HELLO Salesforce Thinkers, in our previous blog we learned about Salesforce Data Security and Access – Part 1 (Introduction and Password Policies). In this blog we are going to learn about “Two-Factor Authentication”. We will continue our learning journey through a series of blogs that go deeper into the Salesforce Data Security Model, Visibility and Access.

Let’s get started,
Authentication means preventing unauthorized access to our org or its data by making sure each logged-in user is who they say they are.
Salesforce provides several methods to authenticate users. Some are enabled automatically, and some require us to enable and configure them.
Using this spectrum of user authentication methods, we can build authentication that fits our org’s needs and our users’ usage patterns.
These methods include two-factor authentication, single sign-on, My Domain, network-based security, session security, custom login flows, connected apps, and desktop client access.
In this blog we will go through Two-Factor Authentication.
Two-Factor Authentication:-
The most effective way to protect our org and its data is to require that users provide more than just a username and password. This is called Two-Factor Authentication, or 2FA.
The second factor of authentication provides an extra layer of security for our org. An admin can require it every time a user logs in, or only in some circumstances, such as when users log in from an unrecognized device, when a user meets certain criteria, or when they try to access a high-risk resource such as a report or a connected app.
After users successfully verify their identity with both factors, they can access Salesforce and start working.
What are the two factors?
- Something we know, such as a password.
- Something we have, such as a mobile device with an authenticator app installed.
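To make the two factors concrete, here is an added Python example (it is not code from this post or from Salesforce). Salesforce Authenticator itself works with push approvals, but Salesforce also accepts codes from a standard authenticator app, and that is what the code verifies: the first factor is a salted password hash, the second is a time-based one-time password per RFC 6238, the scheme such apps implement. The class and function names, the user “jay”, the password and the shared secret are all constructed for the example; the secret is the RFC 6238 test-vector key so the codes can be checked against the published values.

```python
import hashlib
import hmac
import os
import struct
import time

# Constructed demo values: nothing here is a real credential or Salesforce secret.
PBKDF2_ITERATIONS = 200_000
TOTP_STEP_SECONDS = 30


def hash_password(password, salt=None):
    """Factor 1, something you know: store a salted PBKDF2 hash, never the password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def check_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_time, digits=6, step=TOTP_STEP_SECONDS):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time. The phone and
    the server compute the same code from the shared secret and the clock."""
    return hotp(secret, int(at_time) // step, digits)


class TwoFactorUser:
    """Factor 2, something you have: the phone holds the TOTP secret enrolled at setup."""

    def __init__(self, username, password, totp_secret):
        self.username = username
        self.salt, self.password_hash = hash_password(password)
        self.totp_secret = totp_secret
        self.last_counter_used = -1  # highest time step already accepted (replay protection)

    def login(self, password, code, now=None, window=1):
        """Both factors must pass. A single False is returned whichever factor failed,
        so a caller cannot tell a stolen-but-correct password apart from a wrong code."""
        now = int(time.time()) if now is None else int(now)
        password_ok = check_password(password, self.salt, self.password_hash)
        counter = now // TOTP_STEP_SECONDS
        matched = None
        # Accept neighbouring steps to tolerate clock drift, but never a step at or
        # below one already used: a code sniffed from the user cannot be replayed.
        for candidate in range(counter - window, counter + window + 1):
            if candidate > self.last_counter_used and hmac.compare_digest(
                hotp(self.totp_secret, candidate), code
            ):
                matched = candidate
                break
        if password_ok and matched is not None:
            self.last_counter_used = matched
            return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test-vector key, constructed for the demo
    jay = TwoFactorUser("jay", "correct horse battery", secret)
    code = totp(secret, time.time())
    print("password only:", jay.login("correct horse battery", "12345"))   # False
    print("password + code:", jay.login("correct horse battery", code))     # True
    print("replayed code:", jay.login("correct horse battery", code, window=0))  # False
```

The point a practitioner should take from the block is the `last_counter_used` check: an attacker who has the password and shoulder-surfs one code still gets nothing once that code has been consumed, which is the property the rest of this post relies on.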

When can users be prompted for two-factor authentication?
- Every time they log in to Salesforce, including API logins.
- When they access a connected app, dashboard, or report. This is known as step-up or high-assurance authentication: the session is raised to a higher security level only when the user reaches the sensitive resource.
- During a custom login flow or within a custom app, for example, before reading a license agreement.
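The list above describes two different policies: challenging at login, and stepping up an existing session when it reaches a sensitive resource. The Python below is an added example, written for this post rather than taken from it or from Salesforce, that models both decisions. The session level names Standard and High Assurance are the ones Salesforce uses for session security; the `Policy` flags follow the permissions the post describes; the resource names, the `login` and `access` functions and the “unknown device” rule are constructed for the example.

```python
from dataclasses import dataclass

# Session security levels as Salesforce names them: a login verified with only a
# password yields a Standard session; one verified with a second factor yields a
# High Assurance session.
STANDARD = "Standard"
HIGH_ASSURANCE = "High Assurance"

# Constructed policy for this example: resources that require a High Assurance session.
HIGH_ASSURANCE_RESOURCES = {"report", "dashboard", "connected_app"}


@dataclass
class Policy:
    """Org-level settings, modelled after the permissions described in the post."""
    two_factor_ui_logins: bool           # "Two-Factor Authentication for User Interface Logins"
    two_factor_api_logins: bool = False  # the separate permission covering API logins
    challenge_unknown_devices: bool = True  # "log in from an unrecognized device"


@dataclass
class Session:
    username: str
    channel: str          # "ui" or "api"
    device_known: bool
    level: str = STANDARD


def login(policy, username, channel, device_known, second_factor_ok=None):
    """The first factor (password) is assumed already verified. Returns (session, outcome),
    where outcome is 'ok', 'second_factor_required' (challenge the user and call again
    with the result) or 'denied' (the second factor was attempted and failed)."""
    needs_second_factor = (
        (policy.two_factor_ui_logins and channel == "ui")
        or (policy.two_factor_api_logins and channel == "api")
        or (policy.challenge_unknown_devices and not device_known)
    )
    if not needs_second_factor:
        return Session(username, channel, device_known), "ok"
    if second_factor_ok is None:
        return None, "second_factor_required"
    if not second_factor_ok:
        return None, "denied"
    return Session(username, channel, device_known, HIGH_ASSURANCE), "ok"


def access(session, resource, second_factor_ok=None):
    """Step-up (high-assurance) authentication: a Standard session can open ordinary
    records, but must be raised to High Assurance before a report, dashboard or
    connected app is shown. Once raised, the session is not challenged again."""
    if resource not in HIGH_ASSURANCE_RESOURCES or session.level == HIGH_ASSURANCE:
        return "allow"
    if second_factor_ok is None:
        return "step_up_required"
    if not second_factor_ok:
        return "deny"
    session.level = HIGH_ASSURANCE
    return "allow"


if __name__ == "__main__":
    # Org that challenges only on step-up, not on every login.
    relaxed = Policy(two_factor_ui_logins=False)
    session, outcome = login(relaxed, "jay", "ui", device_known=True)
    print(outcome, session.level)                     # ok Standard
    print(access(session, "account_record"))          # allow
    print(access(session, "report"))                  # step_up_required
    print(access(session, "report", second_factor_ok=True), session.level)  # allow High Assurance
    # Org with the permission set from this post assigned: every UI login is challenged.
    strict = Policy(two_factor_ui_logins=True)
    print(login(strict, "jay", "ui", device_known=True)[1])  # second_factor_required
```

Note the failure mode `access` encodes: a failed step-up leaves the session at Standard rather than tearing it down, so the user keeps working on low-risk data but never sees the report. Whether that, or ending the session, is the right response is a policy choice an admin should make deliberately.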
Set Up Two-Factor Authentication for Every Login
We can set up two-factor authentication (2FA) for every login either through the user’s Profile or through a Permission Set. Here we use a permission set.
Log in as an admin and navigate to Setup.

Enter Permission in the Quick Find box, select Permission Sets, then click New.
Label the permission set “Two-Factor Authentication User Login” and click Save.

Type Two-Factor in the Find Settings box and click “Two-Factor Authentication for User Interface Logins”.

Click Edit, select the checkbox in front of “Two-Factor Authentication for User Interface Logins”, and click Save.

Now we assign the permission set to a user.
Click Manage Assignments and then Add Assignments. In the list of users, select the checkbox next to the user account for which you want to enable 2FA.

Click Assign and Done.

With that, we have set up two-factor authentication for our user Jay. When Jay logs in, he is prompted for a second factor of authentication in addition to his username and password.
To check it, from another browser navigate to the Salesforce login URL and enter Jay’s username and password.

When logging in for the first time after 2FA is enabled, the user sees a prompt to connect the Salesforce Authenticator app to their account.

But what does Jay use as the second factor?
Jay needs to get an authenticator app and connect it to his Salesforce user account before he can log in.
Connect the Salesforce Authenticator Mobile App to a User Account:
On his smartphone, Jay downloads and installs the “Salesforce Authenticator” mobile app and taps Open.
Tap “Allow” to receive notifications.
Page through the tour to learn how Salesforce Authenticator works.
Enter Jay’s mobile number to create a backup of his accounts. Then tap the notification when prompted to complete the verification. We can skip creating a passcode for now.
Later on, Jay can create a passcode if he wants a backup from which to restore his accounts.
Tap “Add Account”.

Note the phrase displayed on the phone.
Back in the browser, enter the phrase displayed on the phone and click “Connect”.

After this, we are prompted to check the mobile device to connect the Salesforce Authenticator app to the Salesforce login.
Tap Connect.

And now Jay is logged in to Salesforce.

Let’s Test It Again:
Desktop: from the browser, enter the username and password and click Log In.
Mobile device: we are prompted to approve the login request in the authenticator app.
From now on, whenever a 2FA-enabled user logs in to the account, they get a notification on the mobile device.
The user can approve the login directly from the notification, or open the authenticator app to approve the login to Salesforce.
The user opens the app and checks the activity details. If everything looks right, the user taps Approve on the phone.
If the user doesn’t recognize the activity, they tap Deny to block it.
Mobile device: tap “Approve” to log in to Salesforce.

On the desktop, we are logged in to Salesforce.
Having seen Two-Factor Authentication in action: even if someone gets hold of your username and password, they cannot log in to Salesforce, because the login must be approved in the Salesforce Authenticator app installed on your mobile device. This protection holds only as long as the user denies approval requests they did not initiate, so an unexpected request should always be denied rather than approved.
What if the user loses the mobile phone?
If the user enabled account backups in the Salesforce Authenticator app, all they need to do is reinstall Salesforce Authenticator on the new phone.
When the user opens the app, they see the option to restore their accounts from the backup.
The user enters the passcode that was used when backing up the accounts, and the accounts reappear on the phone.
What if the user didn’t back up the accounts? Here’s what an admin can do to help. Since disconnecting removes the user’s second factor, verify the requester’s identity through another channel before doing it.
- Log in as an administrator.
- From Setup, enter Users in the Quick Find box, then select Users.
- Click the user’s name.
- On the user detail page, click Disconnect next to App Registration: Salesforce Authenticator.
The next time the user logs in, if they don’t have another verification method connected, they are prompted to connect Salesforce Authenticator again.
Thank you for reading. I hope the blog is helpful.