Skip to main content

Explore Multi-Factor Authentication and SSL Certificates

Learning Objectives

After completing this unit, you’ll be able to:

  • Describe the goals of unified authentication (UA).
  • Explain the factors of multi-factor authentication (MFA).
  • Explain the principle of least privilege.

  • List three ways you can check SSL certificate validity.

Implement Strong Security Measures

As a victim of credit card theft, Linda Rosenberg, Cloud Kicks admin, understands the value of strong security measures to protect her company’s business and customers. One of the simplest, most effective ways to prevent unauthorized account access and protect storefront and shopper data is to deploy multi-factor authentication (MFA).

A secure socket layer (SSL) certificate is another strong (and required) technology. An SSL certificate enables websites to move from hypertext transfer protocol (HTTP) to hypertext transfer protocol secure (HTTPS). An SSL certificate is a data file hosted in a website’s origin server that makes SSL/transport layer security (TLS) encryption possible. It contains the website’s public key and identity, along with related information. Devices attempting to communicate with the origin server reference this file to obtain the public key and verify the server’s identity, while the private key is kept secret and secure.

What’s Multi-Factor Authentication?

MFA adds an extra layer of security to the login process by requiring users to verify their identity with two or more pieces of evidence (or factors) to prove they are who they say they are. These factors can be something the user knows, such as the username/password combination, plus something they have, such as the code from an authentication app on a mobile device. Other factors include time, location, and something the user is, such as a fingerprint. A familiar example is when you withdraw money from an ATM. Your ATM card is something you have and your PIN is something you know.

With MFA, users authenticate with multiple factors such as time, location, and something the user knows.

MFA can prevent some of the most common types of attacks, such as phishing and malware infections. Usernames and passwords alone don't provide enough protection because it’s too easy for bad actors to exploit weak or reused passwords. MFA ties user access to multiple, different categories of authentication, making it a lot harder for common threats like phishing attacks or credential stuffing to succeed. Even if a hacker manages to steal a user’s password, the odds are low that they’ll also be able to guess or hack the code from an authentication app.

Salesforce provides centralized B2C Commerce Business Manager and Account Manager user logins for secure MFA access in Account Manager.

  • Users only need to remember and maintain one password for all Business Manager instances.
  • MFA is part of the B2C Commerce login experience and can’t be turned off.
  • Admins can set up role mapping, allowing them to more quickly and easily grant Business Manager roles and permissions to new users.
To access Account Manager or Business Manager, you must have a B2C Commerce implementation. In this module, we assume you are a B2C Commerce administrator with the proper permissions to perform these tasks. If you’re not a B2C Commerce administrator, that’s OK. Read along to learn how your administrator would take these steps in a staging instance. Don't try to follow our steps in your Trailhead Playground. B2C Commerce isn't available in the Trailhead Playground. If you have a staging instance of B2C Commerce, you can try out these steps in your instance. If you don't have a staging instance, ask your manager if there is one that you can use.

Verify Your Identity with Multi-Factor Authentication

When you log in, Account Manager asks you to verify your identity using a supported verification method. If you have multiple verification methods registered, Account Manager opens the last one that you used. If you want to verify your identity with another registered verification method, just choose another one.

Depending on the MFA verification method settings for an organization, you can choose between these types of methods to login to a B2C Commerce application.

Method

Use Case

Instructions

Salesforce Authenticator

None

Account Manager sends a push notification to your mobile device. When you get the notification, open the app, verify the activity details, and tap Approve on your mobile device.

Security key

You registered a FIDO U2F or WebAuthn (FIDO2) compatible security key for your account.

At the prompt, insert your security key into the appropriate port on your computer or mobile device. If it has a button, touch the button. Security keys aren’t a biometric device, even though some have a button that requires your touch to activate it.


Note: The Salesforce Authenticator App must be on a secure mobile device. Secure the device by using PIN/FaceID/TouchID, as supported by the device.

Third-party authenticator app

You connected a third-party authenticator app, such as Google Authenticator or Microsoft Authenticator, to your account.

You can use any authenticator app that generates a temporary code called a time-based one-time password (TOTO). The code value changes periodically. Account Manager asks you to insert the temporary code and click Verify.

Register Your MFA Verification Methods

The first time  log in, you’re asked to register a verification method for MFA. The registration process connects the method you choose to your Account Manager account. You must supply a registered verification method each time you log in. You can register additional methods at any time from your account information in Account Manager. 

Salesforce recommends that you register two or more methods so that you have a backup if you forget or lose your primary method. You can register different types of methods (such as Salesforce Authenticator and a security key) or two instances of the same method type (such as two security keys or two different third-party TOTP authenticator apps).

Connect Salesforce Authenticator to Your Account for Identity Verification

The Salesforce Authenticator mobile app is a fast and easy verification method for multi-factor authentication (MFA) logins. Register the app to connect it to your Account Manager account. Here’s how to do it

  1. Download and install the Salesforce Authenticator app (version 3 or later) for the type of mobile device you use.
    • iPhones: get from the App Store
    • Android devices: get from Google Play
  2. Connect one of these ways based on your organization’s MFA verification method settings.
    • Salesforce Authenticator is required at your next login and is the only verification method allowed: Click REGISTER DEVICE.
    • Salesforce Authenticator or another verification method is required at your next login: Click Salesforce Authenticator.
    • You’re logged into Account Manager and you can register via multiple MFA verification methods: Click Add next to Multi-Factor Verification and select Salesforce Authenticator.
  3. Open the Salesforce Authenticator app on your mobile device. If you’re opening the app for the first time, you see a tour of the app’s features.
  4. In the app, tap Add to add your account.
    The app generates a unique two-word phrase.
  5. In your browser, enter the phrase in the Two-Word Phrase field.
  6. Click Connect.
    If you previously connected an authenticator app that generates verification codes to your account, you sometimes see an alert. Connecting a new version of the Salesforce Authenticator mobile app invalidates the codes from your old app. When you need a verification code, get it from Salesforce Authenticator from now on. In the Salesforce Authenticator app on your mobile device, you see details about the account you’re connecting.
  7. Tap Connect in the app to complete the account connection.
    To help keep your account secure, Salesforce sends you an email notification when a new identity verification method is added to your Account Manager account.

After you connect the app, you get a notification on your mobile device when you do something that requires identity verification. When you receive the notification, open the app on your mobile device, check the activity details, and respond on your mobile device to verify.

If you are notified about an activity you don’t recognize, use the app to block the activity. You can flag the blocked activity for your account administrator. The app also provides a verification code that you can use as an alternate method of identity verification.

Verify Your Identity with a TOTP Authenticator App

When you register a third-party authenticator app, such as Microsoft Authenticator or Google Authenticator, as a verification method for MFA logins, the app generates a verification code called a time-based one-time password (TOTP). Here’s how to register a third-party authenticator app.

  1. Download the supported authenticator app for your device type.
    You can use any authenticator app that supports the TOTP algorithm (IETF RFC 6238).
  2. Connect one of these ways based on your organization’s MFA verification method settings.
    • A TOTP Authenticator App is required at your next login and is the only verification method allowed: Proceed to the next step.
    • A TOTP Authenticator App or another verification method is required at your next login: Click One-Time Password Generator.
    • You’re logged into Account Manager, you can register multiple MFA verification methods, and you can connect a TOTP Authenticator App in your Account Information: Click Add next to Multi-Factor Verification and select One-Time Password Generator.
  3. Using the authenticator app on your mobile device, scan the QR code. Alternatively, click I Can’t Scan the QR Code in your browser. The browser displays a security key. In the authenticator app, enter your username and the displayed key.
  4. In your browser, enter the code generated by the authenticator app in the Verification Code field.
    The authenticator app generates a new verification code periodically.
  5. Enter the current code.
  6. Click Connect.
    To help keep your account secure, Salesforce sends you an email notification when a new identity verification method is added to your Account Manager account.

Register a Security Key for WebAuthn Identity Verification

You can register a FIDO U2F or WebAuthn (FIDO2) compatible security key as a verification method for multi-factor authentication (MFA) logins. To verify your identity, insert your security key into the appropriate port on your computer or mobile device. You can register the same security key with multiple service providers and multiple Salesforce orgs and accounts. You can also register one key per account.

Have your security key in hand so you’re ready to insert it when prompted. If you wait too long, your registration attempt can time out. Here’s how to register a security key.

  1. The first step depends on your organization's MFA verification method settings.
    • A security key is required at your next login and is the only type of verification method allowed: Proceed to the next step.
    • A security key or another verification method is required at your next login: Click Security Key.
    • You’re logged into Account Manager, registering multiple MFA verification methods is an option, and you can connect a security key in your Account Information: Click Add next to Multi-Factor Verification and select Security Key.
  2. At the prompt, insert your security key into the appropriate port on your computer or mobile device. If it has a button, touch the button.
    Security keys aren’t a biometric device, even though some have a button that requires your touch to activate the device.
  3. Click Continue to dismiss the confirmation message.

You can now use this identity verification method. Your security key generates the required credentials, and the browser passes them to Salesforce to complete the verification. To help keep your account secure, we send you an email notification when a new identity verification method is added to your Account Manager account.

Remove Verification Methods for Multi-Factor Authentication

Here’s how you remove or replace an MFA verification method, from your Account Manager account.

  1. Log into Account Manager.
  2. Click Account Information.
  3. Under Multi-Factor Verification, click the trash bin icon of the method you want to remove.
    Account Manager asks you to confirm that you want to remove the method.
  4. Click Remove.

If you lose your verification method and don’t have a registered backup method, contact your account administrator to restore access to your account.

Linda likes that she can link Account Manager accounts to Salesforce accounts that are managed in Salesforce Identity, per her organization's settings. This makes login a lot easier for Account Manager users. Here’s how you do it.

  1. In a web browser, go to https://account.demandware.com/. (You must have an Account Manager account.)
  2. Enter your username (email address).
  3. Click LOG IN.
  4. Enter your password.
  5. Click LOG IN.
  6. Verify your identity with MFA.
    If you’ve already registered an MFA verification method, provide the method to finish logging in. If you haven’t registered a method, you’re prompted to do so before you’re able to log in. If Salesforce hasn’t enforced MFA for your organization yet, and depending on the MFA settings implemented by your administrator, this step might not apply.
  7. Click LINK WITH A SALESFORCE ACCOUNT.
    You are redirected to Salesforce. After you successfully log in to Salesforce, you are redirected back to Account Manager.
    Caution: Linking your Account Manager account with a Salesforce account might change your Account Manager user name to the email address of your Salesforce account. The new Account Manager user name is shown on the confirmation page. If you don’t want your Account Manager user name changed, cancel this procedure and contact your account administrator.
  8. Click CONFIRM to finish linking accounts.
    New users must log in to Account Manager with MFA to complete linking their Account Manager account with Salesforce Identity. See Register Verification Methods for Multi-Factor Authentication for more details.

If a user is reset or deleted, their link between Account Manager and Salesforce Identity is removed. If they are reactivated or restored, they must log in to Account Manager with MFA to restore the link to Salesforce Identity.

You can enable MFA by user role for each of the systems. Take a look at the Salesforce B2C Commerce Roles & Permissions Trailhead module for details.

SSL Certificates

It’s important to maintain valid SSL certificates. If a certificate expires, shoppers can’t shop. Each site requires this data to validate against a certificate.

  • The hostname that it covers, such as www.cloudkicks.com or *.mycloudkicks.com
  • A certificate authority, also known as an issuer, such as Verisign or DigiCert
  • A validity period (to and from dates)

Check the Validity

Linda can check a certificate’s validity in a browser or in Business Manager.

Here’s how she checks it in a browser.  

  1. Open a browser.
  2. Navigate to the storefront.
  3. Click the lock icon beside the URL field.
  4. Click Certificate to view validity details.
  5. Review these certificates details:
    • Issued to
    • Valid From/To dates
    • Subject Alternative Names

Here’s how she checks it in Business Manager. 

  1. Open Business Manager.
  2. Select Administration > Sites > Embedded CDN Settings.
  3. Click on a zone and then Settings.
  4. In the zone settings, check the Expires On field to confirm the date by which you must renew your certificate.

Akamai Connector or Stacked CDN

Linda uses a stacked CDN or the Akamai Connector, so she must take additional steps to deploy and manage SSL certificates.

Configuration

Steps

Stacked CDN
  • Akamai can connect to the instance even if certificates are invalid, yet a certificate must be deployed.
  • Other CDN providers have their own process. Work with them to determine the appropriate steps.
  • Deploy a valid certificate when possible.

Akamai Connector
  • Akamai uses its own certificate and they perform SSL renewal automatically.
  • You don’t need to deploy a certificate on Business Manager.

Business Manager Custom Domains

Business Manager custom domains require valid SSL certificates. Linda must open a case to renew them so that the support team can help install new certificates. She reviews a support knowledge article (credentials required) for details.

If the Business Manager staging instance has a custom domain, it requires a certificate. 

The renewal of a staging SSL certificate requires a support case.

Private Keys and Certificates

Valid private keys (stored in a keystore along with required root or intermediate certificates) help ensure uninterrupted connectivity to backend and third-party systems. They are used for authentication to enable secure transmissions.

Here’s how you import them into your instance keystore.

  1. Open Business Manager.
  2. Select Administration > Operations > Private Keys and Certificates.
  3. Click Import or Upload a new private key or certificate.
  4. Select a file on your local machine.

A Business Manager alert displays when certificates are about to expire. Meanwhile, Linda checks them monthly to confirm their validity. Here’s how she does it.

  1. Open Business Manager.
  2. Select Administration > Operations > Private Keys and Certificates.
  3. Review the valid from and to dates and the status.

Next Steps

In this unit, you learned about two great security technologies, MFA and SSL certificates. Next, learn how to check your embedded CDN.

Resources

Keep learning for
free!
Sign up for an account to continue.
Sign Up Login
What’s in it for you?
  • Get personalized recommendations for your career goals
  • Practice your skills with hands-on challenges and quizzes
  • Track and share your progress with employers
  • Connect to mentorship and career opportunities
Skip for now