Multi-Factor Authentication Made Compulsory to Access SFDC Products!


Salesforce will begin requiring customers to enable multi factor authentication (MFA) from February, 2022 in order to access Salesforce products. From that point onwards, “all internal users who log in to Salesforce products (including partner solutions) through the user interface must use MFA for every login.”

Multi Factor authentication has been a recommended setting for most business access for years but never has a major service provider insisted customers use it as a precondition of service. This change has profound implications: customers unable to implement MFA across their access by the set date can continue to use Salesforce without MFA at their own risk. Salesforce isn’t simply mandating MFA but making the decision not to use it as it is the customer’s responsibility as part of its terms and conditions.

In effect, Salesforce is reformulating the shared responsibility model that normally governs cloud services. The customer has certain responsibilities, while the service provider has others. Changing that for MFA is more than a tweak. Thales statistics suggest that 90 percent of cyberattacks utilise compromised credentials in some way, which if correct implies that failing to implement MFA on Salesforce is potentially shifting responsibility for almost all cyberattacks involving the service. The customers that are out of compliance could be held liable for any breaches that occur.

Technology choices

The clear message from Salesforce’s MFA FAQ is that some established methods such as SMS texts, phone calls and emails will no longer be good enough to authenticate to their platform, nor will VPN access override this requirement. Technologies such as SMS haven’t been considered secure for several years and emails were never so even though some adopted them as a cheap way to implement the second factor.

That leaves two paths – the basic MFA offered by Salesforce or using a third party provider. This could include a FIDO token supporting WebAuthn and U2F (for example offered by Thales, Google’s Titan or the YubiKey), or proprietary authentication systems such as Apple’s Touch ID/Face ID, or Windows Hello.

This is the good news about today’s MFA environment: there is no shortage of options to choose from. For most organisations, this will mean using the smartphone as the core authenticator, either running an app or using some form of biometrics or FIDO2 WebAuthn. For privileged users, this might be backed up with the gold standard of a FIDO U2F hardware token.

A popular solution for cloud applications such as Salesforce is SSO, which puts multiple services behind the front door of a single authentication interface, for example Thales’s own SafeNet Trusted Access. The disadvantage of SSO is that it relies on a single credential, hence the need to use it with MFA, and often assumes that every user can be governed by a single IAM policy. But the minute an organisation must support a lot of different use cases, that requires a more sophisticated approach to policy configuration. Not all SSO services offer this.

Thales is the only vendor that sells every option in an integrated way, including adaptive authentication, FIDO tokens, OTP tokens, pattern-based authentication, authentication apps, push authentication, all integrated with an access management system. Organisations are now embracing remote working for all users as an everyday part of their business operation. Salesforce has reminded them that securing this requires that authentication is no longer a luxury and should be used everywhere.

Idea Helix is a Salesforce Certified Silver Partner and a vlocity partner with Certified Vlocity Technical Architects. Reach out to us for more details by following us on (Facebook) or send us a note from or at