Back in March 2021, Salesforce made an announcement that initially attracted little attention but has profound implications. Starting February 1, 2022, Salesforce will require all customers to enable multi-factor authentication (MFA) to access their accounts. The company announcement explains that “all internal users who log in to Salesforce products (including partner solutions) through the user interface must use MFA for every login.”
Access security is your responsibility
The decision to make multi-factor authentication a requirement for accessing the Salesforce services follows the Biden Executive Order mandating MFA for all federal organizations and services. However, this strategic decision goes beyond mere access control. It touches the very heart of the shared responsibility concept of cloud security.
According to the shared responsibility principle, cloud service customers, such as Salesforce users, are responsible for their security in the cloud. They are responsible for encrypting the data stored in the cloud, encrypting this data while in transit and providing appropriate access controls to prevent unauthorized access to it.
Hence, the Salesforce requirement for MFA is reinventing the shared responsibility model of cloud security. In effect, with this MFA mandate taking effect on February 1, 2022, Salesforce is delegating responsibility for access security to its customers.
This move is a sensible one considering that Thales research suggests that 90% of cyberattacks utilize compromised credentials in some way. Although attacks targeting credentials are increasing in volume and severity, and MFA technology has come a long way since its inception, the adoption rate of multi-factor authentication is still low. In fact, as the Thales Access Management Index 2021 report indicates, MFA is not used across all users and computing environments.
Which is the preferred MFA option?
The shared responsibility model is also evident when deciding which authentication option to use to comply with the Salesforce MFA requirement. This is a question that relates both to available technology and to the operating environment.
As far as technology is concerned, the Salesforce MFA FAQ is straightforward: SMS texts, phone calls and emails are not a viable option for authenticating users to the platform, nor will VPN access override this requirement. Hence, Salesforce customers are left with two choices – use the native Salesforce MFA or use a third-party provider.
This is the beauty of shared responsibility in cloud security – you are free to opt for the best-of-breed authentication solution, the one that really meets your business and compliance requirements. The options seem countless – use your mobile phone as your authenticator, or use FIDO authentication with either a software or a hardware authenticator. The choice is yours.
However, before selecting an MFA solution, you will have to consider how a third-party MFA solution could protect additional apps and services – not only Salesforce. Important factors include:
- Flexible authentication options that can meet diverse user needs
- Ability to integrate easily into your environment
- Scalability and flexibility
Thales SafeNet Trusted Access is the perfect solution to meet the Salesforce MFA requirement. With powerful authentication and access policies, you can apply the right level of authentication to the right user wherever they are. SafeNet Trusted Access enables organizations to protect enterprise applications and scale securely in the cloud offering:
- A broad range of authentication capabilities to meet the diverse expectations and access requirements of all users
- Enhanced security with Smart SSO and policy-driven access controls
- A frictionless experience for your security teams
- Detailed audit trail of all access and authentication events
Security of your data is your own responsibility - learn how Thales SafeNet Trusted Access can help you meet the SFDC MFA requirement.