register and Log In
  - Security Keys: How Users Register and Log In

Chapter 3: Ensure Successful Adoption of MFA
- Measure the Success of Your Rollout
- Support Users and Ongoing Operations

Chapter 4: Learn More
- Additional Resources

Version 2020.10 Copyright 2000-2020 salesforce.com, inc. All rights reserved. Salesforce is a registered trademark of salesforce.com, inc., as are other names and marks. Other marks appearing herein may be trademarks of their respective owners.

Chapter 1: The Time for Multi-Factor Authentication is Now!

See how MFA is an effective way to safeguard access to Salesforce accounts

What Is MFA and Why Is It Important?

As the security landscape evolves and threats that compromise user credentials grow more common, it’s important to implement strong security measures to protect your business and customers.

Usernames and passwords alone don’t provide sufficient safeguards against unauthorized account access. Multi-factor authentication (MFA) adds an extra layer of protection against threats like phishing attacks, credential stuffing, and account takeovers.

Multi-factor authentication is one of the easiest, most effective ways to help prevent unauthorized account access and safeguard your Salesforce data.

MFA for Salesforce is available at no extra cost!

How Multi-Factor Authentication Works

MFA requires users to prove they’re who they say they are by providing two or more pieces of evidence – or factors – when they log in.

One factor is something the user knows, such as their username and password combination. Other factors are verification methods that the user has, such as an authenticator app or security key.

By tying user access to multiple, different types of factors, it’s much harder for a bad actor to gain entry to your Salesforce environment. Even if a user’s password is stolen, the odds are very low that an attacker can guess or impersonate a factor that a user physically possesses.

[Figure: a login form (username, password, Login button) labeled "Something you know" next to a second factor labeled "Something you have"]

MFA for Salesforce

Salesforce offers simple, innovative MFA solutions that provide a balance between strong security and user convenience.

Because your business requirements and users’ needs are diverse, you can pick and choose between different types of verification methods, including mobile apps and hardware devices.

And to help manage your MFA implementation, we provide a variety of tools and resources, including:
- Reports and dashboards for monitoring usage
- Temporary verification codes that give users access if they’ve lost or forgotten their verification method

Use this guide to set up MFA for products built on the Salesforce Platform, including:
- Sales Cloud
- Service Cloud
- Analytics Cloud
- B2B Commerce
- Experience Cloud
- Industries products (Consumer Goods Cloud, Financial Services Cloud, Government Cloud, Health Cloud, Manufacturing Cloud, Philanthropy Cloud)
- Marketing Cloud Audience Studio
- Marketing Cloud Pardot
- Platform
- Salesforce Essentials
- Salesforce Field Service

MFA is available in Salesforce Classic and Lightning Experience. MFA is available in all Editions.

MFA Verification Methods for Salesforce

MFA adds an extra authentication step to your Salesforce login process.
1. The user enters their username and password, as usual.
2. Then the user is prompted to provide a verification method.

Salesforce requires users to provide a verification method that’s in their possession. You can allow any or all of these methods.
- Salesforce Authenticator App: fast, free authentication
- Third-Party TOTP Authenticator App, such as Google Authenticator, Microsoft Authenticator, Authy
- U2F Security Key, such as Yubico’s YubiKey, Google’s Titan Security Key

Email, SMS text messages, and phone calls aren’t allowed as MFA verification methods because email credentials are more easily compromised, and text messages and phone calls can be intercepted. It’s a lot harder for bad actors to get control of an actual mobile device or physical security key than it is to infiltrate an email account or hack a cell phone number.

Salesforce Authenticator: Fast, Free, Frictionless MFA

The Salesforce Authenticator mobile app makes MFA easy by integrating into your login process. It’s simple for users to install and connect to their Salesforce accounts.

When a user logs in, they get a push notification on their mobile device. The user taps the notification to open Salesforce Authenticator and sees the following information:
- The action that needs to be approved
- Which user is requesting the action
- Which service is requesting the action
- What device the user is using
- The location from which the request is coming

With this information, the user can quickly and confidently approve or deny the authorization request. They can also automate the extra authentication step when working from a trusted location.

If the user’s mobile device doesn’t have connectivity, they can still log in using six-digit TOTP codes generated by Salesforce Authenticator.

Third-Party Authenticator Apps

Salesforce supports the use of third-party authenticator apps that generate temporary codes based on the OATH time-based one-time password (TOTP) algorithm (RFC 6238).

There are many apps available, including free versions. Options include:
- Google Authenticator
- Authy
- Microsoft Authenticator

To log in using this type of verification method, the user gets a code from a TOTP authenticator app, then enters that code during the Salesforce login process.

TIP: If users have already installed a TOTP app for personal or business use, they can set up the same app for Salesforce logins.

Behind the Scenes

TOTP authenticator apps generate temporary codes on the basis of a secret key (known only to the user and the service, such as Salesforce) and the current time. A code is valid for 30 seconds and then a new one is generated.

TOTP authenticator apps can generate codes even if the user’s phone doesn’t have a data or internet connection.

Security Keys

Security keys are small physical devices that are easy to use because there’s nothing to install and no codes to enter. This is a great option if users don’t have a mobile device or if cell phones aren’t allowed on the premises.

Security keys make MFA logins fast. A user simply:
1. Connects their key to the computer
2. Presses the key’s button to verify their identity

Behind the Scenes

Salesforce supports security keys that are compatible with FIDO U2F. This standard uses strong public-key cryptography to protect users from man-in-the-middle attacks and malware. To learn more about what’s happening behind the scenes with security keys, check out the FIDO U2F site.

Security keys require a supported browser to act as an intermediary between the key and Salesforce.

Security key options include Yubico’s YubiKey and Google’s Titan Security Key.
Supported form factors: USB-A, USB-C, Lightning
Supported browsers for U2F keys: Chrome, version 41 or later

Choose Verification Methods for Your Implementation

Salesforce Authenticator
A smart and simple mobile app that users can easily connect to their Salesforce accounts.
Form Factor: Mobile app for iOS and Android
User Experience:
- Delivers push notifications to users’ phones for fast access
- See real-time details to confirm request validity
- Automate authentication from trusted locations
- Deny fraudulent requests with a tap
- Generates TOTP codes if connectivity isn’t available
Considerations:
- Requires a mobile device
Cost: Free

Third-Party Authenticator Apps
Apps generate unique, temporary verification codes based on the OATH TOTP algorithm.
Form Factor: Apps available for multiple operating systems
User Experience:
- Wide variety of apps to choose from
- Connectivity isn’t required
Considerations:
- Requires a mobile device
- Typing errors possible when manually entering codes
- Invalid codes possible if mobile device clock gets out of sync with Salesforce
Cost: Free and paid options

Security Keys
Physical device that uses public-key cryptography.
Form Factor: USB and Lightning devices that support the FIDO U2F standard
User Experience:
- Fast and easy to use
- Recognizes and denies fraudulent requests
- Connectivity isn’t required
- No batteries needed
Considerations:
- Requires browser support
- Users could leave key unattended or plugged in all the time
- Operational overhead for purchasing, stocking, and distributing devices to users
Cost: Starts around 20

Chapter 2: Implement MFA for Salesforce

Get ready for MFA, then roll it out to your users

The Recommended Path to MFA

Get Ready
- Evaluate which verification methods meet your business and user requirements.
- Inventory users, roles, and permissions to identify your privileged users (they’re your top priority) and to determine the level of effort for your project.
- Plan rollout, change management, implementation, testing, and user support strategies.

Roll Out
- Kick off change management activities to engage and prepare users for MFA.
- Work with your support team to establish an access recovery process and train them to handle MFA issues.
- Distribute verification methods to users.
- Enable MFA for user interface logins.
- Help users register and log in with a verification method.

Manage
- Collect feedback and monitor usage metrics to ensure users are adopting MFA.
- Support ongoing operations and assist users with authentication issues.
- Optimize your overall security strategy.

Get It Done with the Multi-Factor Authentication Assistant

Your one-stop shop for delivering MFA to your users

The Assistant walks you through the recommended path to MFA. Get step-by-step guidance, with tools and resources to help you take action. Steps are presented in checklists so you can track completed tasks and overall progress.

Access the Assistant from Setup in Lightning Experience: Click Multi-Factor Authentication Assistant in the Setup menu.

Plan Your Rollout

To ensure a successful rollout, cover these criteria in your project plan.

Rollout Strategy
- Determine who is required to use MFA. Admins and other privileged users are your top priority.
- Decide if you’ll roll out MFA to everyone at the same time, or go live in phases to different groups over time.
TIP: We recommend starting with a pilot group to test the rollout process and fine-tune things.

Change Management
- Communicate upcoming changes to users.
- Build awareness and get user buy-in with campaigns and promotional materials.
- Train users on MFA concepts and how to obtain, register, and use verification methods to log in with MFA.
- Create registration and troubleshooting materials for your launch day.

Support Team
- Establish policies and processes for ongoing operations, including helping users with lost or forgotten verification methods.
- Train your support team on setup, troubleshooting, and access recovery steps.
- Update your employee onboarding procedures so new hires get MFA from the start.

When You’re Ready to Go Live

When you turn on MFA, each user is responsible for setting up their own verification methods. Here’s the recommended approach for your launch.

Admin
- Kick things off by distributing verification methods to users, along with instructions for the registration process.
- Encourage users to register at least one method ahead of time so they avoid delays logging in after MFA is live.
- Then turn on MFA for user interface logins by enabling it for everyone or just the desired users.

Users
- Each user must register a verification method to connect it to their Salesforce account. Users are automatically invited to do so the next time they log in (unless they registered a method before MFA was enabled).
- For all subsequent logins, users are required to supply the method in addition to their username and password.

Enable MFA for Your Users

Turning on MFA for user interface logins is a simple process.
1. If you’re using security keys, enable this option for your org.
2. Assign the Multi-Factor Authentication for User Interface Logins user permission via a permission set or directly in custom profiles.

TIP: We recommend distributing verification methods before you enable MFA so users can get a head start registering a method.

Let’s take a closer look at how to use a permission set to enable MFA for specific people.

Required user permissions:
- Customize Application
- Manage Profiles
- Manage Users
- Permission Sets

Create an MFA Permission Set

To create the permission set:
1. From Setup, enter Permission Sets in the Quick Find box, then select Permission Sets.
2. Click New.
3. Enter the required information for your MFA permission set.
4. Select a permission set license to define the types of users who will use the permission set.
5. Click Save.
6. Click the System Permissions link, then click Edit.
7. Scroll to Multi-Factor Authentication for User Interface Logins, then select the checkbox for the permission.
8. Click Save, then confirm your selection.

Assign the Permission Set to Users

To assign the permission set:
1. From Setup Permission Sets, click the MFA permission set.
2. Click Manage Assignments.
3. Click Add Assignments.
4. Select the users to whom you want to assign the permission set.
5. Click Assign.

The User Experience When MFA is Live

When MFA is enabled for user interface logins, each user must have at least one registered verification method before they can log in to Salesforce. The registration process connects a method to the user’s Salesforce account.

Users can register methods at any time. If a user doesn’t have a method ready by the time MFA is enabled, they’re automatically prompted to register one the next time they log in. On-screen prompts guide users through the process.

Registration and login steps vary a little for each verification method. Let’s take a closer look.
- Salesforce Authenticator
- Third-Party Authenticator Apps
- Security Keys

Salesforce Authenticator: How Users Register and Log In

To register and connect the app:
1. On a mobile device, download and install the app from the Apple Store or Google Play.
2. On the Salesforce login screen, enter a username and password. The Connect Salesforce Authenticator screen displays.
4. Open Salesforce Authenticator and tap Add an Account. The app displays a two-word phrase.
5. On the Connect Salesforce Authenticator screen, enter the phrase in the Two-Word phrase field, then click Connect.
6. In Salesforce Authenticator, verify that the request details are correct, then tap Connect.

Salesforce Authenticator: How Users Register and Log In (continued)

To log in using the app:
1. On the Salesforce login screen, enter a username and password, as usual.
2. On the mobile device, respond to the push notification to open Salesforce Authenticator.
3. In Salesforce Authenticator, verify that the request details are correct, then tap Approve to finish logging in to Salesforce.

Third-Party Authenticator Apps: How Users Register and Log In

To register and connect a TOTP authenticator app:
1. On a mobile device, download and install an authenticator app.
2. On the Salesforce login screen, enter a username and password.
3. Click the Choose Another Verification Method link in the bottom left corner of the Connect Salesforce Authenticator screen, then select One-Time Password Generator.
4. Open the authenticator app and follow any in-app instructions for adding a new account.
5. Use the authenticator app to scan the QR barcode that’s displayed on the Connect an Authenticator App screen. If scanning the QR barcode isn’t an option, select to manually generate your security key. Then enter it in the TOTP app.
6. On the Connect an Authenticator App screen, enter the code generated by the authenticator app in the Verification Code field, then click Connect to log in.

To log in using a TOTP authenticator app:
1. On the Salesforce login screen, enter a username and password, as usual.
2. Open the authenticator app.
3. On the Verify Your Identity screen, enter the code generated by the authenticator app in the Verification Code field, then click Verify to finish logging in to Salesforce.

Security Keys: How Users Register and Log In

To register and connect a security key:
1. In a supported browser, go to the Salesforce login screen and enter a username and password.
2. Click the Choose Another Verification Method link in the bottom left corner of the Connect Salesforce Authenticator screen, then select Security Key.
3. Connect the security key to the computer, then click Register.
4. When prompted by the browser, press the button on the security key to finish logging in.

To log in using a security key:
1. In a supported browser, go to the Salesforce login screen and enter a username and password, as usual.
2. When the Verify Your Identity screen displays, connect the security key, then click Verify.
3. When prompted by the browser, press the button on the security key to finish logging in.

Chapter 3: Ensure Successful Adoption of MFA

Manage your users’ experience with MFA

Measure the Success of Your Rollout

Don’t just set it and forget it! Keep an eye on things to ensure your users are adopting MFA and getting the support they need. Salesforce has built-in tools to help.

Collect and evaluate user feedback
- Check in with users periodically to understand how they feel about the new MFA login requirement and see if there are any pain points that you can address.
- Review help desk tickets and logs to see if there are recurring problems with registering verification methods or logging in.
- To gather feedback, you can conduct polls in Chatter, use a survey app, or schedule focus group sessions.

Monitor MFA usage
- Track adoption over time and analyze usage patterns, including any changes to the volume of daily or monthly Salesforce logins and who’s using which methods.
- Use these tools to get usage data and insights:
  - Identity Verification Methods report or custom list views
  - Monitor metrics with the MFA Dashboard app from AppExchange.

Support Users and Ongoing Operations

Work with your support team to handle operational issues and the day-to-day needs of your users. Likely considerations include:
- Troubleshooting and resolving login and authentication problems, including account lockouts.
- Helping users recover access if they’ve lost or forgotten their verification methods.
- Enabling MFA for new employees as part of your new hire onboarding process.
- Stocking and distributing security keys, if you’re supporting this type of verification method.

Arm Your Support Team to Help with MFA Issues

Assign the Manage Multi-Factor Authentication in User Interface permission to your support team. With this permission, support staff can assist users with tasks such as generating temporary verification codes, disconnecting verification methods, and monitoring and reporting on identity verification activity. For more details, see Delegate Multi-Factor Authentication Management Tasks in Salesforce Help.

Recover Access With Temporary Verification Codes

Generate temporary codes for users who don’t have their usual MFA verification methods. You set when the code expires, from 1 to 24 hours after you generate it. The code can be used multiple times until it expires. For more details, see Generate a Temporary Verification Code in Salesforce Help.

Chapter 4: Learn More

Be an MFA Trailblazer — Check out these additional resources

Additional Resources

Join the MFA discussion in the MFA – Getting Started Trailblazer Community!

Get More Information
