Secure Your Users’ Identity

Learning Objectives

After completing this module, you’ll be able to:

  • Set up multi-factor authentication for your users.
  • Use the Salesforce Authenticator app for MFA logins.
  • Get login information about users who log in to your org.

Secure Account Access with Multi-Factor Authentication and Salesforce Authenticator

On their own, usernames and passwords aren’t sufficient protection against cyber threats like phishing attacks. An effective way to enhance the security of your login process and protect your org's data is to require that users provide additional evidence to prove their identity when logging in. Security experts call this multi-factor authentication, or MFA for short. At Salesforce, we believe MFA is so important that we require it for everyone accessing our products and services. To learn about the MFA requirement, check out the Salesforce Multi-Factor Authentication FAQ.

Note

To complete the tasks in this unit, you need a mobile device running either Android or iOS.

What Is Multi-Factor Authentication?

Sounds like a mathematical equation, right? Whether math thrills you or fills you with dread, just know that MFA has nothing to do with high school algebra. It has everything to do with making sure that your users are who they say they are.

By the way, you may be more familiar with the terms two-factor authentication or 2FA. Not to worry! While 2FA is a subset of MFA, we’re effectively talking about the same thing.

So, what exactly are the multiple factors? They’re different types of evidence that users provide when logging in to confirm their identity.

  • One factor is something users know. For Salesforce logins, that's a username and password combination.
  • Other factors are verification methods that a user has in their possession, such as a mobile device with an authenticator app installed or a physical security key.

You might not have known what it’s called, but you’ve probably already used multi-factor authentication. Every time you get cash from the ATM, you use something you have (your bank card) plus something you know (your PIN). 

Requiring another factor in addition to a username and password adds an extra, important layer of security for your org. Even if a user’s password is stolen, the odds are very low that an attacker can guess or impersonate a factor that a user physically possesses.

Sound cool? Let’s see how it works.

How Multi-Factor Authentication Works

MFA adds an extra step to your Salesforce login process.

  1. A user enters their username and password, as usual.
  2. Then the user is prompted to provide one of the verification methods that Salesforce supports.

You can allow any or all of these verification methods.

Salesforce Authenticator
A free mobile app that integrates seamlessly into your login process. Users can quickly verify their identity via push notifications. We’ll talk more about this app in a bit.

Third-party TOTP authenticator apps

Apps that generate unique, temporary verification codes that users type in when prompted. This code is sometimes called a time-based one-time password, or TOTP for short. Users can pick from a wide variety of options, including Google Authenticator, Microsoft Authenticator, or Authy.

Security keys

Small physical tokens that look like a thumb drive. Logging in with this option is fast and easy; users simply connect the key to their computer then press the key’s button to verify their identity. Users can use any key that’s compatible with the FIDO Universal Second Factor (U2F) or FIDO2 WebAuthn standards, such as Yubico’s YubiKey or Google’s Titan Security Key.

Built-in authenticators

Biometric readers, such as fingerprint or facial recognition scanners, that are built into a user’s device. In some cases, built-in authenticators can leverage a PIN or password that users set up on their device’s operating system. Common examples include Touch ID, Face ID, and Windows Hello.

When Are Users Prompted for Multi-Factor Authentication?

When you turn on MFA, users are required to provide multiple factors every time they log in. As part of the Salesforce terms of service, all customers must set up MFA for user interface logins. Doing so ensures every Salesforce org is protected with adequate security from the get-go. 

To step up security even more, you can require MFA for additional circumstances.

  • When users access Salesforce APIs. To learn about configuring MFA for API access, check out the help article Set Multi-Factor Authentication Login Requirements for API Access.
  • When users access a connected app, dashboard, or report. This process is known as step-up or high-assurance authentication.
  • During a custom login flow or within a custom app, for example, before reading a license agreement. More on this topic later in the module.

Your Options for Turning on MFA

There are two ways you can enable MFA for your users.

Turning on MFA affects how users log in to your org, so you may want to start with a pilot program and gradually enable your users over time. 

The benefit of staggering your MFA rollout is you can limit the change management impact to select groups of users at once. That way, you can gather feedback from early groups, and then improve your rollout process for the rest of your users. And since fewer users are affected in each phase, your admins have a lower volume of MFA-related support cases to juggle at once. You can carry out this phased approach by assigning an MFA user permission to select users.

On the other hand, you may be ready to take the leap and enable MFA for all your users at once. The sooner everyone’s enabled, the sooner you’re in compliance with the Salesforce MFA requirement (hint, hint). When you’re ready to go all in, you can turn on MFA for your entire org using a single setting.

We explore both methods in this unit, and show you the benefits of each. For a demonstration, check out this video.   

Verify That the Session Security Level Is Set for MFA

Regardless of how you decide to enable MFA, you need to make sure that the right security level is associated with the MFA login method. In most production orgs, this setting is already in place. But if it’s not, it’s important to do this step before you set up an MFA requirement for any admin users. Otherwise, you could prevent yourself or other admins from logging in.

  1. From Setup, enter Session Settings in the Quick Find box, then select Session Settings.
  2. Under Session Security Levels, make sure that Multi-Factor Authentication is in the High Assurance category.

With the session security level correctly configured, you’re ready to start your MFA journey.

Turn on MFA for Select Users

Suppose you’re a Salesforce admin for Jedeye Technologies, a company not located in a galaxy far, far away. Your chief security officer has handed you a mission: Make all employees supply more than their username and password every time they log in to the company’s Salesforce org.

Start small by turning on MFA for a new Jedeye Technologies employee, Sia Thripio. You can use Sia’s feedback on the experience to make sure you have all the bases covered when you go live with everyone else at Jedeye. Start out by creating a Salesforce user for Sia and enabling MFA for her account.

Ready to Get Hands-on?

Launch your Trailhead Playground now to follow along and try out the steps in this module. To open your Trailhead Playground, scroll down to the hands-on challenge and click Launch. You also use the playground when it's time to complete the hands-on challenges.

As we mentioned, you also need a mobile device running either Android or iOS to complete some of the tasks.

Step 1: Create a User

  1. From Setup, enter Users in the Quick Find box, then select Users.
  2. Click New User.
  3. For the first name and last name, enter Sia and Thripio, respectively.
  4. Enter your email address in the Email field. This setting is to get user notifications for Sia.
  5. Create a username for Sia and enter it in the Username field. It must be in email address format, but it doesn’t have to be a working email address. Make sure the email address is unique in your Trailhead Playground. You enter this username to log in as Sia later on, so we suggest making it short and easy to remember. Need ideas? Try using Sia's first initial, last name, and the current date, like this: SThripio.12202020@trailhead.com.
  6. Edit or accept the nickname value.
  7. For User License, select Salesforce Platform.
  8. For Profile, select Standard Platform User. While you’re here, deselect the options to receive Salesforce CRM content alerts. No need to clutter your inbox with unnecessary email from Salesforce.
  9. Make sure that Generate new password and notify user immediately is selected—it’s way down at the bottom of the page. Salesforce emails you about Sia’s new user because you entered your email address in the Email field.
  10. Click Save. Salesforce emails you a link to verify the user and set Sia’s password. Note: If you get an error that the username exists, create a user with a different name.
  11. Log in as Sia, and reset the password.

After you set the password, it’s time to enable MFA for Sia’s user account. 

Step 2: Create a Permission Set for Multi-Factor Authentication

Enable MFA for select users by assigning the Multi-Factor Authentication for User Interface Logins user permission. You can do this step by editing profiles or by creating a permission set that you assign to specific users.

A permission set is a collection of settings and permissions that gives users access to various Salesforce features. Let’s create a permission set with the MFA permission.

  1. If you’re logged in as Sia, log out. Log in again as the system administrator of your Trailhead Playground.
  2. From Setup, enter Permission in the Quick Find box, then select Permission Sets.
  3. Click New.
  4. Label the permission set MFA Authorization for User Logins.
  5. Click Save.
  6. Under System, click System Permissions. Now you’re on the detail page for the MFA Authorization for User Logins permission set.
  7. Click Edit.
  8. Select Multi-Factor Authentication for User Interface Logins.
  9. Click Save, then click Save again to confirm permission changes.

You’re almost there! You just need to assign the permission set.

Step 3: Assign the Permission Set to Sia’s User

For now, assign the permission set just to Sia. Later, when you're ready to roll out MFA to the next group, you can assign the same permission set to other users.

If you’re not on the detail page for your new permission set, navigate back there.

  1. On the detail page of the new permission set, click Manage Assignments.
  2. Click Add Assignments. On the list of users, select the checkbox next to Sia’s user. (If you wanted, you could assign up to 1,000 users at a time.)
  3. Click Assign.
  4. Click Done.

Great! You’ve turned on multi-factor authentication for Sia. The next time Sia logs in, she’s prompted to provide a verification method as a second factor, in addition to her username and password.

Turn on MFA for Everyone in Your Org

Let’s fast-forward: You completed an MFA pilot program for Sia and several other users in your org. Over the following months, you carefully rolled out MFA for more users, one group at a time. You’re now ready to take the final leap: requiring MFA for everyone.

You can quickly complete your MFA rollout with a single checkbox. And if you don’t need a phased approach at all, you can skip right to this step! 

Here’s the quickest, easiest way to enable MFA for everyone in your org.

  1. From Setup, enter Identity in the Quick Find box, then select Identity Verification.
  2. Select the Require multi-factor authentication (MFA) for all direct UI logins to your Salesforce org checkbox.
  3. Click Save.

Yep, that’s all it takes. Everyone in your org, regardless of whether you previously assigned them the MFA user permission, is now required to complete MFA when logging in. 

At this point, you may have a burning question: What if some user accounts in my real-life org, such as test automation tool accounts, are exempt from the MFA requirement? Does this setting affect them too?

It’s true that the MFA requirement from Salesforce doesn’t apply to some types of users. If you have any exempt users, exclude them from MFA before you enable the org-wide setting you just practiced with. To learn which user types are exempt and how to exclude them, see Exclude Exempt Users from MFA in Salesforce Help.

How Users Register Salesforce Authenticator for MFA Logins

Like making an unannounced visit to a city in the clouds, it’s a bad idea to require multi-factor authentication without helping your users get at least one verification method. You probably won’t get frozen and taken prisoner, but you might get lots of calls when you least want them, like when you’re watching an epic motion picture. Fortunately, Salesforce makes it easy for you to help your users. Just have them download an authenticator app onto their mobile device and connect it to their Salesforce account. 

If users don’t download an app right away, it’s not a disaster. They’re prompted to register a verification method when they log in for the first time after you turn on the MFA requirement.

Sia Thripio, your new employee, wants to use the Salesforce Authenticator mobile app so she can take advantage of the cool push notification feature for fast authentication. Let’s see how the registration and login process works. Get your Android or iOS mobile device and pretend it’s Sia’s phone. You’re going to download the Salesforce Authenticator app and connect it to Sia’s Salesforce account.

Heads up that you’ll be jumping back and forth between two devices in the following steps. When you’re on your PHONE, you’re working as Sia in the Salesforce Authenticator app. When you’re on your DESKTOP, you’re logged in as Sia in your Trailhead Playground in a web browser.

  1. PHONE: Download and install Salesforce Authenticator for iOS from the App Store or Salesforce Authenticator for Android from Google Play.
  2. PHONE: Tap the app icon to open Salesforce Authenticator.
  3. DESKTOP: If you’re still logged in to your Trailhead Playground as a system administrator, log out.
  4. DESKTOP: Use Sia’s username and password to log in.
  5. DESKTOP: Salesforce prompts you to connect Salesforce Authenticator to Sia’s account.
  6. PHONE: Page through the tour to learn how Salesforce Authenticator works.
  7. PHONE: Enter Sia’s (your) mobile number to create a backup of the accounts that are connected to Salesforce Authenticator. Then tap the notification when prompted to complete the verification. You can skip creating a passcode for now. (Later on, Sia can create a passcode if she wants to set up a backup to restore her accounts.)
  8. PHONE: Tap the arrow to add Sia’s account to Salesforce Authenticator. The app displays a two-word phrase. (Hey, did you get an especially poetic or amusing phrase? Let us know! #Trailhead #AwesomePhrase #SalesforceAuthenticator.)
  9. DESKTOP: Enter the phrase in the Two-Word Phrase field.
  10. DESKTOP: Click Connect.
  11. PHONE: Salesforce Authenticator shows details about Sia’s account: her username and the name of the service provider—in this case, Salesforce.
  12. PHONE: Tap Connect.
  13. DESKTOP: Sia is logged in to her Salesforce account! She can go about her business.

Now, whenever Sia logs in to her Salesforce account, she gets a notification on her phone. She opens Salesforce Authenticator and checks the activity details. If everything looks right, she taps Approve and finishes logging in. 

What if someone else tries to log in with Sia’s username and password? You guessed it—she gets a notification about that too, and can tell Salesforce Authenticator to deny the login request. Phew!

Let's take a closer look at the data Salesforce Authenticator keeps track of.

  1. The service the user is attempting to access. In addition to Salesforce, you can use Salesforce Authenticator with the LastPass password manager and other services that require stronger authentication.
  2. The user who’s trying to log in.
  3. The action that Salesforce Authenticator is verifying. Other actions could show up here if you set up even tighter security. For example, you can require authentication when someone tries to access a record or dashboard. This process is called “step up” authentication.
  4. Information about the browser or app from which the login attempt is taking place, including the device that’s being used.
  5. Where the phone is located.

Automate the Authentication Process

Suppose Sia regularly logs in from the same place, such as the office, her home, or her favorite, dimly lit cantina. Tapping Approve on her phone could get old after a while. If she lets Salesforce Authenticator use her phone’s location services, she can tell the app to verify her activity automatically when it recognizes all the details. In other words, if she logs in from a particular spot using the same device and the same browser or app, she doesn’t even have to pull her phone out of her pocket. Salesforce Authenticator can handle the MFA requirement for her automatically! 

Let’s try it out.

  1. DESKTOP: Log out of Sia’s account and then log in as Sia again.
  2. PHONE: At the prompt, select Trust and automate this request, and then tap Approve.
    Salesforce Authenticator saves those details as a trusted request.
  3. DESKTOP: Log out of Sia’s account and log in again. Voila! You’re not prompted for approval. Salesforce Authenticator recognizes that all the details match the trusted request you saved before. Access granted automatically!

Any time Sia tries to log in with a different browser or device, or from a new location, she can add the new details to the Salesforce Authenticator list of trusted requests. She can save as many trusted requests as she likes, including ones for other accounts and actions. To view the trusted requests for an account, Sia taps the arrow icon, which opens the account details page.

The account details page lists trusted requests and login activity history. Verified Activities shows how many times Salesforce Authenticator has verified Sia’s login to Salesforce. Automations shows how many times Salesforce Authenticator logged Sia in automatically with a trusted request.

What if Sia no longer trusts a request? Simple. She swipes left. She can clear all trusted requests at once by selecting the Salesforce Authenticator settings icon and then Remove All Trusted Requests.

Sometimes an automated verification may not work, like when the data connection drops off. Not a problem. Sia just types in the TOTP code that Salesforce Authenticator displays.

Want to restrict users’ automated verifications to trusted IP addresses only, such as your corporate network? Or prevent them entirely? You can. When logged in as an admin, go to your org's Identity Verification Settings and change what’s allowed.

To learn the ins and outs of automation with Salesforce Authenticator, check out Salesforce Help: Automate Multi-Factor Authentication with Salesforce Authenticator and Optimize and Troubleshoot Automation in Salesforce Authenticator.

What Happens If Sia Loses Her Mobile Phone?

Good question. As you know, users crash or get marooned on desert planets and lose their phones. Happens all the time. If Sia loses her phone, gets a new one, or accidentally deletes Salesforce Authenticator, she has a few options. Sia can either restore her accounts from the backup she made earlier, or you can disconnect her account from Salesforce Authenticator and then she can re-register the app.

If Sia enabled account backups in her Salesforce Authenticator app, she’s in great shape. All she has to do is reinstall Salesforce Authenticator on her new phone. When she opens the app, she’ll see the option to restore her accounts from her backup. Sia enters the passcode she used when she backed up her accounts, and her accounts reappear on her phone.

What if Sia didn’t back up her accounts? Here’s what you can do to help.

  1. Log in as an administrator.
  2. From Setup, enter Users in the Quick Find box, then select Users.
  3. Click Sia’s name.
  4. On Sia’s user detail page, click Disconnect next to App Registration: Salesforce Authenticator.

The next time Sia logs in, if she doesn’t have another verification method connected, she’s prompted to connect Salesforce Authenticator again.

Note

If you want to uninstall the Salesforce Authenticator app, remove the MFA permission set from Sia's user details first. Otherwise, you can't log in as Sia in future units.

Monitor Who’s Logging In to Your Org

An important part of an admin’s job is to know who’s logging in to your org. That’s what Identity Verification History is for.

  1. Log in as the system administrator of your Trailhead Playground.
  2. From Setup, enter Verification in the Quick Find box, then select Identity Verification History.

Check out the Location column. It defaults to the user’s country, but you can get more detail by creating a custom view.
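One way to put that history to work is to triage an export of it for the events worth a follow-up: a push request the user denied, a burst of failed challenges, or a first success from a new country. This is an added example, not Salesforce code; the CSV column names, the status values and the sample rows are constructed assumptions about what an exported view might contain.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export. Column names and Status values are assumptions.
SAMPLE = """\
Username,Time,Method,Status,Country
user-c@example.com,2024-03-01T10:00:00,Security Key,Succeeded,United States
sthripio@example.com,2024-03-04T08:01:00,Salesforce Authenticator,Succeeded,United States
sthripio@example.com,2024-03-05T08:03:00,Salesforce Authenticator,Succeeded,United States
user-b@example.com,2024-03-05T09:00:00,TOTP,Failed,United States
user-b@example.com,2024-03-05T09:01:00,TOTP,Failed,United States
user-b@example.com,2024-03-05T09:02:00,TOTP,Failed,United States
user-b@example.com,2024-03-05T09:30:00,TOTP,Succeeded,United States
sthripio@example.com,2024-03-05T23:40:00,Salesforce Authenticator,Denied,Netherlands
user-c@example.com,2024-03-06T02:15:00,TOTP,Succeeded,Brazil
"""


def triage(csv_text, fail_threshold=3, window=timedelta(minutes=10)):
    """Return (username, time, reason) tuples for events worth reviewing."""
    rows = sorted(csv.DictReader(io.StringIO(csv_text)), key=lambda r: r["Time"])
    seen_countries = defaultdict(set)     # user -> countries with a past success
    recent_failures = defaultdict(list)   # user -> failure times inside the window
    findings = []
    for row in rows:
        user, when = row["Username"], datetime.fromisoformat(row["Time"])
        status, country = row["Status"], row["Country"]
        if status == "Denied":
            # The password was entered correctly and the user rejected the
            # push: treat the password as known to someone else and reset it.
            findings.append((user, row["Time"], "PUSH_DENIED"))
        elif status == "Failed":
            times = [t for t in recent_failures[user] if when - t <= window]
            times.append(when)
            recent_failures[user] = times
            if len(times) == fail_threshold:   # report once per burst
                findings.append((user, row["Time"], "REPEATED_FAILURES"))
        elif status == "Succeeded":
            if seen_countries[user] and country not in seen_countries[user]:
                findings.append((user, row["Time"], "NEW_COUNTRY"))
            seen_countries[user].add(country)
            recent_failures[user].clear()
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(*finding)
```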

Congratulations, administrator! You’ve seen how easy it is to turn on MFA for your users. We encourage you to explore other options for your MFA implementation, such as enabling security keys or built-in authenticators as alternative verification method options. Both of these options are a great choice if users don’t have a mobile device or if cell phones aren’t allowed on the premises. Now let’s learn how to get even more control over your login process in the next unit, “Customizing Your Login Process with My Domain.”
