Salesforce MFA requirement (Multi-Factor Authentication), Coming February 1

Salesforce’s requirement that users implement MFA (Multi-Factor Authentication) is going to be upon us very soon. You’re probably getting notifications every time you log in. It’s not difficult to implement, but you’ll want to alert and inform your users, and be ready to provide support to them upon rollout.

I’ve provided some info below, and this four and a half minute video is the clearest, most concise guide I’ve seen. It may be all you need to roll this out.

1. Multi-Factor Authentication will affect how you log in to Salesforce. The basic reasoning behind this is that just asking for a username and password isn’t enough to protect sensitive information. In their words, “As security threats grow more common, it’s increasingly important to implement strong measures to protect your Salesforce data, your business, and ultimately, your customers. Usernames and passwords alone are no longer sufficient for guarding against unauthorized account access.”
2. This will be required starting February 1, 2022, though you can roll it out sooner. You can either put it in place for all users with a certain profile (all Sys Admins at one time, all Staff Users, etc) or on a per-user basis, but it will be forced upon all internal users come February 1.
3. The change affects internal users, but not portal or community users. The change may also affect API data exchanges with your website or other services. For third party services like payment processing, email services and so on, you’ll likely hear from them if there are any steps you need to take. You should test your own integrations ahead of time.
4. You will be using a cell phone app or a security key to verify your Salesforce logins. The simplest solution will be to download a free app from Salesforce to your phone, on which you’ll have to verify your login. Salesforce will no longer be using the “send an email/send a text” method because such messages can be intercepted. The alternative is to use a physical USB key that you’ll insert into your login device to confirm your identity.
5. Users will no longer be able to share a login or at least it will become increasingly difficult.