Salesforce to Require Multi-Factor Authentication
Software company Salesforce has announced that as of February 1, 2022, it will start requiring users to enable multi-factor authentication (MFA) to access the company’s products. Salesforce has an MFA FAQ page.
This should be the norm for at least all cloud services, and really all logins. Microsoft data showed that using any form of MFA would have thwarted 99.9 percent of successful account compromises. Users are increasingly doing so with the home accounts on banking and even social media. Use of MFA allows security resources to be focused on the extremely clever 0.1 percent of attacks vs. drowning from the simple 99.9 percent.
Great move. MFA is a must in particular for systems like Salesforce working with critical data. If you try to rely on other means to mitigate attacks against other critical systems (e.g. VPNs): Stop doing stupid things like relying on geofencing. Implement a solid MFA solution now.
You should already have configured your IDP to require MFA when accessing cloud and other Internet accessible services. Where you are enabling SSO from trusted devices, ensure those devices require strong authentication, additionally disable the ability to login directly to accounts bypassing your SSO/authentication process. Read the FAQ, including the types of second factor which explicitly disallowed.
Not only is this exciting from a security perspective (I’m a huge fan of 2FA / MFA) but it’s very impressive how Salesforce is rolling this out. Take a moment to read their MFA FAQ. It’s extensive, detailed, and well thought out. Some key things I found interesting: You have to use “strong” MFA, no SMS text messages or phone calls to obtain your one time code; you have to use technologies like local mobile authentication apps. Also, and this was a bit hidden, there are legal consequences if you don’t implement strong MFA. If you somehow work your way around the requirement and your data is compromised, you and NOT Salesforce are most likely legally responsible for any harm to your data. Is MFA perfect? Absolutely not. Will bad guys figure out ways around MFA? Absolutely. Security is ultimately about compromises and managing risk to an acceptable level. With passwords / accounts being a top two driver for breaches globally for the past three years (VZ DBIR), this is a step most organizations should be taking.
MFA should be enabled everywhere. Hopefully this move by Salesforce, given their user base, pushes more adoption.