Last week I presented together with a colleague at Salesforce World Tour in Oslo, Norway, on Salesforce security and among other things we covered the upcoming changes to the MFA (multi-factor authentication) requirements for internal user logins to Salesforce Sales and Service Cloud. This sparked a lot of discussion after the session, so it seems more focus on this is needed. There are a number of things you should make a note of and act on if you’re a Salesforce administrator:
- This applies both to production environments (orgs) and to sandbox environments
- The employed MFA must be strong, i.e. email and SMS are not enough
- Even if MFA is performed at an identity provider, it will only be recognized by Salesforce if it is signaled using the industry-standard amr / acr claims
- There are even stronger MFA requirements for admins / privileged users, i.e. users with Modify All Data, View All Data, Author Apex or Customize Application permissions
- This applies only to logins through the user interface, i.e. OAuth flows without any user interface component are not affected (e.g. the client_credentials flow)
- Ensure your contact details are up to date with Salesforce, and monitor and act on communication from Salesforce
I’ve created a script to help you find the privileged users, as the permission may be assigned using profiles, permission sets or permission set groups. The script is in my salesforce-mfa-requirement GitHub repo.
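As an added illustration (not the script from the repo), here is how the three assignment paths can be resolved over exported permission data: object and field names follow the Salesforce API (PermissionSet, PermissionSetAssignment, PermissionSetGroupComponent), while the users, permission sets and group below are constructed sample records.

```python
# Added example (not the author's script): resolve which users hold a privileged
# permission via a profile, a permission set or a permission set group. A profile
# is a PermissionSet with IsOwnedByProfile = true. All records are constructed.
PRIVILEGED_FLAGS = ("PermissionsModifyAllData", "PermissionsViewAllData",
                    "PermissionsAuthorApex", "PermissionsCustomizeApplication")

def _ps(ps_id, name, profile, *granted):
    # Build a PermissionSet-like record; flags not listed in `granted` are False.
    rec = {"Id": ps_id, "Name": name, "IsOwnedByProfile": profile}
    rec.update({f: (f in granted) for f in PRIVILEGED_FLAGS})
    return rec

PERMISSION_SETS = [
    _ps("PS-ADMIN", "System Administrator", True, *PRIVILEGED_FLAGS),
    _ps("PS-STD", "Standard User", True),
    _ps("PS-REPORTS", "Report Builder", False, "PermissionsViewAllData"),
    _ps("PS-DEV", "Apex Developer", False, "PermissionsAuthorApex"),
]
# PermissionSetGroupComponent: the permission sets that make up each group.
GROUP_COMPONENTS = [{"PermissionSetGroupId": "PSG-DEV", "PermissionSetId": "PS-DEV"}]
# PermissionSetAssignment: profile/permission set assignments carry a PermissionSetId,
# a group assignment carries a PermissionSetGroupId.
ASSIGNMENTS = [
    {"AssigneeId": "alice", "PermissionSetId": "PS-ADMIN", "PermissionSetGroupId": None},
    {"AssigneeId": "bob", "PermissionSetId": "PS-STD", "PermissionSetGroupId": None},
    {"AssigneeId": "bob", "PermissionSetId": "PS-REPORTS", "PermissionSetGroupId": None},
    {"AssigneeId": "carol", "PermissionSetId": "PS-STD", "PermissionSetGroupId": None},
    {"AssigneeId": "carol", "PermissionSetId": None, "PermissionSetGroupId": "PSG-DEV"},
    {"AssigneeId": "dave", "PermissionSetId": "PS-STD", "PermissionSetGroupId": None},
]

def privileged_users(permission_sets, group_components, assignments):
    """Return {user_id: sorted 'source: permission' paths} for users holding a privileged permission."""
    by_id = {ps["Id"]: ps for ps in permission_sets}
    members = {}
    for comp in group_components:
        members.setdefault(comp["PermissionSetGroupId"], []).append(comp["PermissionSetId"])
    findings = {}
    for a in assignments:
        if a.get("PermissionSetGroupId"):
            # Group assignment: expand to the group's component permission sets
            # (the group's aggregated PermissionSet record is not needed here).
            gid = a["PermissionSetGroupId"]
            sources = [(f"group {gid} -> {pid}", by_id[pid]) for pid in members.get(gid, [])]
        else:
            ps = by_id[a["PermissionSetId"]]
            sources = [(("profile " if ps["IsOwnedByProfile"] else "permset ") + ps["Name"], ps)]
        for label, ps in sources:
            for flag in PRIVILEGED_FLAGS:
                if ps.get(flag):
                    findings.setdefault(a["AssigneeId"], set()).add(f"{label}: {flag}")
    return {user: sorted(paths) for user, paths in findings.items()}
```

Every user returned should be checked against the stronger admin MFA requirement; a user that only appears through a group or permission set path is easy to miss when reviewing profiles alone.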
The simple and easy solution for enterprise customers is to ensure the IdP sends the required claims to Salesforce and use passkeys for sandbox login.