Cleveland Salesforce Developer Group presentation from 1/8/2022 for Security Check: Are you ready for MFA in February? presented by Co-Leaders Lynda Kane and Orlando Briceno Gomez
4. Achievements
Who has earned a certification or superbadge in Oct, Nov, Dec, or Jan?
Who has started a new job since September 2021?
Who is new to the Cleveland Salesforce Developer Group?
Anything else to share?
6. Background: Salesforce MFA Requirement
Announcement from 2/2021: “beginning February 1, 2022, Salesforce will begin requiring
customers to enable MFA in order to access Salesforce products”
• Supply 2 or more pieces of evidence when logging into systems
• Something you know (username and password) AND something you possess (authenticator app or
security key)
• Threats to system security are on the rise globally and constantly evolving; MFA enhances login security
All Salesforce Products
• Sales Cloud, Service Cloud, Experience Cloud, Marketing Cloud, Pardot, Mulesoft, Quip…
• Directly in Salesforce products or within the SSO you have set up for your Salesforce product (must be
turned on in SSO products too)
7. Background: Security Threat Landscape
Many organizations are still password-centric and MFA can help
• As of March 2020, 70% of all organizations still rely on password-centric authentication for logins
• 81% of all breaches are because of stolen or weak passwords
• According to Google, even one of the weakest forms of two-factor authentication—two-step verification
through SMS text messages—can stop 100% of all automated attacks, 96% of bulk phishing attacks, and
three-quarters of targeted attacks.
• SMS isn’t going away but WebAuthn became the W3C official standard in 2019.
WebAuthn (https://webauthn.guide/)
• Part of the FIDO 2 framework
• Adopted by all current major Web Browsers and mobile device operating systems
• Includes Authenticator Apps, Security Keys, and in-computer services (like Windows Hello)
9. Background: Really, How bad are user passwords?
According to NordPass, the top 10 most common (worst) passwords of 2021 were:
• 123456, 123456789, 12345, qwerty, password, 12345678, 111111, 123123, 1234567890, 1234567
• Popularly used in passwords: Names (people love to use their own name); Onedirection & Metallica (both
common bands to be used in passwords); Liverpool (sport teams also popular); Ferrari & Porsche (Car
Brand names also make poor passwords); Dolphin (#1 animal used in passwords); #!@? (men use swear
words in passwords more often than women - but women use “iloveyou”)
Password Hygiene Basics
• Longer is better, at least 12 characters and a mix of cases, letters, numbers, symbols (better yet, use a
password generator)
• Don’t reuse passwords or use the same one for multiple accounts
• Change passwords at least every 90 days
• Regularly assess password health (https://www.security.org/how-secure-is-my-password/,
https://www.passwordmonster.com/, http://www.passwordmeter.com/)
• Use a password manager (LastPass, KeePass, Keeper, Zoho Vault, 1Password)
10. Salesforce MFA Requirement
Environments
• Production: YES
• Sandboxes: MAYBE (Recommended), Required for B2C Commerce
Cloud sandboxes
• Scratch Orgs: NO
• Trailhead Playgrounds: NO
• Developer Orgs: MAYBE (Recommended)
• Experience Cloud (non-Internal licenses): NO
MFA Options
• Salesforce Authenticator
• TOTP (Microsoft Authenticator, Google Authenticator, DUO, and others)
• Security Key (Yubikey, need to enable in Session Settings for Platform)
• Built-in authenticator like Windows Hello or Touch ID (Beta, need to enable in
Session Settings)
• SSO-provided MFA (if your SSO doesn’t use MFA, you must use a
Salesforce provided option)
11. Salesforce MFA Requirement
Things to Know
• Users can have multiple MFA methods
• For Platform, only 1 TOTP (can’t do both Microsoft Authenticator AND Google Authenticator)
• If user has Salesforce Authenticator, can enroll in Lightning Login (passwordless, use app to login)
• If you’re using SSO, enable Delegated Authentication to see the Is Single Sign-On Enabled system
permission for Profiles and Permission Sets (when checked, users cannot login with a Salesforce
username/password - Salesforce no longer manages their credentials, your SSO is the only option)
• Can Assign MFA to users via Profile or Permission Set with System Permission: Multi-Factor
Authentication for User Interface Logins
• Security Key Known Issue with Chrome:
https://trailblazer.salesforce.com/issues_view?id=a1p4V000002CKpfQAG
13. Multi-Factor Authentication Dashboard
A comprehensive dashboard for monitoring and reporting on multi-factor authentication (MFA)
adoption and usage in your Salesforce org. This package includes the following features:
MFA view: See who has registered identity verification methods, and perform actions like
disconnecting methods and generating temporary verification codes.
Dashboard and Reports: Audit verification activities in your org, and track verification method
registration progress.
MFA Registration Email Template: Integrate this template with the Mass User Email tool to
create an MFA registration campaign for your rollout.
https://appexchange.salesforce.com/appxListingDetail?listingId=a0N3A00000EFmcXUAT
16. Our Adventures with MFA
Lynda - Employer
• Sales Cloud - SSO with MFA and Delegated
Authentication for Production, Full & Partial
Sandboxes
• Salesforce MFA Enabled for Developer Pro &
Developer Sandboxes
• Salesforce MFA Enabled for Marketing Cloud
Lynda - Developer Orgs
• Salesforce MFA Enabled for Developer
Accounts
• Multiple Methods of MFA (Salesforce
Authenticator, Microsoft Authenticator, YubiKey)
Orlando - Employer
• No SSO
• Implementing MFA in Sales Cloud for PROD &
FULL
• Salesforce MFA Enabled for Marketing Cloud
Orlando - Developer Orgs
• What are you doing?
17. Adding Additional MFA Methods
Add a TOTP (after Salesforce Authenticator)
Add a Security Key (after Salesforce Authenticator)
22. Quiz Time (and SWAG signup)
https://forms.gle/XzXC2v4rQDeAVHhx6
23. Announcements & Upcoming Events
https://100daysoftrailhead.com/
Cleveland #SalesforceSaturday
Starting again next week at local coffee shops.
Posted to the Collaboration Group, LinkedIn, & Twitter.
Join our Community Group in Trailhead! (Cleveland #Salesforce Saturday)
Job Seeking or Hiring:
Are you seeking a new position or looking for a new member for your team? Let us know. We can also post in
our Trailblazer Community Group on Trailhead!