MFA the Salesforce Way: How Salesforce Rolled Out Multi-Factor Authentication Requirements

The digital economy works from anywhere, running on the backbone of trillions of connected devices on public and private networks. But as the need for remote work has grown, so too has the threat landscape. And where businesses are leaving gaps, cybercriminals are happy to exploit them. 

We believe protecting customer data is a shared responsibility between Salesforce and our customers. And because enabling multi-factor authentication (MFA) is one of the easiest, most effective actions businesses can take to help secure their data against the majority of common cyberattacks, Salesforce is now requiring all of its customers to use MFA to access Salesforce products. 

What is the Salesforce MFA requirement?

MFA is a secure authentication method that requires users to prove their identity by supplying two or more pieces of evidence (or “factors”) when they log in—something they know, such as their username and password, and something in their possession, such as an authenticator app or security key. 

MFA leads to long-term ROI

Whether a company uses the second factor or single sign-on (SSO) for MFA, there may be an initial upfront purchase with a vendor and an ongoing annual cost. But it’s not a sunk cost—adopting MFA can provide serious ROI. A recent Forrester Consulting study found that businesses could achieve up to 164% return on their MFA investment over three years with a payback in less than six months.

Salesforce rolls out MFA across products, services

In February 2021, Salesforce alerted customers that it would begin requiring them to enable MFA by February 2022 in order to log into Salesforce products. 

Of course, we wouldn’t ask our customers to do something that we wouldn’t do ourselves. Here’s how we brought MFA to thousands of employees across the globe:

MFA adoption requires planning, transparency, and communication

Adopting MFA at scale doesn’t happen overnight. It took time to educate employees and work out procedural kinks. For instance, our IT department had to come up with a process for quickly helping employees who broke or misplaced their security key or phone with the authenticator app. 

Based on what we learned from our internal MFA rollout, we notified customers a year in advance that the February 1, 2022 requirement was coming. We also created and shared a robust change management process to further enable our customers to be successful in their transitions to MFA. 

Incorporating the human element in a technology rollout

MFA is about protecting sensitive data, and it was important to reflect that in our communications and rollout — to make sure employees understood the change, and that they knew this would not be a major interruption to their day job. 

We onboard new employees and continually remind existing employees of the importance of MFA by integrating education about this topic into Salesforce’s Annual Security Training. Similarly, we developed a Trailhead module for our customers to help them better understand how and why MFA works. 

During our pre-pandemic rollout, we even planned a fun event to get employees engaged in the MFA transition. Those who downloaded the authenticator app to their phone were invited to our office cafes for free snacks, t-shirts, and coffee mugs. It was such a hit, we had lines out the door!

Enabling teams and managers to provide individual support for MFA adoption

Salesforce treats security as a team sport—it’s only effective if everyone is on the same page. No matter how diligent the communication process, there will always be stragglers. 

To help close this gap during our MFA rollout, we enlisted people managers to encourage their direct reports to sign up. We also provided avenues for employees to ask IT questions and help troubleshoot personally. We found that taking the assignment from mass communication to 1:1 discussions and support was very impactful. 

Though Salesforce today has a 100% MFA enrollment rate among its employees, it doesn’t stop there. Our team is now identifying new ways to evolve MFA, such as more streamlined processes and new verification methods. As we evolve in our use of MFA, so too will our understanding, and we will continue to share these advancements and learnings with our customers. 

For more information on the MFA requirement, please visit our FAQ.