You may have seen the announcement we recently made that beginning on February 1, 2022, Salesforce will start requiring all customers to implement multi-factor authentication (MFA). If so, you already know that MFA is one of the easiest, most effective ways to help prevent unauthorized account access and safeguard your Salesforce data. And in case you’re wondering, MFA is available at no extra cost for all Salesforce products.
Now that you’re caught up on the requirement, let’s talk about what that means for you as an admin — and your users. Driving user adoption for MFA may have its own set of challenges for admins with multiple Salesforce products. Since we know that a large portion of Salesforce customers have more than one product, we wanted to offer some suggestions of how to accomplish this exercise in change management. In this post, we’ll focus on the different ways to drive user adoption in a multi-cloud environment.
To enable MFA for direct logins or SSO — that is the question.
Before we dive into user adoption tactics, let’s do a quick overview of your options.
Option 1: Admins can enable MFA within each of their Salesforce products. Doing so will prompt your users to satisfy the MFA challenge each time they log in to one of your products.
Option 2: Many customers may find it easier to connect all of their Salesforce products to single-sign on (SSO), which would allow your users to log in one time, using the SSO interface. Just remember that if you choose to go the SSO route, Salesforce requires customers to also implement MFA for their identity provider.
For complete information about the requirement, visit the Salesforce Multi-Factor Authentication FAQ.
How can admins drive MFA adoption across different Salesforce products?
This may seem obvious, but arguably the most important early decision an admin can make in this process is to choose a verification method that works across all of your products. Verification methods that satisfy the MFA requirement include the Salesforce Authenticator app, standards-based TOTP apps, and security keys (see a more detailed explanation of what those are in our MFA Quick Guide). Once your users are set up with a verification method that works for any Salesforce product (not to mention other platforms you might be using), you remove any potential roadblocks associated with the user login experience.
It’s also important to think about the user experience if you enable MFA for multiple products. By creating a master rollout plan and timeline that combines all of your products, rather than rolling out each one individually, it reduces confusion for users. It’s always best to just dive in rather than postpone portions of the rollout.
Once you’ve selected your verification method(s) and your rollout plan is ready, a great way to drive MFA adoption is to run employee awareness campaigns. These campaigns should clearly communicate the timeline and include all of the change management information your users will need for all impacted products. You can even get creative and host competitions for users to see who can be among the first to use MFA!
Is it important to track user adoption?
Maximizing your visibility with robust reporting can be one of the best tools for driving user adoption. How are you supposed to know if you’re hitting adoption benchmarks if you don’t have accurate reporting?
Luckily, Salesforce offers a variety of ways to track MFA adoption in some of our products. This handy metrics blog post goes into detail about metrics for Salesforce Lightning products, and you can also reference the list below which includes options for tracking adoption in Salesforce Lightning products and Marketing Cloud.
- Lightning Usage App: Use the Login Metrics tab in the Lightning Usage App to monitor logins in your org. See how many users are logging in with your org’s various identity services, including MFA and SSO.
- Salesforce Optimizer: In Salesforce Optimizer, you can identify any users who are logging in without MFA, and then take actions to enable MFA for all users.
- Identity Verification History report: Use Identity Verification History to monitor and audit up to 20,000 records of your org users’ identity verification attempts from the past 6 months.
- MFA Dashboard (via the AppExchange): A comprehensive dashboard for monitoring, auditing, and reporting on MFA adoption and usage in your Salesforce org.
- View MFA events in Marketing Cloud: After you enable MFA for your Marketing Cloud tenant, you can review a log of all registration and verification attempts. This log includes enablement and revocation actions and authentication attempts. You can view all events in a tenant.
We’ve given you some good ideas about how to drive MFA adoption for your multi-cloud environment. If you’re still looking for more, check out the Salesforce Admins Podcast with Mat Hamlin about MFA and SSO the next time you’re out for a stroll.
Looking for more content and resources on security? Check out our Security for Admins page to dive in.