Salesforce to require MFA for all users starting next month
Image: Salesforce, CHUTTERSNAP
Catalin Cimpanu January 7, 2022

Salesforce to require MFA for all users starting next month

Salesforce to require MFA for all users starting next month

Salesforce, the world’s largest customer relationship management (CRM) platform, said that customers must have a form of multi-factor authentication (MFA) turned on starting next month, or they won’t be able to access their accounts.

“Beginning February 1, 2022, Salesforce will require customers to use MFA in order to access Salesforce products,” the company said in a support document published last month.

Companies that use Salesforce as a CRM will have to enable a form of MFA for their accounts or see employees cut off from accessing their sales platforms.

Salesforce said that only certain types of MFA methods would be supported, including:

  • Salesforce Authenticator mobile app (available on the Apple App Store or Google Play Store)
  • Time-based one-time passcode (TOTP) authenticator apps, like Google Authenticator, Microsoft Authenticator, or Authy.
  • Security keys that support WebAuthn or U2F, such as Yubico’s YubiKey or Google’s Titan.
  • Built-in authenticators, such as Apple’s Touch ID and Face ID, or Windows Hello.
Salesforce-Authenticator
Image: Salesforce Authenticator app

MFA solutions that rely on sending one-time passcodes via email, phone, or SMS messages won’t be allowed “because these methods are inherently vulnerable to interception, spoofing, and other attacks,” Salesforce explained.

“We encourage users to register multiple verification methods so they have a backup in case they forget or lose their primary method,” the company also added.

The mandatory MFA enforcement will apply to all of Salesforce’s primary cloud products, such as:

  • Products built on the Salesforce Platform, including: Sales Cloud, Service Cloud, Analytics Cloud, B2B Commerce Cloud, Experience Cloud, Industries products (Consumer Goods Cloud, Education Cloud, Financial Services Cloud, Government Cloud, Health Cloud, Manufacturing Cloud, Nonprofit Cloud, Philanthropy Cloud), Marketing Cloud–Audience Studio, Marketing Cloud–Pardot, Platform, Salesforce Essentials, Salesforce Field Service, and partner solutions
  • B2C Commerce Cloud
  • Marketing Cloud–Datorama
  • Marketing Cloud–Email Studio, Mobile Studio, and Journey Builder
  • MuleSoft Anypoint Platform
  • Quip

Salesforce said MFA support would be available at no cost for its users and that it’s taking this step solely to improve security and to protect customer accounts.

The company’s decision was initially announced last March, and most customers had been notified about the new requirement since at least February 2021, a year ahead of the enforcement, so they’d have time to prepare.

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.