As a nonprofit, you regularly collect and store an enormous amount of digital personal information. Without your donors, members, and volunteers -- plus their names, addresses, and other contact information! -- you cannot accomplish your mission. You’re already committed to being a good steward of the money you raise, the land you care for, the people you serve; that must also apply to the data you store. Your data is valuable, and protecting it is vitally important.
If you’re using Salesforce, you’re already off to a great start with the built-in protections of the platform, and now Salesforce is rolling out new password policy requirements to help its users be good stewards.
Every password used in an organization is a security hole. The largest ransomware attacks and corporate data breaches have been caused by compromised passwords for noncritical systems that allowed access to critical systems. (Check out this post from early 2020 for our tip on how to protect your personal accounts from being compromised.) Requiring that you provide both something you know (your password) and something you have (your phone) makes it harder for your passwords to be compromised.
That’s the definition of multi-factor authentication, or “MFA.” MFA describes a security feature that requires a user to present two or more “factors,” or pieces of information, to prove their identity when logging in to the system. For example, this might look like logging in to Salesforce with your regular username and password, and then using an app on your phone to confirm your login attempt.
This video from Salesforce helps to explain these concepts further: https://www.youtube.com/watch?v=SzfsxtMqygI
Starting February 1, 2022, Salesforce will begin requiring customers to activate MFA protections on their accounts. We are encouraging our clients to take action now, and set up the Salesforce Authenticator app to authorize login attempts.
(If access to mobile phones is an unreasonable requirement for your Salesforce users, there are alternatives to using the mobile application; this is the default option we’re recommending for all of our clients, though.)
Here’s how to get started:
1. Download the Salesforce Authenticator App here:
2. Create a permission set called Multi-Factor Authentication and assign the permissions set to yourself, as shown in this quick video:
3. Follow the screen prompts to use the Salesforce Authenticator App to log in.
4. Discuss with your fellow staff members, develop a rollout schedule, and assign users the Permission Set you created based on the schedule.
Salesforce has provided a wealth of other information and documentation about this process -- here’s a collection of links if you want to dig in and learn more.
Journey to MFA: Launch Multi-Factor Authentication (a video walks you through all the steps we’ve described above)
Admin Guide to Multi-Factor Authentication (a slide deck covering the same process, plus some tips about how to ensure success)
Trailhead Module: Secure Your User’s Identity (earn your badge by following this step-by-step guide to setting up MFA)
Salesforce Multi-Factor Authentication FAQ (an epically long help document that covers just about anything else you can imagine on this topic!)