MFA (Multi-Factor Authentication) in Salesforce
MFA is a security feature provided by Salesforce that adds an extra layer of protection against suspicious or unauthorised logins. After MFA is enabled in your org, users must supply additional verification beyond their username and password.
Salesforce supports the following types of verification methods for MFA:
- Salesforce Authenticator mobile app
- Third-party authenticator apps
  - Google Authenticator
  - Microsoft Authenticator
- Security keys
  - Yubico’s YubiKey
  - Google’s Titan Security Key
Setting Up MFA in your Salesforce Org
Create a New Permission Set
To implement MFA in your Salesforce org, you first have to create a permission set that grants the MFA permission, and then assign it to the users who should be challenged.
Steps to Create the Permission Set:
Step 1: From Setup, enter Permission Sets, then select Permission Sets.
Step 2: Click New and fill in the required information.
Step 3: Do not select a user license type for the permission set (leave the license unrestricted).
Step 4: Click Save.
Step 5: Go to the System Permissions section and select the permission Multi-Factor Authentication for User Interface Logins. Click Save and confirm the change.
Step 6: Assign the permission set to the required users from ‘Manage Users’.
Multi-Factor Authentication for User Interface Login
If the permission set grants only Multi-Factor Authentication for User Interface Login, Salesforce enforces MFA when the user logs in through any of the following UI paths:
- Logging in to the org from login.salesforce.com or a custom domain (My Domain).
- Authorizing the org through a connected app from Postman (OAuth 2.0).
- Logging in from Workbench.
- Logging in from an AppExchange app that requires login credentials (for example, DocuSign).
Now, when you log in from any of the paths above, Salesforce shows an approval screen after you enter your username and password. At the same time, a notification arrives in your Salesforce Authenticator app; once you tap Approve there, the login to Salesforce completes.
Multi-Factor Authentication for User API Login
In the MFA permission set, checking Multi-Factor Authentication for User API Login automatically also checks Multi-Factor Authentication for User Interface Login. For API logins, users can authenticate with a security token or a TOTP (time-based one-time password).
Effects on User Experience after Enabling MFA
After MFA is enabled for user interface logins, each user must have at least one authentication/verification method before they can log in to Salesforce org/product.
If only Multi-Factor Authentication for User Interface Login is enabled in the permission set, users are challenged for MFA (approval in the Salesforce Authenticator app) only when they log in through the UI; API and integration logins are not affected.
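Two SOQL audit queries, added here as an example and not part of the original post, that an admin can run in the Developer Console to check the setup described above: which active users still lack the MFA permission set, and which recent logins bypassed the UI path that the UI-only permission protects. The permission set API name MFA_UI_Logins is an assumed placeholder for the set you created.

```sql
-- Added audit queries (SOQL), not from the original post.
-- 'MFA_UI_Logins' is a placeholder: replace it with the API name of the
-- permission set created in the steps above.

-- 1. Active standard users who have NOT been assigned the MFA permission set,
--    i.e. users who can still log in to the UI with only a username and password.
SELECT Id, Username, Profile.Name, LastLoginDate
FROM User
WHERE IsActive = true
  AND UserType = 'Standard'
  AND Id NOT IN (
      SELECT AssigneeId
      FROM PermissionSetAssignment
      WHERE PermissionSet.Name = 'MFA_UI_Logins'
  )
ORDER BY LastLoginDate DESC NULLS LAST

-- 2. Logins in the last 7 days that did not use the standard browser login flow
--    ('Application' is the LoginType recorded for a normal UI login).
--    The UI-only permission does not cover these, so review them separately
--    and decide whether the API login permission is also needed.
SELECT UserId, LoginTime, LoginType, Application, SourceIp, Status
FROM LoginHistory
WHERE LoginTime = LAST_N_DAYS:7
  AND LoginType != 'Application'
ORDER BY LoginTime DESC
```

Run the first query before and after Step 6 to confirm every intended user received the assignment.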
If MFA is enabled in your Salesforce org, users must complete the MFA challenge every time they log in to Salesforce. This applies to all logins, including logging back in after being logged out due to inactivity or an expired session. The frequency of MFA challenges can’t be changed.