
Mandate MFA: Take A Bold Step Toward A Secure Future

Cybersecurity for Business

Feb 28, 2024

Making online platforms, services, and devices more secure by default is a good idea. But is it easy? Is it popular?

Building a more secure future might seem risky: will customers easily adapt to stricter guardrails?


Let’s think about multi-factor authentication. More and more, it’s plain to see that MFA presents an excellent balance between security and convenience when it comes to protecting our data.


Pain points remain, though. Leadership might believe that asking people to think beyond the password is a bridge too far. But about two-thirds of people who are aware of MFA use it regularly, according to our 2023 Oh Behave report. And 94% of people who’ve enabled it continue to use it. Our data does not support the view that MFA is too much to ask of people. Done right, it’s quick and convenient.


As adoption of multi-factor authentication (MFA) increases, Salesforce is a useful recent case study of how to implement MFA across a vast customer base that spans many industries.


On February 1, 2022, Salesforce began requiring all customers to use MFA when accessing its products, which include popular B2B platforms like Sales Cloud, Service Cloud, and Einstein. 


We asked Salesforce why they decided to require MFA adoption for all their products, what the challenges with this initiative were, and how the requirement is working two years after it was first implemented.  


MFA: Increasing security for all

The MFA requirement initially came from a need for security beyond a password. As a technology, passwords date back to the 1960s, and they’re no longer an effective means of securing accounts. A password is a single-factor system for authenticating, while multi-factor authentication (as the name implies) requires multiple forms of identifying information. Usually, this includes a password and another factor, which might be a fingerprint, signing into a stand-alone authentication app, or a new passkey system. 

"Trust is our number one value, and there’s nothing more important than the trust and success of our customers. We believe protecting customer data is a shared responsibility for Salesforce and our customers," explained Lynn Simons, senior director of security engagement at Salesforce. "As cyberattacks grow more common, passwords no longer provide sufficient safeguards against unauthorized account access."


MFA provides an extra layer of protection against common security threats, like phishing, credential stuffing, and account takeovers. Implementing MFA increases security for both the customer and Salesforce.


The strategy

Requiring MFA across all its products not only demanded technical know-how, but also meant that Salesforce had to convince stakeholders it was the right thing to do. Luckily, the evidence of MFA's benefits is overwhelming – the United States Cybersecurity & Infrastructure Security Agency (CISA) says using MFA on an account reduces the chance of a hack by 99%!


"Salesforce believes MFA is a critical component to securing account access," Lynn continued.


Even if a password is compromised, it’s highly unlikely that a bad actor will also be able to guess or obtain the current code from the user’s authentication app.

Since February 1, 2022, Salesforce customers have been required to use MFA to access Salesforce products. This means that all internal users who log in to Salesforce products, including partner solutions, through the user interface must use MFA for every login.

Importantly, Salesforce products include MFA functionality at no extra cost.


Using the most secure factors

While we believe any form of MFA is better than no MFA at all, the truth is that some factors are more secure than others. Your fingerprint is harder to compromise than an easy four-character password, for example. With their MFA initiative, Salesforce opted to support the most secure methods. 


"Salesforce offers MFA solutions that strike the balance between strong security and user convenience," Lynn said. 


Verification methods supported by Salesforce include:


  • Salesforce Authenticator App: This proprietary mobile app option was created as a fast and frictionless solution based on simple push notifications that integrate into the Salesforce login process.

  • Third-Party Authenticator Apps: You can also fulfill the MFA requirement by using other standalone mobile apps, specifically apps that generate temporary codes based on the OATH time-based one-time password (TOTP) algorithm.

  • Security Keys: These are physical devices that use public-key cryptography – today's most popular smartphones have these keys built in. 

  • Built-In Authenticators: A desktop or mobile device’s built-in authenticator service, such as Windows Hello, Face ID or Touch ID. This option often involves biometrics, hard-to-fake identifiers that are unique to you, like your fingerprint or face.


Some second factors aren't as strong and are inherently more vulnerable to interception, spoofing, and other attacks. Because of this, Salesforce decided against the use of these as MFA options:


  • Security questions: These might be guessed by publicly available information about the user. 

  • One-time codes sent via email, text message, or phone call: If one of these accounts or channels is compromised, the code provides no additional protection. Additionally, these methods are more easily compromised by MFA fatigue attacks.


If you require MFA, we agree that you might as well use the strongest options available right now.
