Wednesday, 29 December 2021

MFA (Multi-Factor Authentication) in Salesforce

There are two ways to set up MFA in Salesforce:

1. Profile Settings

2. Session Settings

Note:

Enabling MFA via session security levels is not recommended because of the risk of breaking API integrations or connections.

Profile Settings (recommended):

You can set this either on a profile or on a permission set. If you set it on a profile, all users with that profile will be required to use MFA. If you set it on a permission set, you can control which users get MFA and develop a rollout strategy.


To set this, open the profile (or permission set) and open System Permissions. Select the Multi-Factor Authentication for User Interface Logins setting and mark it True. Do not select the Multi-Factor Authentication for API Logins setting.


Session Settings (not recommended):

You can set the session settings in two steps:

1. In Setup ⇒ Session Settings, move Multi-Factor Authentication to the "High Assurance" category under Session Security Levels.

2. In Setup ⇒ Profile ⇒ Session Settings, set the profile to require a high-assurance session when logging in.

This is not recommended because it can break API use and logins. Unlike the Profile Settings method described above, this requires MFA on all logins, including for accounts used by an API integration or Connected App.

Dedicated Integration Users

Salesforce does not require MFA for API Only users, so if you use a dedicated API user, these steps won't be relevant.

Note:

If you're setting up MFA for a client, we recommend using the System Permissions rather than the Session Settings. If a client's API integration suddenly starts failing (with an error such as "Response content: [{'message': 'This session is not valid for use with the REST API', 'errorCode': 'INVALID_SESSION_ID'}]" or similar), check whether the session settings have changed.
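As an added example (not code from the original post), here is a small Python check an integration can run on a failing REST call to tell this session-level rejection apart from an ordinary expired session. The response bodies are constructed samples; the JSON-versus-Python-repr handling reflects how the error shows up in logs (the post quotes the repr form), not anything the Salesforce API guarantees.

```python
import ast
import json

# Message the post quotes when a session-level (high-assurance) MFA
# requirement rejects the session an API integration holds.
REST_SESSION_MSG = "This session is not valid for use with the REST API"


def parse_error_body(body: str) -> list:
    """Salesforce returns a JSON array of {message, errorCode} objects.
    Integration logs often store the Python repr of the parsed body instead
    (single quotes, as in the post), so fall back to literal_eval for that."""
    try:
        data = json.loads(body)
    except ValueError:
        data = ast.literal_eval(body)
    if not isinstance(data, list):
        raise ValueError("unexpected Salesforce error body shape")
    return data


def classify_error(body: str) -> str:
    """Return 'session-security-level', 'reauthenticate' or 'ok'."""
    for err in parse_error_body(body):
        if err.get("errorCode") != "INVALID_SESSION_ID":
            continue
        if REST_SESSION_MSG in err.get("message", ""):
            # The session exists but lacks the security level the org now
            # demands: check Session Settings and the profile's session-level
            # requirement before rotating the integration's credentials.
            return "session-security-level"
        # Any other INVALID_SESSION_ID is normally an expired or revoked
        # token, so the integration should simply log in again and retry.
        return "reauthenticate"
    return "ok"


# Constructed sample bodies: the JSON form the API sends, the Python repr
# from the post's log excerpt, and an ordinary expired session (hypothetical).
JSON_BODY = ('[{"message": "This session is not valid for use with the '
             'REST API", "errorCode": "INVALID_SESSION_ID"}]')
REPR_BODY = ("[{'message': 'This session is not valid for use with the "
             "REST API', 'errorCode': 'INVALID_SESSION_ID'}]")
EXPIRED_BODY = '[{"message": "Session expired", "errorCode": "INVALID_SESSION_ID"}]'

if __name__ == "__main__":
    for body in (JSON_BODY, REPR_BODY, EXPIRED_BODY):
        print(classify_error(body))
```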

MFA Solutions for Salesforce:

MFA provides an increased level of security for your system and is an effective way to help prevent unauthorized account access.

Salesforce supports these types of verification methods:

1. Salesforce Authenticator mobile app: fast, free authentication (sfdc.co/IntrotoAuthenticator)

2. Third-party authenticator app: such as Google Authenticator, Microsoft Authenticator, Authy

3. Security key: such as Yubico's YubiKey or Google's Titan Security Key


Verification methods not supported for MFA:

1. SMS (text) verification: two-factor authentication by SMS is a less secure option, and is available only for communities, partners, and customers. Contact Salesforce Customer Support to enable it.

2. Phone call verification

3. Email verification


Email, SMS text messages, and phone calls aren't allowed as MFA verification methods because email credentials are more easily compromised, and text messages and phone calls can be intercepted.


Important: While MFA will not be mandated in Salesforce Communities, if you do implement MFA in communities, SMS is an option for verification.

How is this different from logging in on a different browser?

There are two types of identity verification in Salesforce: service-based and policy-based. Whenever we log into Salesforce from a different browser or a new computer, we must verify our identity. This is called service-based identity verification, and it is available out of the box. With MFA, you add a new layer of security on top of it: policy-based identity verification.

Service-based (device activation):

 -> Auto-enabled for all orgs

 -> User must provide verification from an unrecognized browser or application

 -> Not considered part of MFA (insecure)

Policy-based (MFA):

 -> Admin-enabled

 -> Multi-factor


What should you keep in mind with MFA?

Here are several things to keep in mind when rolling out MFA.

What are the System Permissions related to MFA for user interface logins?

Multi-Factor Authentication for User Interface Logins:

Require users to provide an additional verification method in addition to their username and password when logging in to Salesforce orgs.

Manage Multi-Factor Authentication in User Interface:

Use tools in the user interface to manage and provide user support for multi-factor authentication.

What about MFA for API logins?

API logins are not currently part of Salesforce’s mandate to use MFA. 

What happens if a user loses or forgets their device?

Admins can generate a temporary verification code that can be set to expire in 1 – 24 hours by adding the Temporary Code field to a User list view and clicking "Generate".
