Get Ready for Multi-Factor Authentication: Plan for Auto-Enablement

Multi-factor authentication (MFA) is one of the easiest and most effective ways to protect user accounts against cybersecurity threats. It’s such an important safeguard that Salesforce made it a contractual requirement to use MFA when accessing Salesforce products. That requirement went into effect on February 1, 2022. And now? MFA auto-enablement for Salesforce orgs is on the horizon! But don’t worry, this post will help you navigate what’s involved so you and your users are prepared.

This change affects how your users log in, so let’s do a quick review of what to expect. If you’ve already satisfied the MFA requirement, thank you! But keep reading because there’s one last consideration that may apply to your org.

What exactly is MFA auto-enablement?

The term may be a little ponderous, but the concept is pretty simple. Basically, it’s when Salesforce turns on MFA in a customer’s org on their behalf.

Beyond the basics, we’re going to use the Release Update mechanism, specifically the MFA Auto-Enablement Release Update, to take this action. When the update goes into effect for an org, it turns on the “Require multi-factor authentication (MFA) for all direct UI logins to your Salesforce org” setting. Hopefully, the setting name is self-explanatory, but to be safe: The setting acts at the org level to enable MFA for all users who log in with their username and password.

The MFA org setting on the Identity Verification page in Setup.

Salesforce is applying the MFA Auto-Enablement Release Update for direct logins to all production orgs, even orgs that already satisfy the MFA requirement and those that have single sign-on (SSO) set up for Salesforce access. Why? Because the org-level MFA setting ensures that all direct logins get MFA. And it simplifies ongoing maintenance. Adding new users? Have some users who occasionally bypass SSO and log in directly? You don’t have to remember to enable MFA in these scenarios because the MFA org setting has you covered.

What to expect when MFA is auto-enabled for your org

Better security! More peace of mind! But you’d probably like some specifics, so here you go.

  • All users who log in directly with a username and password will also need to verify their identity with an MFA verification method, such as Salesforce Authenticator or a security key.
  • If a user hasn’t already set up a verification method, they’re guided through the process to register one the next time they log in. But if users aren’t quite ready for this step, there’s a 30-day grace period after auto-enablement occurs during which they can skip registration and log in without MFA.
  • If you’ve assigned the Multi-Factor Authentication for User Interface Logins user permission to some users and they’re already logging in with MFA, no worries. They won’t notice any changes.
  • Also not to worry–logins to your org via SSO aren’t affected.

If you need more time to prepare for MFA, Salesforce Admins can turn off the MFA org setting after auto-enablement. But this is temporary. Salesforce is enforcing MFA for all customers in the future, and at that time the MFA org setting will be re-enabled and the option to turn it off will be removed.

An important step before your org is auto-enabled, even if you already satisfy the MFA requirement

There are several user types and use cases that are exempt from the MFA requirement. Most are automatically excluded from MFA when an org is auto-enabled. But there are a few exempt use cases that must be manually excluded by a Salesforce Admin before the MFA org setting is applied. To see if this step applies to your org–even if you’ve already enabled MFA for your users–take a look at Exclude Exempt Users from MFA in Salesforce Help.

The MFA auto-enablement schedule

We’re auto-enabling MFA over the course of several releases in 2023. For orgs included in the first phase, the MFA Auto-Enablement Release Update is available in Winter ’23 and then takes effect when the Spring ’23 release rolls out. Other orgs will get the MFA update in a later release.

Is your org included in the first phase? To find out, keep an eye on the Release Updates node in Setup. If you see the MFA Auto-Enablement Release Update now, you know that Salesforce is auto-enabling your org in Spring ’23. (Keep in mind that it can take several weeks after the Winter ’23 release completes for the MFA update to appear on the Release Updates node.)

If you don’t see the MFA update, check back after the Spring ’23 release completes. If the MFA update is listed at that time, your org will be auto-enabled in Summer ’23. And so on and so forth.

Don’t wait! Roll out MFA your way

If MFA isn’t fully implemented for your org yet, you may be inclined to wait and have Salesforce do it for you. But here are a few plusses for doing your own implementation as soon as possible.

  1. The longer you wait, the longer you’re missing out on the valuable extra protection against cyberattacks that you get with MFA.
  2. Controlling your own rollout plan and schedule ensures you can avoid the disruptions to your users and your business that could occur when Salesforce auto-enables MFA. You can turn on MFA at a time that doesn’t conflict with other important initiatives at your company. And you can make sure your users get all the preparation they need in advance of going live.

Turning on the MFA org setting takes just a few minutes. And the MFA Rollout Pack gives you a treasure trove of templates for communications, training, and user onboarding materials to prepare your users. So why wait?!

Resources

Join the conversation anytime in the MFA – Getting Started Trailblazer Community. And tune in next month for more thoughts and best practices on preparing your users for MFA.
