Starting February 1, 2022, users must employ MFA to use Salesforce products. While the decision isn’t new (Salesforce first announced its plans last March), the deadline is fast approaching to enable MFA. Beyond Identity’s state-of-the-art, passwordless MFA can help organizations meet Salesforce’s new requirement with a solution that users will love. But first let’s go into the specifics of the new mandate.

Organizations can remain compliant by incorporating MFA through two methods:

• Via their SSO platform
• Enabling MFA in Salesforce itself

You can use Salesforce’s MFA Requirement Checker to ensure your implementation satisfies the new policy. If you only use a SSO, enabling MFA there satisfies the requirement. However, if you have a mix of SSO and non-SSO users, you’ll need to use both methods.

While using the requirement checker isn’t required, nor is there any certification necessary, Salesforce recommends using the application to ensure the transition is smooth for your users.

The new Salesforce MFA requirements

There is no particular method you must use, however, Salesforce prohibits specific practices that it sees as insecure. These include:

• One-time passwords sent via email, text, or phone call
• Using security questions
• Trusted devices, trusted networks, or VPN used on their own 

On that last point, Salesforce says that using a trusted device system is prohibited only when that factor is used on its own. However, the help documents state combining trusted device access with certificates in combination with a trusted corporate network is permitted. 

Salesforce’s moves are welcome and guarantee better security for the company’s products, but password-based MFA’s security issues are still present. MFA that relies on a second device adds a significant amount of friction to the authentication process, and, in the end, still uses a password as a factor.

Anything that creates friction will impact user experience, which affects overall adoption. Whether it’s reaching for that second device, remembering a complex password (likely stored in an insecure manner), or a host of other password-based issues, traditional MFA just doesn’t cut it and isn’t completely secure.

There’s a better way to implement MFA

Beyond Identity not only meets Salesforce’s MFA requirement, it also provides a layer of security unmatched by any other MFA solution on the market. Our passwordless MFA eliminates the traditional password with device-bound cryptographic keys and combines it with best-in-class risk-based authentication. Our platform is not only compliant with Salesforce’s new policies but other SaaS services requiring better security practices to access their products.

There’s no need for inconvenient hardware security keys or traditional MFA solutions that use passwords and other insecure factors. Our risk-based authentication platform uses more than two dozen signals to keep your organization’s (and Salesforce’s) data safe from attacks.

Beyond Identity’s authenticator runs on the device the user is logging in from (no second device needed) and uses only strong factors, like asymmetric cryptography and biometrics, which can’t be phished. Passwords are eliminated and replaced with secure credentials that cannot leave the device and cannot be accessed by anybody else. You can learn more about how Beyond Identity works and how it offers the strongest, most user-friendly passwordless MFA  for employees.

If you’re racing to meet the upcoming deadline or plan to deploy Salesforce in your organization after February 1, we’d love to show you how Beyond Identity can not only keep you compliant with the new mandate, but implement MFA in a way that delights your end users. Ask for a demo today, or check out the links below for more information on why organizations are passing on legacy, password-based MFA solutions for our modern state-of-the art platform.