Salesforce Says, "Yes," To MFA
"You know how we tell the good guys from the bad guys? The bad guys shoot at us." Rick Yancey learned this from his father, a concept that can be applied to the cyber world. The "bad guys" are finding increasingly creative ways of compromising the security of the world's data containers. Salesforce is a major player in the CRM world these days, where each Salesforce organization is a data container. Major players become primary targets, so let's look at some things Salesforce is doing to help protect user and company data from the "bad guys" while still enabling access to the "good guys."
"Your password must contain an uppercase letter, a number, a haiku, a gang sign, a hieroglyph, and the blood of a virgin." Sound familiar? Password length and complexity requirements can frustrate users but are a great place to start when securing a system. Add an expiration date on the password, a maximum number of failed attempts, and possibly even a limited set of IP addresses that can log in, and you have done a lot to ensure the security of your system. Somehow, all of this has proved insufficient. Multi-factor authentication (MFA) is the solution for that. MFA is a combination of two or more of the following: 1) what you know (like a password), 2) what you have (like a mobile device), and 3) what you are (like a fingerprint). By a recent estimation, the Salesforce platform has around 411 instances, which equates to around 4.11M organizations (including sandboxes) at 10k/instance. With so many organizations, it's no surprise Salesforce is so interested in improving security. However, additional security measures can come at a cost to usability: they can sometimes keep out the "good guys," or cost so much time fighting the security policies that productivity declines.
MFA is a big deal
Users must be able to access systems in a way that is not too detrimental, but system security is a big deal. I haven't found any examples of large-scale Salesforce data loss due to compromised passwords, but there are plenty of other examples of compromised systems out there. Data is copied, sold, locked, and held for ransom or exploited in some other way. MFA is the current acronym used by Salesforce and Microsoft, but many will be familiar with 2FA (two-factor authentication), a term that was used earlier by Salesforce and is still used by Apple. Google uses the term 2SV (two-step verification). In any case, we are talking about the same concept: combining those security "factors" to increase the security of a system. Apple started forcing 2FA on or before Dec 2020. Google started requiring 2SV in Dec 2021. Salesforce will require MFA beginning Feb 1, 2022. Microsoft is pushing MFA on every front but hasn't enforced it yet. What does this mean for users? MFA is here, and it isn't going away anytime soon. The primary purpose of MFA isn't to track your location or increase the "relevance" of advertisements. It's here to protect the data we work with every day.
So, what about the corporate guys with many users accessing a plethora of systems on a weekly basis? I mean, how many passwords and authentication apps can one person use without becoming dazed and confused? Salesforce, like many others, has a well-implemented Single Sign-on (SSO) utility to help alleviate some of that pain. In SSO, the two sides of the coin are Identity Provider (IdP) and Service Provider (SP). The IdP is the system that confirms the identity of the user trying to log in, acting as a type of referral for the SP. Instead of using its own authentication to protect logins, the SP takes the referral from the IdP to authenticate the user. Salesforce can operate on both sides of that coin. Let's take a look at an example:
Jim owns a house, Eric owns a trusted local company called Eric’s Reliable Repair or Recovery Services, and Mike is the HVAC repairman who works for that company. Jim’s heat stops working at his house, so he calls Eric to send out an HVAC repairman. Jim doesn’t know Mike, so when Mike knocks on Jim’s door, Jim calls Eric to verify Mike really is the HVAC repairman. That’s how it works with SSO. A user can get access to an SP like Salesforce, even if Salesforce doesn’t know that user, because Salesforce trusts Google (or some other IdP) to act as the referral.
As mentioned, Salesforce can act as either the IdP OR the SP. As the IdP, Salesforce could be your common login for multiple apps (Salesforce, SAP, Microsoft, Google, etc.), thus requiring one username/password combo and one MFA app across the various configured user systems. As the SP, Salesforce can be accessed by providing credentials for another system, allowing a company to adopt Salesforce without requiring an additional username/password or MFA app. Users are frequently referred to as the "weak link" in the security of an information system. By using SSO, a company drastically reduces how much of their own security users have to manage, thus reducing risk. Fewer passwords and fewer apps should mean fewer "weak link" opportunities in the security chain.
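The referral flow described above, as an added example that is not part of the original post and is not Salesforce's code: a toy identity provider issues a signed assertion after it has authenticated the user, and a toy service provider accepts or rejects that referral without ever seeing a password. It goes one step beyond the text by having the IdP record which factors it verified, so the SP can enforce the MFA requirement from the earlier sections even though the SP itself never runs MFA. The entity identifiers, the shared secret and the factor names are constructed stand-ins, and an HMAC-SHA256 signature over a JSON document stands in for the XML signature a real SAML assertion carries; none of this mirrors any specific vendor's format.

```python
"""Toy single sign-on referral: an identity provider (IdP) vouches for a
user and a service provider (SP) trusts that referral instead of checking
a password itself. Added illustration only (not Salesforce code, not SAML
or OpenID Connect): a JSON assertion signed with HMAC-SHA256 over a secret
shared out of band stands in for a signed SAML assertion.
"""
import base64
import binascii
import hashlib
import hmac
import json
import time

# Hypothetical shared secret established when the SP was configured to
# trust the IdP (constructed sample value, not a real credential).
SHARED_SECRET = b"constructed-sample-secret-do-not-reuse"
SP_ENTITY_ID = "https://sp.example.test"    # hypothetical SP identifier
IDP_ENTITY_ID = "https://idp.example.test"  # hypothetical IdP identifier


def _sign(payload: bytes) -> str:
    """Signature that proves the assertion came from the IdP, not the user."""
    mac = hmac.new(SHARED_SECRET, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()


def idp_issue_assertion(username, factors, now=None, ttl=300):
    """IdP side: after authenticating the user, issue a signed referral.

    `factors` lists which MFA factors the IdP actually verified, e.g.
    ["password", "authenticator_app"]. The SP reads this to enforce its
    MFA policy without running a second factor of its own.
    """
    now = time.time() if now is None else now
    assertion = {
        "issuer": IDP_ENTITY_ID,
        "audience": SP_ENTITY_ID,        # which SP this referral is for
        "subject": username,
        "factors": sorted(set(factors)),
        "issued_at": int(now),
        "expires_at": int(now) + ttl,    # short lifetime limits replay
    }
    payload = json.dumps(assertion, sort_keys=True, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)


def sp_verify_assertion(token, now=None, require_mfa=True):
    """SP side: accept the referral only if it is genuine, meant for this
    SP, still fresh and (optionally) backed by at least two factors.

    Returns {"ok": True, ...} or {"ok": False, "reason": ...}.
    """
    now = time.time() if now is None else now
    try:
        payload_b64, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        assertion = json.loads(payload)
    except (ValueError, binascii.Error):
        return {"ok": False, "reason": "malformed"}
    # Constant-time comparison; check the signature before trusting any field.
    if not hmac.compare_digest(sig, _sign(payload)):
        return {"ok": False, "reason": "bad_signature"}
    if assertion.get("issuer") != IDP_ENTITY_ID:
        return {"ok": False, "reason": "unknown_issuer"}
    if assertion.get("audience") != SP_ENTITY_ID:
        return {"ok": False, "reason": "wrong_audience"}
    if not (assertion["issued_at"] <= now < assertion["expires_at"]):
        return {"ok": False, "reason": "expired"}
    if require_mfa and len(set(assertion.get("factors", []))) < 2:
        return {"ok": False, "reason": "mfa_required"}
    return {"ok": True, "user": assertion["subject"], "factors": assertion["factors"]}


def tampered_token(token, new_subject):
    """Rewrite the subject but keep the old signature, as a modified
    referral would look if the user edited it in transit."""
    payload_b64, sig = token.split(".", 1)
    assertion = json.loads(base64.urlsafe_b64decode(payload_b64))
    assertion["subject"] = new_subject
    payload = json.dumps(assertion, sort_keys=True, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + sig


if __name__ == "__main__":
    # "Eric" (IdP) vouches for "Mike" to "Jim" (SP), password plus app.
    good = idp_issue_assertion("mike", ["password", "authenticator_app"])
    print(sp_verify_assertion(good))                       # ok: True
    print(sp_verify_assertion(tampered_token(good, "eve")))  # bad_signature
    weak = idp_issue_assertion("mike", ["password"])
    print(sp_verify_assertion(weak))                       # mfa_required
```

The point of the example is where the trust sits: the SP checks the IdP's signature, the intended audience and the validity window, and then relies on the IdP's statement of which factors were verified. Every one of those checks is something a real SAML or OIDC integration performs, and skipping any of them (especially audience and expiry) is what turns a referral into something an attacker can replay or redirect.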
What did the hacker's out-of-office message say? "Gone phishin'!" Phishing attempts are a daily occurrence for many employees. The bad guys are motivated to exploit our data, but we can be ready for them. With strong passwords, some basic system security measures, MFA, and SSO, we can ensure the "bad guys" stay out while providing easy access to the "good guys."
About the author
Senior Salesforce Developer