
Guide
The New Salesforce MFA Requirements
Overview of Salesforce MFA
In February 2022, Salesforce began requiring all customers to enable multi-factor authentication (MFA) for their users, regardless of how those users access their accounts. Beginning April 8, 2024, Salesforce automatically enabled MFA for all direct logins, but not for organizations that use Single Sign-On (SSO). Starting with the Summer '24 release, Salesforce also periodically notifies every System Administrator in the organization until the instance is fully compliant with the MFA requirements (see the MFA Advisory Timeline for announcement details).
Enforcing Salesforce MFA
Via SSO or Authentication Scheme
If a Salesforce org uses an authentication scheme such as Single Sign-On (SSO) and has disabled direct login, Salesforce will not, by default, require the organization to turn on MFA inside Salesforce. However, under Salesforce's Terms of Service, the SSO solution itself must incorporate MFA. Salesforce will not automatically activate MFA within the organization's SSO setup; System Administrators, or users with administrator capability, are responsible for ensuring it is enabled at the identity provider. Some SSO providers ship their own MFA application (e.g. Microsoft or AWS), but the organization can also use Salesforce Authenticator (Salesforce's native MFA app) to meet the requirement.
Where a Salesforce organization allows direct UI login with credentials (username and password) alongside SSO, that direct path needs its own additional factor. If MFA is enforced for SSO but not for direct login, the direct login becomes a gap that bypasses MFA entirely; this leaves room for unauthorized access and does not comply with the Salesforce MFA security policy. Every login method, whether direct login or SSO, must be protected by MFA.
To maintain access in the event of an SSO provider failure or outage, CloudKettle suggests allowing at least 10% of users, or, in an org with only two users, one user with System Administrator access, to log in to Salesforce through the direct login interface. These break-glass direct-login administrators must also be enrolled in MFA; the 10%/one-user allowance is not an MFA exemption.
Via Salesforce Direct Login
If the organization does not use Single Sign-On and relies solely on direct login, it must require Multi-Factor Authentication (MFA) for every user login. Enforcing MFA for UI logins to Salesforce should not involve significant configuration difficulty. The organization must ensure that all users comply with the MFA requirement when accessing the platform; non-compliance leaves the organization exposed to account takeover and the resulting breach or loss of data and records.
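The two rules above (every direct login must complete MFA, whether the org also uses SSO or relies on direct login alone, and a small MFA-protected administrator population must keep a working direct login as the SSO break-glass path) can be checked from login history. The script below is an added example written for this page, not CloudKettle's or Salesforce's own tooling. It runs over constructed rows; the field names (LoginType, AuthenticationServiceId, AuthMethodReference, Status) follow the Salesforce LoginHistory object as I understand it, and the assumption that a login which completed an MFA challenge carries an `mfa` token in AuthMethodReference should be verified against your API version before relying on it. The user directory is likewise a constructed stand-in for the User object.

```python
"""Audit MFA coverage of Salesforce logins (added example; constructed data).

Checks:
  1. every successful direct (non-SSO) UI login by a human user must have
     completed MFA;
  2. enough System Administrators must retain a working, MFA-protected
     direct login as a break-glass path for an SSO outage (10% of users,
     rounded up, and never fewer than one).
Field names follow Salesforce's LoginHistory object as I understand it; the
row values are constructed, and the 'mfa' marker in AuthMethodReference is
an assumption to verify against your API version.
"""
from math import ceil

# Constructed user directory: Id -> attributes a real audit would read from
# the User object (profile, user type) plus an integration-user flag.
USERS = {
    "005A": {"Username": "alice@example.com", "IsSysAdmin": True,  "IsIntegration": False},
    "005B": {"Username": "bob@example.com",   "IsSysAdmin": True,  "IsIntegration": False},
    "005C": {"Username": "carol@example.com", "IsSysAdmin": False, "IsIntegration": False},
    "005D": {"Username": "dave@example.com",  "IsSysAdmin": False, "IsIntegration": False},
    "005E": {"Username": "etl@example.com",   "IsSysAdmin": False, "IsIntegration": True},
}

# Constructed LoginHistory rows. AuthenticationServiceId is populated only
# for SSO-brokered logins; AuthMethodReference lists the methods used.
LOGINS = [
    {"UserId": "005A", "Status": "Success", "LoginType": "Application",
     "AuthenticationServiceId": None, "AuthMethodReference": "pwd mfa"},
    {"UserId": "005B", "Status": "Success", "LoginType": "Application",
     "AuthenticationServiceId": None, "AuthMethodReference": "pwd"},      # admin, no MFA
    {"UserId": "005C", "Status": "Success", "LoginType": "SAML Sfdc Initiated SSO",
     "AuthenticationServiceId": "0SO000000000001", "AuthMethodReference": None},
    {"UserId": "005D", "Status": "Success", "LoginType": "Application",
     "AuthenticationServiceId": None, "AuthMethodReference": "pwd"},      # user, no MFA
    {"UserId": "005D", "Status": "Failed: Invalid Password", "LoginType": "Application",
     "AuthenticationServiceId": None, "AuthMethodReference": None},
    {"UserId": "005E", "Status": "Success", "LoginType": "Remote Access 2.0",
     "AuthenticationServiceId": None, "AuthMethodReference": "pwd"},      # integration, exempt
]


def is_direct_ui_login(row):
    """Direct username/password UI login, i.e. not brokered by an SSO service."""
    return row["LoginType"] == "Application" and not row["AuthenticationServiceId"]


def completed_mfa(row):
    """True if the login's method list records an MFA challenge (assumed 'mfa' token)."""
    return "mfa" in (row["AuthMethodReference"] or "").split()


def required_break_glass(n_users):
    """10% of users, rounded up, and never fewer than one administrator."""
    return max(1, ceil(n_users / 10))


def audit(users=USERS, logins=LOGINS):
    """Return users who bypassed MFA on direct login and the break-glass status."""
    human_users = {uid for uid, u in users.items() if not u["IsIntegration"]}
    unprotected = set()
    mfa_admins = set()
    for row in logins:
        uid = row["UserId"]
        if row["Status"] != "Success" or uid not in human_users:
            continue  # failed attempts and exempt integration users are out of scope
        if not is_direct_ui_login(row):
            continue  # SSO logins: MFA happens at the IdP and is not visible here
        if completed_mfa(row):
            if users[uid]["IsSysAdmin"]:
                mfa_admins.add(users[uid]["Username"])
        else:
            unprotected.add(users[uid]["Username"])
    need = required_break_glass(len(human_users))
    return {
        "unprotected_direct_logins": sorted(unprotected),
        "mfa_break_glass_admins": sorted(mfa_admins),
        "break_glass_required": need,
        "break_glass_ok": len(mfa_admins) >= need,
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

The audit deliberately skips SSO-brokered logins: when the identity provider performs the MFA challenge, Salesforce's login history does not see it, so that half of the requirement has to be verified at the IdP (its sign-in logs or conditional-access policy), not in Salesforce. Integration users are skipped because they are exempt, which also means the script assumes they really are API-only and cannot reach the UI login form.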
Exemptions in Implementing MFA
Salesforce also makes allowance for Integration Users. Integration Users authenticate non-interactively through the API and cannot complete an MFA challenge, so MFA should not be mandatory for them, and the System Administrator should assess each such user before exempting it. Salesforce documents how to grant an MFA exemption to Integration Users; an exempted user should be restricted to API access so that the exemption cannot be used to reach the UI login form without a second factor.
Multi-factor authentication (MFA) is currently not mandated for Sandboxes, although Salesforce plans to require MFA for all Sandboxes in the future (refer to the Salesforce article for the specifics of this exclusion). Even though Salesforce does not require it, CloudKettle advises enabling MFA across all instances in the organization, because records and data are routinely replicated from the organization's Salesforce Production instance into its Sandboxes, where they would otherwise sit behind a weaker login.
Key Takeaway
As of April 2024, Salesforce enables MFA for all direct logins. If an org uses Single Sign-On, Salesforce does not enable MFA automatically, BUT the SSO solution itself must enforce some form of MFA, and any remaining direct logins must have MFA as well, to comply with Salesforce's requirements.
*This post was last updated July, 2024