Building a more secure future might seem risky: will customers easily adapt to stricter guardrails? Let’s think about multi-factor authentication. More and more, it’s plain to see that MFA presents an excellent balance between security and convenience when it comes to protecting our data.

Pain points remain, though. Leadership might believe that asking people to think beyond the password is a bridge too far. But about two-thirds of people who are aware of MFA use it regularly, according to our 2023 Oh Behave report. And 94% of people who’ve enabled it continue to use it. Our data does not support the view that MFA is too much to ask of people. Done right, it’s quick and convenient.

As adoption of multi-factor authentication (MFA) increases, Salesforce is a great recent case study about how to implement MFA across a vast customer base that spans many industries. 

On February 1, 2022, Salesforce began requiring all customers to use MFA when accessing its products, which include popular B2B platforms like Sales Cloud, Service Cloud, and Einstein. 

We asked Salesforce why they decided to require MFA adoption for all their products, what the challenges with this initiative were, and how the requirement is working two years after it was first implemented.  

MFA: Increasing security for all

The MFA requirement initially came from a need for security beyond a password. As a technology, passwords date back to the 1960s, and they’re no longer an effective means of securing accounts. A password is a single-factor system for authenticating, while multi-factor authentication (as the name implies) requires multiple forms of identifying information. Usually, this includes a password and another factor, which might be a fingerprint, signing into a stand-alone authentication app, or a new passkey system. 

"Trust is our number one value, and there’s nothing more important than the trust and success of our customers. We believe protecting customer data is a shared responsibility for Salesforce and our customers," explained Lynn Simons, senior director of security engagement at Salesforce. "As cyberattacks grow more common, passwords no longer provide sufficient safeguards against unauthorized account access." 

MFA provides an extra layer of protection against common security threats, like phishing, credential stuffing, and account takeovers. Implementing MFA increases security for both the customer and Salesforce.

The strategy

Requiring MFA across all its products not only demanded technical know-how, but also meant that Salesforce had to convince stakeholders it was the right thing to do. Luckily, the evidence of MFA's benefits is overwhelming – the United States Cybersecurity & Infrastructure Security Agency (CISA) says using MFA on account reduces the chance of a hack by 99%!

"Salesforce believes MFA is a critical component to securing account access," Lynn continued.

Although there is a potential risk of password compromise, it’s highly unlikely that a bad actor will also be able to guess or hack a code from the user’s authentication app.

Since February 1, 2022, Salesforce customers are required to use MFA to access Salesforce products. This means that all internal users who log in to Salesforce products, including partner solutions, through the user interface must use MFA for every login.

Importantly, Salesforce products include MFA functionality at no extra cost.

Using the most secure factors

While we believe any form of MFA is better than no MFA at all, the truth is that some factors are more secure than others. Your fingerprint is harder to compromise than an easy four-character password, for example. With their MFA initiative, Salesforce opted to support the most secure methods. 

"Salesforce offers MFA solutions that strike the balance between strong security and user convenience," Lynn said. 

Verification methods supported by Salesforce include:

• Salesforce Authenticator App: This proprietary mobile app option was created as a fast and frictionless solution of simple push notifications that integrate into the Salesforce login process.

• Third-Party Authenticator Apps: You can also fulfill the MFA requirement by using other standalone mobile apps, specifically apps that generate temporary codes based on the OATH time-based one-time password (TOTP) algorithm.

• Security Keys: These are physical devices that use public-key cryptography – today's most popular smartphones have these keys built in. 

• Built-In Authenticators: A desktop or mobile device’s built-in authenticator service, such as Windows Hello, Face ID or Touch ID. This option often involves biometrics, hard-to-fake identifiers that are unique to you, like your fingerprint or face.

Some second factors aren't as strong and are inherently more vulnerable to interception, spoofing, and other attacks. Because of this, Salesforce decided against the use of these as MFA options:

• Security questions: These might be guessed by publicly available information about the user. 

• One-time codes sent via email, text message, or phone call: If one of these accounts is compromised, then their MFA usefulness is pointless. Additionally, these methods are more easily compromised by MFA fatigue attacks. 

If you require MFA, we agree that you might as well use the strongest options available right now.

Results

As of 2024, Salesforce has a 100% enrollment rate among its employees, Lynn confirmed. All of Salesforce's software products, called clouds, offer MFA, and nearly all have helped customers secure their data by enforcing or auto-enabling MFA for their users.

"Thanks to the partnership of our customers and their commitment to safeguarding user account access, the program to automatically enable MFA has been extremely successful," Lynn noted.

Conclusion: Security is a team sport

For the past two decades, the NCA has been on a mission to empower everyone online to increase digital safety. We all have a role– companies, governments, websites, and individuals. Salesforce’s successful MFA requirement shows how one positive change can have ripple effects throughout the world – an estimated 150,000 companies use Salesforce throughout the globe, and now all of their employees and customers use MFA. 

"Security is a team sport – and is only as effective when everyone is on the same page," Lynn suggested. 

Best practices

Lynn recommended a few best practices for companies attempting to roll out an MFA strategy for the long term.

• Understand your workforce: For IT leaders, the first step includes understanding the company workforce, their interactions with essential technology, and where there are potential vulnerabilities in the system.

• Offer options that fit into existing workflows: Rather than implement a single piece of technology for all teams, enhancing existing solutions and offering solutions that suit a variety of workflows will make it more likely that MFA will work for everyone. An example of this would be Salesforce releasing its own authentication app that integrates with its products. 

• Make it easy for admins: Invest in developing the right learning materials and enablement support to make those managing MFA to navigate the transition seamlessly. 

For more information, Lynn recommends this module on Trailhead, Salesforce’s free online learning platform. The NCA also has many resources on MFA.