The Salesforce Admin is also the trusted security advisor. Security is our #1 priority at Salesforce, so we’ve made it easy for you, as a Salesforce Admin, to be a security superhero for your organization with Two-Factor Authentication.
You have the power to customize your Salesforce org in many ways, including user authentication. User authentication includes password settings and network settings, which are both found in the Setup menu. One of your jobs as an Admin is to make your end users successful, which includes protecting their data with strong authentication requirements.
How secure does user authentication need to be? User authentication strength in Salesforce spans a wide spectrum because it depends on how you configure the org. The definition of ‘super secure’ means different things to different people. With new best practices and technologies emerging every day to help you improve your security, it’s hard to keep track and understand what you really need to do to keep your org secure. Salesforce security superhero, Josh Alexander, (who spoke on our webinar about Two-Factor Authentication) helped us organize security measures into three buckets: Phishing Target, On Par, and Superhuman Sheild.
PHISHING TARGET: Simple Password Protection
The absolute minimum protection would be to have a password. In fact, this is a requirement in all Salesforce Orgs. As we know, that’s just not enough. An org at this level has no password policies in place that address password strength & complexity, length, and lifetime. End result? All users have their password set to “password”!
ON PAR: Password Policies
Most Orgs have some password policies in place and that is huge! Orgs that are “On Par” enforce a minimum password length, special characters, and require a new password every 90 days.
A great to way to check if your specific password policies are on par is to use the new Salesforce feature Health Check. This is an easy-to-use tool that will make you a security superhero at your company and give you the expertise to work with your IT department. It compares your password policies to Salesforce global standards and let you know if you can become more secure or if your company meets the standard best practices.
SUPERHUMAN SHIELD: Two-Factor Authentication or 2FA
Want to become the ultimate superhero and create a superhuman shield around your org? You should be looking at Two-Factor Authentication. While passwords are great and we’ve come a long way in complexity since the first use of passwords, hackers have also come a long way in figuring out how to crack the code. That means we need a second way to authenticate our end users.
What is Two-Factor Authentication?
There are three ways to authenticate that you are who you say you are:
By requiring any two of those when your users log into Salesforce, you are enforcing Two-Factor Authentication (2FA). You can use the Salesforce Authenticator App to implement 2FA for your Orgs. You will still require users to provide something they know (a password that conforms to password policies), but also require them to provide something they have. Instead of using a ubix key or security card, they can use their phone as the second authenticator, making 2FA easily accessible to smartphone owners.
Implementing Salesforce Authenticator
In a recent webinar, Director of Product Management Josh Alexander and Principal Developer Evangelist Mary Scotton discuss security best practices and show you a demo of the Salesforce Authenticator App and how to implement it in two easy steps.
As you saw in the demo, to implement Salesforce Authenticator:
- Create a Permission Set that enables 2FA at login in system settings, and then assign that Permission Set to a user or group of users.
- At login, users who have been assigned the Permission Set will be invited to use 2FA. They will be guided through a 3-step onboarding process to download the app, connect the device, and confirm the connection.
The actual setup may seem straightforward, but the planning beforehand needs to be thorough.
As an Admin, you will need to decide how to roll this new feature out, which users will be required to enable this, how to communicate the change, and how to manage support for users having trouble. Pro Tip: Don’t skip these steps!
Are you an Admin that has already rolled out 2FA? Let us know how it’s going in the comments section!