Salesforce MFA and What You need to Know as an Agency
If you haven’t been paying attention to the buzz of 2022, Salesforce moved towards mandatory multi-factor authentication on February 1st. If you’re not familiar with multi-factor authentication, it means you need to prove who you are multiple times when logging in, instead of just using your username and password. Even if the terms are new, you have most likely experienced this with codes sent to our phone while logging into an online service.
With the current digital landscape and security concerns, it makes sense that a company like Salesforce wants to protect its clients by making multi-factor authentication the default. While this is best practice and a good idea for companies, it causes concerns with agencies or other entities that have specific use cases for sharing a login across multiple people. What if Person B at your company needs to log into an account, but the text code is sent to Person A who is unreachable. This can cause major issues with workflows and deadlines if someone is out of the office.
Don’t worry, we have good news! There is a way for agencies and multi-login users to function with Salesforce MFA. As Pardot & Salesforce consultants, we will share in this article how it all works with LastPass Teams, but this can also work with other password security platforms that offer similar utilities.
Some key points this article will cover are:
- Requirements with LastPass
- Working in tandem with Salesforce Authentication App
- Maintaining security with sharing within the agency
- How to set up Salesforce MFA with LastPass Teams
- How to log in with both options running
Requirements with LastPass
I wanted to touch on this right out of the gate. The free version of LastPass won’t work for this solution.
This may not be an issue for agencies who are already paying for the teams or business version of LastPass, but consultants or small shops using the free version may need to look at upgrading or a similar service with the available options (There is a slight workaround discussed later).
The key feature needed for all of this to work is the ‘One-time passcode:’ field on your saved LastPass passwords. We will be leveraging this field for our generated codes that users can use for Salesforce multi-factor authentication.
Working in tandem with Salesforce Authentication App
One of the major benefits is that you can have both the Salesforce authentication app and the one-time password for LastPass connected at the same time for a Salesforce user, allowing you to choose which option you want to log in with.
This is a great solution if you are using an existing person’s login or if there is someone outside of your LastPass org. They can follow the standard Salesforce MFA prompts and connect with the Salesforce Authentication App and have access. If someone has already connected the Salesforce app, you may need them to approve your first log-in or you can walk through the LastPass set up with them.
This is the slight workaround mentioned earlier. With the Salesforce authentication App on the external user’s phone, and the LastPass one-time code add to your teams account, They can still log in as needed and you are able to securely share the password and multi-factor authentication code within your agency.
Maintaining the LastPass security within the agency
One of the benefits of using the LastPass one-time code with Salesforce MFA is that you can still maintain security protocols while sharing this login with the rest of the agency. While it does require users to be able to click on the password-revealing eye to see the code, the one-time code itself stays with the password in its shared folder.
This means you can share an authentication method that works with Salesforce MFA with an entire team and If someone leaves the team you can remove their access to that folder and the authentication method. With just a few clicks you can increase or decrease access to a single login that functions with Salesforce MFA, ensuring your agency’s workflow isn’t disrupted by sick days or vacations.
How to set up Salesforce MFA with LastPass
Let’s get to the good stuff.
We will assume that a user was already prompted to set up the Salesforce authentication app when multi-factor authentication was turned on in Salesforce, since this is the default for organizations that enabled multi-factor authentication by the Feb 1st deadline.
- Log into the Salesforce account that you have access to
- If a user already has the Salesforce Authentication app connected. They may need to approve your log-in this first time.
- In the top right, click on your avatar and go to ‘settings’
- Once on the settings page, look for ‘Advanced User Details’ in the left-hand column. Look for the ‘App Registration: One-Time Password Authenticator’ and click ‘connect’.
- When you click Connect a QR code pops up. Ignore this and look for a link at the bottom that states ‘I Can’t Scan the QR Code’.
5. Once the next screen appears copy the text string that appears and open up your LastPass vault in a new tab (DON’T CLOSE THE CURRENT TAB AS YOU NEED THE STRING).
- In LastPass, edit the username and password that you use for logging in. Click on the words ‘Enter your secret key’.
- A lot of people try to click into the one-time passcode field here and get an error message. You need to click on the text ‘enter your secret key’
- Paste in the string of text from your Salesforce window and click Activate.
- Now, by clicking the eye to the far right, you can see a one-time generated code to use when asked for the code. This code will automatically update.
- You may need to allow a user to view password if the eye is not revealing the code for them.
- Copy this generated number code and go back to your Salesforce tab. Paste it in the ‘Verification Code’ field and click ‘connect’
You now successfully have two authentication methods for logging into Salesforce with multi-factor authentication enabled.
The original user can still authenticate with the Salesforce app on their phone and you, as well as anyone you shared this password or folder with, can use the one-time code attached the to LastPass password.
Logging Into Accounts
While not a complicated process, switching between the method you want to use when login into Salesforce MFA may not be completely obvious at first. Here are the steps to bypass the Salesforce app screen and log in with your LastPass generated code.
- Launch your LastPass password that has the one-time code attached to it and start the log in process.
2. When the Salesforce App Authentication screen pops up, select ‘Having Trouble’, at the bottom.
3. When the window expands, select ‘Use a Different Verification Method’, once again at the bottom
4. Select ‘Use a code from an authenticator app and click continue
5. Open Up your LastPass password, click the eye icon to see the code.
6. Copy the number code that is generated
7. Paste it into your login window to verify your identity and click ‘verify’
You have successfully logged in!