Businesses today function on good quality data. Naturally, efforts have to be made to ensure the security of this data and prevent it from being hacked and used in unlawful or unethical ways. Data security refers to all the protective protocols an organization puts in place to prevent unauthorized access of any and all databases, related websites, and computers. The year 2020 will go down in history, not just for being the year the world was disrupted by the Covid-19 pandemic, but also for the way the world changed digitally.
As a result, working from home and the dependence on cyberspace skyrocketed, while demand for heightened cybersecurity increased. The 2021 IBM Security Report released in July 2021 found in their global study that data breaches result in an average cost of USD 4.24 million for each incident. This is the highest cost recorded in the last 17 years of this report being done. Real-world analyses of global data breaches of more than 500 companies show that the cost of each incident has been increasing by 10 per cent each year.
One of the key reasons for the increase in such security breaches is weak passwords, especially passwords that are constantly reused. To combat this, Salesforce has made Salesforce Multi-Factor Authentication (MFA) mandatory for all organizations accessing its products. It has to be enabled by February 1st, 2022.
Understanding MFA and MFA for Salesforce
Research by Forrester has made it clear that MFA can arrest up to 96 per cent of bulk phishing attempts and all bot threats. MFA is among the easiest security controls to implement and has the highest efficacy in improving login security. The way MFA works is simple: every time users log in, they have to prove their identity with two or more pieces of evidence rather than one. One factor is something the user knows, the standard user name and password combination; the other is something the user has, such as an authenticator app or a security key.
By creating a system where a user has to go through multiple authentication steps to access data, the data environment becomes harder to get to via unauthorized access. Even if passwords are stolen, the chances of attackers being able to figure out what the secondary factors are going to be are negligible.
MFA for Salesforce is currently available for products built on the Salesforce platform, for B2C Commerce Cloud, Marketing Cloud Datorama, Marketing Cloud Email and Mobile Studio, and Journey Builder. The MFA option is available at no additional cost. Salesforce already supports single sign-on (SSO). If your company has SSO for the Salesforce products in use, with MFA configured, you are ready to go.
To help with the implementation of MFA, Salesforce provides a range of tools and mechanisms such as reports and dashboards that monitor usage. Users who may have lost or cannot recall their verification methods can be provided with alternate temporary ones.
Verification Methods for Salesforce MFA
With Salesforce, MFA goes a step further in the authentication process. Once users input their user names and passwords and clear that stage, they will be prompted to proceed with another verification method. What this verification method is, will depend on the Salesforce product that is in use. It can be one or all of three possible methods.
- Salesforce Authenticator App
- Third-Party TOTP (time-based one-time passwords) Authenticator App
- U2F or WebAuthn Security Key
Salesforce MFA verification methods do not include e-mails, SMS texts, or phone calls. The logic is simple – e-mail accounts can easily be compromised, and texts and calls are easy to intercept. Hackers will find it much harder to get their hands on a physical phone or key than to get into an e-mail account or break into a phone.
Let’s take a look at how each of the three verification methods works:
Salesforce Authenticator App: This free method is a mobile app that works both on Android and iOS and integrates into your existing log-in process. Users can easily install it and connect it to all their Salesforce accounts. Once they log in, they receive a push notification on their mobiles. On tapping it the user will see the following details:
- What action needs approval
- Who (which user) is requesting this action
- The service requesting the action
- The device that the user is accessing and requesting information on
- The location of the request
With these details, the user approving the request can take an immediate decision to approve or deny it. If they are working from a trusted location, this step can also be automated. Should the user have no connectivity, a six-digit TOTP code generated by Salesforce Authenticator can be used instead.
In terms of user experience, Salesforce Authenticator ensures:
- Push notifications are delivered to phones quickly, speeding up verification.
- Real-time details can be viewed to judge whether a request is genuine.
- Approvals from trusted locations can be automated.
- Suspicious requests can be denied with one tap.
- TOTP codes can be generated where connectivity is an issue.
Third-Party TOTP Authenticator App: Salesforce now supports third-party authenticator apps, which are available for a range of operating systems. Their key benefit is that they do not require Internet connectivity. These apps generate temporary codes using the OATH TOTP algorithm. With this method, the user reads a code from the TOTP authenticator app and enters it in the Salesforce log-in process. The app derives each code from a secret key known only to the user's app and to Salesforce, combined with the current time. Each code is valid for only 30 seconds before a new one is generated, and because the computation needs only the key and the clock, the app can generate codes even without an Internet connection on the phone. A further advantage is that users who already use a TOTP app, for personal or business purposes, can use the same app for Salesforce log-ins too. There are some considerations to remember when using TOTP:
- A mobile device is required.
- Because codes are entered manually, entry errors are possible.
- If the mobile clock is not in sync with Salesforce, the app will generate codes that Salesforce rejects as invalid.
Security Keys: This verification method is generally used where no mobile device is in play, or where mobile devices are not allowed on work sites for security reasons. A security key is a small physical device with no codes to enter and nothing to install. These devices connect over USB, Lightning, or NFC (though NFC is not supported on products built on the Salesforce platform) and work on the U2F and WebAuthn protocols. All the user needs to do is connect the key to the computer and press the button on the key to verify themselves. Depending on the Salesforce product in use, security keys work with FIDO U2F or FIDO2 WebAuthn. Both rely on strong public-key cryptography that protects against attack strategies such as man-in-the-middle or malware. The security key needs a supported browser to act as the connector between the key and Salesforce. The user experience is smooth and fast, no connectivity is needed, and the keys are not battery operated. There are some considerations to keep in mind:
- It requires browser support, and U2F is supported by only a limited number of browsers.
- A key can be left plugged in and unattended all the time.
- Keys have to be bought, stocked, and distributed, which is a significant operational cost.
Benefits of Using MFA Verification Methods
MFA has an integral role to perform in information security. It protects an organization’s data from any potential threats. It keeps a constant vigil on employee accounts and makes things extremely difficult for hackers. Should users lose their login credentials or end up exposing them by accident, MFA protects against any misuse. Here is a look at 7 key benefits MFA provides:
Additional Layers of Security Compared to 2FA: MFA has the advantage of ensuring additional layers of security when compared to standard Salesforce two-factor authentication. Any company can choose to make identity authentication mandatory for both employees and clients, by utilizing a password, TOTP, or authenticator. This ensures absolute certainty in end-user verification. Such multiple security layers are the best way to ensure that those people seeking access are actually who they say they are. Even if one of the identities is hacked into, the next level will not be accessible to the perpetrators. It is essential therefore that companies that store vast amounts of consumer information opt for MFA. It’s a simple way to build and sustain client trust.
Preventing Identity Theft: MFA is an important way to protect a company’s data, particularly its consumers’ data, from any form of identity theft. With MFA, the traditional user name and password are supplemented with a further layer of protection. While cracking a user name and password is not too difficult, obtaining the TOTP is, since it is received via an SMS or phone call. Two forms of information are required, and MFA supplies the additional layer of protection.
MFA Helps with Regulatory Compliance: Bringing in MFA is often an important step towards compliance with industry regulations. In the case of PCI-DSS, implementing MFA is mandatory in specific scenarios to prevent unauthorized access to systems. So even where application updates have unnoticed consequences, MFA ensures that they do not harm the data in any way.
Ease of Implementation: MFA is inherently a simple protocol and does not in any way intrude into the digital space of an organization. It simply works along with it. MFA offers an intuitive interface that makes it simple for any user to master in a short period.
MFA is Compliant with SSO Solutions: MFA is now an industry-compliant protocol that comes with SSO solutions. It eliminates the need for multiple complex passwords for different applications. Secondary authentication combined with SSO ascertains consumer identity and eliminates any risk of data loss arising from losing a password. A significant amount of time is saved and security is enhanced.
High-End Security with Remote Access: One technique cybercriminals employ when trying to break into a database is to make the attempt while a worker is using remote access. MFA combined with an SSO solution makes it additionally difficult for hackers to break in. MFA effectively blocks such attempts and the users behind them, and goes a step further by reporting these attempts to the company’s IT department, which can then act to block such fraudulent users. Since companies operate over open networks, the danger of password theft by several methods is real. With MFA, all these concerns are addressed and data loss is prevented.
A Strong Cybersecurity Solution: 2FA and MFA protocols are tough for hackers to break. With additional verification measures such as TOTP codes and authenticators in place, hackers find it increasingly difficult to crack through multi-layered passwords and security protocols. As an additional layer, MFA works well.
Things to Remember When Rolling out MFA
As with every new protocol, there is an ideal path to the implementation of MFA to ensure a company benefits the most from it. Here is a step-by-step approach.
Setting the Base: Take a look at your business and evaluate which of the three verification methods available are best suited to your organization and your users’ needs. Make a detailed inventory of users, their dynamic roles, and the kind of permissions needed to identify who your privileged users are (you will want to prioritize them). This will help you determine how much of an effort is going to go into setting up MFA for your organization. Have a roadmap in place for the rollout of MFA, management changes, implementation of MFA, its testing, and any user support strategies you believe will be needed.
The Actual Roll Out: In the run-up to the roll-out make sure to begin all change management activities and prepare all your users for the implementation of MFA. Your support team will need the training to create a secure access recovery process and to handle the various MFA issues that may arise. With this done, you can now distribute verification methods to your users and enable all their interface logins. Make help available for users to register and log in with the verification method.
Managing MFA After the Roll Out: It is important to continuously maintain a system for feedback and monitoring of usage on a range of metrics to ensure that all your users are effectively utilizing MFA. Provide ongoing support operations and help users with any authentication issues they may have. This will also help with your efforts of optimizing your organization’s general security strategy.
What Your Road Map Must Include
For the successful rollout of your MFA program, your road map needs to cover certain aspects. Here is a look at the important elements:
The Rollout Strategy: Examine and find out who in the organization requires MFA the most. The best way to go about this is to use a pilot group to test out your rollout processes and iron out all the kinks along the way. The top of your priority list should be administrators and privileged users. Figure out whether you would like to roll out MFA for the entire group in one go or make the system live gradually.
Change Management Measures: Open communication with all users is key to helping implement MFA well. Well before implementation, begin to build up awareness and make sure you have user buy-in right from the get-go. Your awareness campaign can be built with presentations and a range of promotional approaches. Make sure to train all users in advance on MFA concepts, how to get them, and how to log in with the various verification methods you have chosen. Make sure that you have all registration and basic troubleshooting information handy for distribution before the launch day.
Create a Support Team: Every new protocol requires a strong support team. To put this in place, establish strong policies and systems for all operations. These should include helping users recover verification methods that they have lost or forgotten. Ensure that your support team is well trained in all aspects of setup, troubleshooting, and any recovery measures that may be needed. Make sure that your onboarding protocol is updated so that all newcomers are provided with MFA as soon as they are inducted.
MFA is among the simplest, easiest, and most effective ways to ensure that your data security issues are well addressed. With the world opening up in the aftermath of the pandemic, more people are returning to offices, even while others may still be working from home. Ensuring that data security is top-notch across the board is essential, and Salesforce MFA can play a major role in this.