May The Salesforce Be With You

Data Security breaches are flooding the news and the costs of these incidents worldwide are running in the trillions of dollars. The reputation of companies was severely damaged overnight by breaking their customers, business partners and employees trust in case of an incident. Most importantly, the personal suffering that arises from being the victim of cybercrime can have a huge negative impact on our lives.

One of the main reasons for the enormous increase in data security breaches is the domination of cloud based platforms in the enterprise software market. We cannot hold these cloud suppliers accountable for all that goes wrong though: security is a shared responsibility. When a software company stores your password securely somewhere on their servers, it is also your responsibility to make sure this password cannot be retrieved (… from that post-it on your monitor …).

Salesforce announced that, as of February 1, 2022, they will begin requiring customers to enable multi-factor authentication in order to access Salesforce products. Multi-factor authentication is one of the measures that can be taken to protect the data in your company.

Salesforce appeals to your shared responsibility: the functionality of their multi-factor authentication is solid, available at no extra cost and is easily configured, but it is the task of your company to decide on the use of authenticator apps, bring your own device policies, hardware keys and possibly (re)configure single sign-on. 2022 might look like a distant future, but discussions around security should not be postponed and be brought to managers attention as soon as possible.. Acting now will help save a lot of headache next February.

To have a smooth and constructive talk about multi-factor authentication with your team or your Salesforce implementation partner, it is a good idea to fully understand the definition of some high level terms concerning access control. Terms like identification, authentication and authorization are often used as if they are interchangeable, but these terms do have their own definitions. Let us take a couple of minutes to scratch the surface and get acquainted with access control…

Access Control

General access control in computer security consists of three main topics: authentication, authorization, and audit.

Authentication is the act of proving an assertion, such as the identity of a user. Identification is the act of indicating a person's identity, and authentication is the process of verifying that identity.
Authorization is the definition of an access policy. It defines which permissions the user gets in relation to the resources.
Auditing is the process of tracking and reviewing events, errors, access, and authentication attempts on the system.

We can map these terms to your experience in Salesforce:

When you login to Salesforce you identify yourself with your username and youauthenticate yourself with your password. The system will verify your identity with the password stored in the system when you registered.
Upon successfull verification, you areauthorized to access certain parts of the data and functionality in the Salesforce environment.
Salesforce keeps track of login activity and events such as data export and set up changes, so a supervisor can intervene when detecting anomalies in user behavior. This is the auditing part of acces control.

Authentication

There are generally four ways to authenticate yourself. They are based onknowledge (something you know, such as a password or PIN),possession (something you have, such as a smartcard or a phone),inherence (something you are, biometrically. Think of fingerprint scan or facial recognition) andlocation (where you are, such as geo location or IP address).

As the name implies multi-factor authentication requires users to prove their identity with more than one verification method. These methods should ideally not be of the same type.

The extra factor in the authentication process when logging in to Salesforce is based on possession. This means that, as early as next year you will log in with your password, but you will also have to provide a one-time password from an authenticator app on your phone or from a hardware key you plug into your computer. This strong verification method Salesforce requires is based on the idea that although it is possible that your password gets comprised and that your device gets stolen, in practice it is very unlikely people with bad intentions can get their hands on both of them.

Basically there are two options to consider when implementing multi-factor authentication in Salesforce:

Authenticator app

The first option is to roll out the usage of an authenticator app. An authenticator app will generate a one-time password you need to provide to Salesforce after you authenticated with your password. An authenticator app is free to download and users can manage setting up the extra authentication themselves easily. Salesforce has its own dedicated authenticator app which has the benefit of creating push messages, but you are also free to use the time-based one-time passwords from a third party authenticator app (such as Google or Microsoft) if it is already installed or is preferred in another way.
This option may not be the best for everyone though. There might be a policy in your company that prohibits employees from having their mobile phone at their desk, or maybe there is a policy against using own devices in general. You also cannot force users to download the software on their own devices; there might be users that do not want to use their own devices for business purposes.

Hardware Keys

The other option is to provide hardware keys for your users. Hardware keys are the most secure authentication option today because with current technology they are impossible to copy or emulate, intercepting their dataflow is virtually impossible. Hardware keys are more user friendly because there is no hassle with using an app on your phone every time you need to log in. The setup of the key in Salesforce is easy and can be done by the end users themselves.
A hardware key does have a price tag: it costs between 20 and 70 euros, depending on the protocols it supports, compatible ports and the overall quality of the key. You will have to inventorize and possibly define a company policy on hardware and browser preferences because of compatibility. You might also need to come up with a policy regarding the loss or distruction of the keys.

The subject of authentication seems quite straightforward at first but when researching, a lot of questions might pop up: 'What if I lose my key or forget my phone?', 'Can we not just use the email or SMS verification Salesforce sometimes sends?', 'How does this impact shared accounts?'. There are sensible answers to all these viable questions and we will gladly clarify them to you. But know that in the end you will have to decide if you will start using authenticator apps or hardware keys, there are no workarounds. Both options have their pros and cons and it is up to you to decide what best suits your company.

One might want to consider delegated authorization in parallel with the implementation of multi-factor authentication. When Salesforce authorization is delegated to a single sign-on provider where authentication is already setup with multi-factor authentication you do not have to add extra authentication in Salesforce. When there is already a wish for implementing single sign-on in your organization you now have a reason to prioritize it.

Salesforce has documented multi-factor authentication thoroughly and really takes you by the hand in a step by step setup process. So the setup itself is not the challenge we have. The challenge comes with choosing the right tools and models that fit your company specific policies and preferences.

Although setting up multi-factored authentication is not that complicated, there are a lot of things you need to take into consideration. A partner can help you choose the right tools and help you with the setup. Brightfox consultants are fully qualified to assist you with your multi-factor authentication project. You can contact us through our website (www.brightfox.eu) or via email (info@brightfox.eu).

We'd be pleased to answer your questions on the subject and help you decide which option suits best for your organization. Contact us at any time.