Multi-factor Authenticator (MFA)


What is the Multi-Factor Authenticator, and how does it work?

Beginning February 1, 2022, Salesforce will require users to use the Multi-Factor Authenticator (MFA) in order to access Salesforce products.

All internal users who log in to Salesforce products through the user interface must use MFA for every login.

MFA is an effective way to increase protection for user accounts against common threats like phishing attacks, credential stuffing, and account takeovers. It adds another layer of security to your login process by requiring users to enter two or more pieces of evidence — or factors — to prove they’re who they say they are. 


What's the difference between MFA and 2FA?

MFA requires two or more factors, providing options for many combinations of authentication mechanisms.

2FA is a subset of MFA that requires two factors only.


Which verification methods satisfy the MFA requirement?

The Salesforce Authenticator app and Microsoft Authenticator are both supported verification methods for MFA.

Salesforce encourages users to register multiple verification methods, so they have a backup in case they forget or lose their primary method.

Salesforce uses this order of precedence for verification methods when logging in with MFA:

  • Salesforce Authenticator
  • Built-in authenticators
  • Security keys
  • Third-party time-based one-time passcode (TOTP) authenticator apps

After MFA is enabled for user interface logins, each user must have at least one registered verification method before they can log in.

If a user doesn't have a method ready by the time MFA is enabled, they're automatically prompted to register one the next time they log in. On-screen prompts guide users through the process.

For all subsequent logins, the login process prompts users to supply a registered method in addition to their username and password.

If a user loses or forgets their mobile device or security key, Salesforce admins can generate a temporary verification code that allows the user to log in to their account. The code can be used multiple times until it expires.

What is Salesforce Authenticator?

The Salesforce Authenticator mobile app is a strong verification method that can be used as a second factor for MFA logins. The app is free and simple to use, minimizing the impact of MFA on the user experience. It is available on both the App Store and Google Play.

Salesforce Authenticator makes the extra MFA authentication step easy because the app automatically integrates into your current Salesforce login process.

What are third-party TOTP authenticator apps (Microsoft Authenticator)?

All Salesforce products that have MFA functionality support the use of third-party authenticator apps as verification methods for MFA logins. There are many free and paid authenticator apps to choose from; widely used options include Microsoft Authenticator.

Is a data connection needed to use a mobile authenticator app? If a user loses their connectivity, can they log in?

The Salesforce Authenticator mobile app requires a data connection to authenticate via push notifications or location-based automated verification.

If a user's mobile device is offline, however, the user can still authenticate using one of the unique, time-based one-time password (TOTP) codes that the app continually generates.

The current code is shown under the account name in the app, and a new code is generated every 30 seconds.

Similarly, third-party TOTP authenticator apps continue to work when the device has no connection.

Can I automate or control how often the extra authentication step is required by Salesforce products to reduce impact to my users?

The frequency of MFA challenges can’t be modified.

To ensure that MFA is providing the intended protection, users must supply a verification method each time they log in directly to a Salesforce product.

To reduce friction for users, we recommend using Salesforce Authenticator.

The app can automate the extra authentication step when a user works from a trusted place, like the office or home — which means users don’t have to touch their phones when they log in from these locations.

To set this option, the user selects “Add this to a trust location” when the login notification is delivered.

For additional information, see the Salesforce Help article “Automate Multi-Factor Authentication Logins from a Trusted Location with Salesforce Authenticator”.


Note: An FAQ on how MFA works and how it will affect the user experience is available at https://help.salesforce.com/s/articleView?id=000352937&type=1