Tips To Increase MFA Adoption in a Multi-Cloud Environment

By

You may have seen the announcement we recently made that beginning on February 1, 2022, Salesforce will start requiring all customers to implement multi-factor authentication (MFA). If so, you already know that MFA is one of the easiest, most effective ways to help prevent unauthorized account access and safeguard your Salesforce data. And in case you’re wondering, MFA is available at no extra cost for all Salesforce products.

Now that you’re caught up on the requirement, let’s talk about what that means for you as an admin — and your users. Driving user adoption for MFA may have its own set of challenges for admins with multiple Salesforce products. Since we know that a large portion of Salesforce customers have more than one product, we wanted to offer some suggestions of how to accomplish this exercise in change management. In this post, we’ll focus on the different ways to drive user adoption in a multi-cloud environment.

To enable MFA for direct logins or SSO — that is the question.

Before we dive into user adoption tactics, let’s do a quick overview of your options.

Option 1: Admins can enable MFA within each of their Salesforce products. Doing so will prompt your users to satisfy the MFA challenge each time they log in to one of your products.

Option 2: Many customers may find it easier to connect all of their Salesforce products to single-sign on (SSO), which would allow your users to log in one time, using the SSO interface. Just remember that if you choose to go the SSO route, Salesforce requires customers to also implement MFA for their identity provider.

For complete information about the requirement, visit the Salesforce Multi-Factor Authentication FAQ.

How can admins drive MFA adoption across different Salesforce products?

This may seem obvious, but arguably the most important early decision an admin can make in this process is to choose a verification method that works across all of your products. Verification methods that satisfy the MFA requirement include the Salesforce Authenticator app, standards-based TOTP apps, and security keys (see a more detailed explanation of what those are in our MFA Quick Guide). Once your users are set up with a verification method that works for any Salesforce product (not to mention other platforms you might be using), you remove any potential roadblocks associated with the user login experience.

It’s also important to think about the user experience if you enable MFA for multiple products. By creating a master rollout plan and timeline that combines all of your products, rather than rolling out each one individually, it reduces confusion for users. It’s always best to just dive in rather than postpone portions of the rollout.

Once you’ve selected your verification method(s) and your rollout plan is ready, a great way to drive MFA adoption is to run employee awareness campaigns. These campaigns should clearly communicate the timeline and include all of the change management information your users will need for all impacted products. You can even get creative and host competitions for users to see who can be among the first to use MFA!

Is it important to track user adoption?

Maximizing your visibility with robust reporting can be one of the best tools for driving user adoption. How are you supposed to know if you’re hitting adoption benchmarks if you don’t have accurate reporting?

Luckily, Salesforce offers a variety of ways to track MFA adoption in some of our products. This handy metrics blog post goes into detail about metrics for Salesforce Lightning products, and you can also reference the list below which includes options for tracking adoption in Salesforce Lightning products and Marketing Cloud.

  • Lightning Usage App: Use the Login Metrics tab in the Lightning Usage App to monitor logins in your org. See how many users are logging in with your org’s various identity services, including MFA and SSO.
  • Salesforce Optimizer: In Salesforce Optimizer, you can identify any users who are logging in without MFA, and then take actions to enable MFA for all users.
  • Identity Verification History report: Use Identity Verification History to monitor and audit up to 20,000 records of your org users’ identity verification attempts from the past 6 months.
  • MFA Dashboard (via the AppExchange): A comprehensive dashboard for monitoring, auditing, and reporting on MFA adoption and usage in your Salesforce org.
  • View MFA events in Marketing Cloud: After you enable MFA for your Marketing Cloud tenant, you can review a log of all registration and verification attempts. This log includes enablement and revocation actions and authentication attempts. You can view all events in a tenant.

We’ve given you some good ideas about how to drive MFA adoption for your multi-cloud environment. If you’re still looking for more, check out the Salesforce Admins Podcast with Mat Hamlin about MFA and SSO the next time you’re out for a stroll.

More resources

Looking for more content and resources on security? Check out our Security for Admins page to dive in.

Core responsibilities of a Salesforce Admin

Core Responsibilities of a Salesforce Admin: Your Blueprint for Success

As admins, you hold the keys to success for your users and companies to get the most out of Salesforce. You have the unique opportunity to build and manage trusted solutions that drive productivity and innovation through five core admin responsibilities: security, user management, data management, analytics, and a new core responsibility: product management.  The […]

READ MORE
User management enhancements Winter '25

User Management Enhancements | Winter ’25 Be Release Ready

Winter ’25 is almost here! Learn more about user management and check out Be Release Ready to discover more resources to help you prepare for Winter ’25. We’re continuing to innovate in Setup starting with user access and user management. We have several exciting enhancements in store for Winter ’25–many thanks to your feedback and […]

READ MORE
Troubleshoot user access with SOQL

How to Troubleshoot User Access with SOQL (Beginner Friendly)

Awesome Admins, we know that troubleshooting user access is a common task. You’re frequently asked questions like “Why can Jane access this field, but John can’t?” or “Why can John view this record when he shouldn’t be able to?” In Summer ’24, we introduced helpful summary views for users, public groups, permission sets, and permission […]

READ MORE