Salesforce MFA

The Salesforce ecosystem is worried at the idea that MFA will be enforced on all orgs, on Tuesday, February the 1st 2022. "How to prepare all the users for this change", "What if the users aren't ready", "Is there a risk to block prod"? The tension is intense for those aware, those who don't know this is happening are still sleeping as usual. How to manage the change? This is the question this post is going to try and answer.

MFA vs. TLS 1.1

It looks to me that Salesforce learnt its lesson with the move to TLS 1.1. The move to MFA is not a turn-off/turn-on story anymore. It's more gradual, it's more of a legal commitment to your favourite vendor (Salesforce). So, as a result, there is more flexibility on the date choice, your environment specificities are taken into consideration and, in the end, you can speak and negotiate with your Salesforce AE! I would personally recommend all Salesforce customers to start the conversation ASAP with Salesforce and start planning if not already done. January is going to go very fast in this respect!

The Approach

So, whereas I was planning to give technical clues in this article and suggestions about the best ways to move to MFA I will stop there: engage with Salesforce and agree on a timeline and action plan to move to MFA.

At a high level you want to consider the users' populations you are dealing with:

1. All non-SSO internal users: Setup MFA from the Salesforce setup pages.
2. All SSO-internal users: Setup MFA from your SSO Identity Provider.
3. All external users: Experience Cloud No need to enforce MFA at this time (Is MFA required for customer and partner Experience Cloud sites?).

Only platform based Clouds are working with the date of Tuesday, February the 1st 2022. Other Clouds (Marketing, FSL, etc...) follow the same principle but with a different calendar.

The Action Plan

A few words about these suggestions from Salesforce:

1. Take this change seriously and put as many resources as can (Learn). Then tick the (security) box for a while and return to BAU.

I suggest focusing on Salesforce resources (hostname = *.salesforce.com)

1. In "Evaluate" read "Test"! Don't expect a good outcome if you shoot beside the actual target. You do need to validate you understand 100% the upcoming change. Get on a sandbox ASAP...
2. To "Prepare Users" you want to communicate with all of them. Don't underestimate this point. Users can be blocked just because they didn't understand and that would result in part of your CRM investment being thrown out!
3. In "Implement" don't forget your own support team. The helpdesk must be fully aware of what's going on, be prepared for a surge of calls and know what to do.
4. I would suggest "Launch" before the actual date suggested by either Salesforce or your AE. This way, you can do a roll-back if it comes down to it.

Useful Resources

If there is something to accept is that, albeit this MFA story is meant to be a big change, Salesforce is providing quite a few documentation about what going to happen. I suggest you (1) master the documentation first then (2) jump on a phone call with your AE and (3) express your feelings, concerns or otherwise.

The Salesforce AEs will be capable to help you out while staying compliant with your legal obligations...

Key Resources

• Salesforce MFA introduction video
• Salesforce MFA eBook 1
• Salesforce MFA eBook 2
• Salesforce MFA KB Article
• Salesforce MFA FAQ (the Bible)
• Salesforce Security Micro-Site On MFA
• Salesforce Security MicroSite On SSO and MFA

Secondary Resources

• Salesforce Trailhead
• Salesforce MFA calendar per Cloud
• Salesforce MFA Rollout Pack

Summary

MFA is a very important change that Salesforce is going to force on us. This technological change is meant to increase the level of protection of our orgs. So, as such, it's a good thing!

Having said that you need to come prepared and avoid any downside. Because of the legal implications, I would suggest you get in contact with your Salesforce AE and agree on the action plan (in writing). Read any content you may find on the web but favour Salesforce resources as there is a notion of commitment you will need to rely on.