Salesforce - Enabling Multi-Factor Authentication (MFA)
With any system change, adequate change management and rollout plans should be considered before implementing that change. In the same way, before going live and enabling Salesforce Multi-Factor Authentication (MFA), there are some important things to be aware of:
Salesforce will be requiring MFA for user logins from 1 February 2022.
Ensure there are at least 2 System Administrator accounts to reduce the risk of being locked out of the system.
The recommended MFA method (for example, Salesforce Authenticator mobile app) should be determined beforehand and communicated to staff.
IT admins should be aware of how to support users, if MFA methods are lost.
As a general system change and risk management approach, when enabling MFA on integration accounts, the integrations should be checked after enabling MFA.*
*Salesforce indicates that MFA is not a requirement for API or integration logins:
https://help.salesforce.com/s/articleView?id=000352937&type=1#mfa-affected-list
https://help.salesforce.com/s/articleView?id=sf.mc_overview_mfa_faq_api.htm&type=5
Additionally and separately, we have found that existing connections via third party integration platform are maintained when MFA is enforced and configured through the permission set. This is expected, since the permission applied is “Multi-Factor Authentication for User Interface Logins”.
Instructions
Although there are MFA methods mentioned in user setup, this is not how MFA is enabled. MFA is enabled through a permission set with a specific permission that enforces an MFA method to log in. Users can define an MFA method through their user profile, or can be prompted to set up a method once MFA is enforced.
The following is the one straightforward method to enforce MFA and assumes that a Single Sign On (SSO) method is not implemented (for example, enforced SSO through Office 365).
Go to Setup, and go to “Permission Sets” (search for permission in the quick find box).
At the top of the table of existing permission sets, you will find a “New” button.
Provide a name for the permission set, for example “Multi-Factor Authentication” in the Label field.
The API Name will be populated automatically when exiting the Label field. Click “Save”.
Go to System Permissions and click the “Edit” button.
Find the permission item for “Multi-Factor Authentication for User Interface Logins” and check the corresponding “Enabled” checkbox. Click “Save”.
On the next page, click on the “Manage Assignments” button, then “Add Assignments”
Select the users who need to be added and click the “Assign” button.
At next login, the users will be prompted to set up a Salesforce Authenticator as the Multi-Factor method (if they have not already specified one on their account).
To use a different MFA method users may click on “Choose Another Verification Method”.
For more information on administrating and self-managing methods:
https://alphasys.atlassian.net/servicedesk/customer/portal/5/article/1559822337?src=-1351239257
Related articles
Salesforce - Manage Multi-Factor Authentication (MFA) Options