Posted by Gerry Monroe, Senior Consultant
Two-factor authentication is an excellent way to keep your Salesforce account, or any account for that matter, secure. But two-factor authentication has a reputation for being inconvenient because one must carry around a device or token and type in a code in addition to a password. Fortunately, with the Salesforce Authenticator app on your mobile device you can automate two-factor authentication while still keeping log-in procedures convenient.
Additionally, two-factor authentication can be set up for only a subset of your users, or all of your users depending on your business requirements.
This post is going to cover an initial basic set-up of two-factor authentication and how to turn off two-factor authentication for when a user loses or upgrades their mobile device.
A few notes of caution before proceeding
First and foremost, do not create a situation where your entire Salesforce org is dependent on one mobile device. Mobile devices get lost or stolen or may go swimming while fishing; toddlers may use them for flotation tests in the bathroom…and the list goes on. Do not create a single point of failure. Assume that something bad will happen to the mobile device and have a Plan B. If all of your devices used for two-factor authentication will be in the same location, such as at home or flying on a plane, have a backup plan in case all of those devices are lost in the same event. After you have established those plans and start setting up two-factor authentication, don’t activate all of your users for this until you have tested this on a portion of your users. If you put all of your users on this and there’s a problem, then you risk not being able to log back into your Salesforce org. Until you have tested two-factor authentication thoroughly, you should have a set of users and at least one administrator that can log in using established procedures to roll users back out of any two-factor authentication configuration.
Always, always (and always), have an alternate administrator available. If you’re a small company or agency with only one administrator and that administrator uses two-factor authentication and somehow loses their device, getting back into your account may be difficult.
You can only connect one mobile device to a user. If you have more than one user accessing the same account, two-factor authentication may be inconvenient to use.
Here’s a general summary of what you will need to do:
1 – Install the Salesforce Authenticator on your mobile device.
2 – Create or modify a permission set or profile for two-factor authentication.
3 – Add users to the permission set or profile.
4 – Have the user log in and perform the initial set up of their two-factor authentication on their device.
First, install the Salesforce Authenticator on your mobile device.
- For Android devices: https://play.google.com/store/apps/details?id=com.salesforce.authenticator
- For Apple iOS devices: https://itunes.apple.com/us/app/salesforce-authenticator/id782057975?mt=8
To configure two-factor authentication in a Permission Set or a Profile that uses the Enhanced Profile User Interface, click on System Permissions and check the “Two-Factor Authentication for User Interface Logins” checkbox and save the Profile or Permission Set.
If you are using the Original Profile Interface, then scroll down to the “General User Permissions” section, check the “Two-Factor Authentication for User Interface Logins” checkbox and save the Profile. Now, let’s log in and see what happens the first time the user logs in.
When logging in for the first time, the user will need to establish the connection between their Salesforce account and their mobile device. When the browser prompts you to connect the Salesforce Authenticator app, go to your mobile device and start the Salesforce Authenticator app.
On your Salesforce Authenticator App, click ‘+ New Account’
This is my Salesforce Authenticator app screen. There is already an account configured on it. The new account created above is not yet visible on this screen. To connect to the new account, click the ‘+ New Account’ button.
The app will display a two-word phrase. In this case, the phrase is “central data.”
Type the two-word phrase, in this case “central data,” into the text box in your browser and click “Connect”
Your Salesforce Authenticator app will now ask you to confirm the connection by clicking “Connect.” After this, your account is set up and you are logged in.
When a user has been properly set up for two-factor authentication, the fields “App Registration: One-Time Password Generator” and “App Registration: Salesforce Authenticator” will show the “[Disconnect]” option on their User Detail page.
Now, the next time you log in, you will be prompted to approve the login.
If you select the ‘Always verify from here’ option, your login will automatically be approved when your device is at an approved location; for instance, your office or home. There may be a slight delay in logging in but you will not have to access your device. I have found that occasionally, due to issues with my device determining its location, I may have to reapprove my location in the Salesforce Authenticator app.
There will be times when you want to disconnect the Salesforce account from the mobile device, for instance when the device is lost, stolen, upgraded or malfunctions. To do that, please perform the following:
To disconnect an account from SF Authenticator, go to the User Detail page and click Disconnect for the “App Registration: One-Time Password Generator” and “App Registration: Salesforce Authenticator” fields. Then perform this set-up process again.
A couple of notes here. Although these issues have been resolved by Salesforce, I report them here just to give history and insight into how the Salesforce Authenticator works.
- Previously, when the user traveled to another time zone, the Salesforce Authenticator would stop working because the time-based token was an hour or more off depending on the time zone. When this happened, the user would have to uninstall the Salesforce Authenticator, reinstall it and then have their account connection reset.
- If there is a persistent problem with the application, an admin can go into Salesforce and simply remove the user from the two-factor authentication permission set until the problem is resolved.