Why does Salesforce require MFA for all month?

Asked by EllaClarkson in Salesforce, asked on May 8, 2023

I enabled MFA in my organisation; my users are using the Microsoft Authenticator app. My users' concern now is that they are required to enter the code (one-time password) every time they log in. Is there any setting to prevent this behaviour on every login when using the same location, computer, and browser? Salesforce's documentation says the following: "All internal users who log in to Salesforce products (including partner solutions) through the user interface must use MFA for every login".

Does that mean the code is required every time? I used the Salesforce Authenticator and there is an option in the app to trust the user's location, but with a third-party authenticator there is no such option, and "Don't Ask Again" is not present in the verification screen below either. Please advise.

Answered by Dipika Agarwal

Salesforce requires MFA for all month because Multi-Factor Authentication (MFA) adds another layer of security to your login process by requiring users to enter two or more pieces of evidence (or factors) to prove they're who they say they are. In this example the factors are:

Username and password

Authenticator app

Your question is asking why the code is required in every login and the answer is because that is what MFA is. Without it, you don't actually have MFA (just username and password).

There is no "Don't ask again" prompt. You might have gotten used to seeing that prompt for the Device Activation/Identity Verification feature Salesforce provides. It was a prompt that would appear if the user logged in from an unrecognised device (or the user's IP was outside the trusted IP range). However, it's explicitly mentioned in the Salesforce Multi-Factor Authentication FAQ:

Some Salesforce products include a feature called Device Activation, or Identity Verification. This functionality is sometimes confused with MFA.

Device Activation requires users to provide an additional authentication factor if they log in from an unrecognised browser or device, or if the user's IP address is outside a trusted IP range. Supported verification methods for this feature include email and SMS text messages, as well as strong methods like Salesforce Authenticator, third-party TOTP authenticator apps, and security keys.

MFA, on the other hand, requires users to supply a strong verification method every time they log in. Email and SMS text messages aren't allowed for MFA logins because of their inherent susceptibility to attack by bad actors, so these options aren't allowed for MFA logins.

And your direct question is also answered within that same FAQ:

How frequently must users provide a verification method when logging in directly to Salesforce products?

If you’re using Salesforce's MFA functionality, users must respond to an MFA challenge each time they log in to a Salesforce product. This applies to all logins, including those due to inactivity and expired sessions. The frequency of MFA challenges can’t be modified.

Can I automate or control how often the extra authentication step is required by Salesforce products to reduce impact to my users? To ensure that MFA is providing the intended protection, users must supply a verification method each time they log in directly to a Salesforce product. To reduce friction for users, we recommend using Salesforce Authenticator. The app can automate the extra authentication step when a user works from a trusted place, like the office or home — which means users don’t have to touch their phones when they log in from these locations.

As noted in that last quote/answer, the Salesforce Authenticator mobile app (and only this app) is recommended because it can reduce this friction with its ability to "auto" verify for you based on location, device, and IP. It requires you to turn on a couple of settings:

Within Setup --> Session Settings, check Let Salesforce Authenticator automatically verify identities using geolocation and, if you have trusted IP ranges, you can also check Let Salesforce Authenticator automatically verify identities based on trusted IP addresses only.

Within the Salesforce Authenticator app, under Settings --> Automation Settings, turn on Einstein Automation.

Once those are on, the functionality is noted in that doc to work as follows:

In the app, when you select Always verify from here, the next time you log in from the same computer (browser) and the phone is in the same location, your phone will respond automatically for you when all of these are the same in a repeated pattern of 3 or more times.

Note: If there are any differences (dynamic IPs, location, browser or device changes), the user will be prompted for a push notification again.
If you use a different authenticator app, you will need to enter the code every time, as the above won't apply or isn't supported currently.
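To make the distinction in the answer above concrete, here is a small simulation of the three login behaviours it describes: Device Activation (challenge only from an unrecognised browser or an IP outside a trusted range, any enrolled method allowed), MFA with a third-party TOTP app (a strong method prompted on every login, email/SMS rejected), and MFA with Salesforce Authenticator automation (still challenged every login, but the app answers automatically from a trusted IP or after a repeated browser-plus-location pattern). This is example code written for this page, not Salesforce's implementation; the `Policy`, `LoginContext` and `login` names are made up, the sample IPs and locations are constructed, and the "three identical logins before auto-verification kicks in, any change breaks the streak" rule is an assumed reading of the answer's summary of the docs.

```python
"""Simplified model of Device Activation vs MFA challenge decisions (illustrative only)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Method classes as described in the FAQ quoted above.
STRONG_METHODS = {"salesforce_authenticator", "totp_app", "security_key"}
WEAK_METHODS = {"email", "sms"}


@dataclass(frozen=True)
class LoginContext:
    user: str
    ip: str
    browser_id: str   # cookie/fingerprint identifying the browser (constructed value)
    location: str     # coarse geolocation reported by the phone (constructed value)
    method: str       # verification method enrolled for this user


@dataclass
class Policy:
    trusted_ranges: list          # CIDR strings, e.g. ["203.0.113.0/24"]
    mfa_enabled: bool
    # Session Settings toggles, paraphrased from the answer (assumed names)
    auto_verify_geolocation: bool = False
    auto_verify_trusted_ip: bool = False
    recognised_browsers: dict = field(default_factory=dict)  # user -> set(browser_id)
    history: dict = field(default_factory=dict)              # user -> [(browser_id, location)]

    def in_trusted_range(self, ip: str) -> bool:
        addr = ip_address(ip)
        return any(addr in ip_network(r) for r in self.trusted_ranges)

    def device_activation_challenge(self, ctx: LoginContext) -> str:
        """Device Activation: challenge only when the browser is unrecognised AND the IP is untrusted."""
        known = ctx.browser_id in self.recognised_browsers.get(ctx.user, set())
        if known or self.in_trusted_range(ctx.ip):
            return "none"
        # Any enrolled method, including email or SMS, is acceptable for this feature.
        return ctx.method

    def mfa_challenge(self, ctx: LoginContext) -> str:
        """MFA: a strong method on every login; email/SMS are not allowed at all."""
        if ctx.method in WEAK_METHODS:
            raise ValueError(f"{ctx.method} is not an allowed MFA verification method")
        if ctx.method != "salesforce_authenticator":
            return "prompt"   # third-party TOTP app: the user types a code every time
        # Salesforce Authenticator can answer the push for the user from a trusted IP ...
        if self.auto_verify_trusted_ip and self.in_trusted_range(ctx.ip):
            return "auto"
        # ... or once the same browser + phone location has repeated 3 or more times in a row.
        if self.auto_verify_geolocation:
            streak = 0
            for past in reversed(self.history.get(ctx.user, [])):
                if past != (ctx.browser_id, ctx.location):
                    break   # any change in browser or location breaks the pattern
                streak += 1
            if streak >= 3:
                return "auto"
        return "prompt"

    def login(self, ctx: LoginContext) -> str:
        """Return the challenge outcome ('none', 'prompt', 'auto' or a weak method name)
        and record this login so later decisions can see the pattern."""
        outcome = self.mfa_challenge(ctx) if self.mfa_enabled else self.device_activation_challenge(ctx)
        self.recognised_browsers.setdefault(ctx.user, set()).add(ctx.browser_id)
        self.history.setdefault(ctx.user, []).append((ctx.browser_id, ctx.location))
        return outcome


if __name__ == "__main__":
    mfa = Policy(trusted_ranges=["203.0.113.0/24"], mfa_enabled=True, auto_verify_geolocation=True)
    for n in range(1, 6):
        ctx = LoginContext("bob", "198.51.100.7", "br-9", "home", "salesforce_authenticator")
        print(f"login {n}: {mfa.login(ctx)}")
    print("same user, phone now elsewhere:",
          mfa.login(LoginContext("bob", "198.51.100.7", "br-9", "cafe", "salesforce_authenticator")))
```

Running the demo shows three prompts followed by automatic responses, then a prompt again as soon as the phone's location changes; swapping the method to `totp_app` yields `prompt` on every call, and `sms` raises, which is the whole point of the FAQ text above.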
