Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Security

Salesforce To Require MFA For All Users Starting Next Month (therecord.media) 56

An anonymous reader writes: Salesforce, the world's largest customer relationship management platform, said that customers must have a form of multi-factor authentication (MFA) turned on starting next month, or they won't be able to access their accounts. "Beginning February 1, 2022, Salesforce will require customers to use MFA in order to access Salesforce products," the company said last month.

Salesforce said that users will be able to choose from using security keys, an authenticator app, or an OS biometrics systems to secure accounts. MFA solutions that rely on sending one-time passcodes via email, phone, or SMS messages won't be allowed "because these methods are inherently vulnerable to interception, spoofing, and other attacks," Salesforce explained.

"We encourage users to register multiple verification methods so they have a backup in case they forget or lose their primary method," the company added.
This discussion has been archived. No new comments can be posted.

Salesforce To Require MFA For All Users Starting Next Month

Comments Filter:
  • by CaptainLugnuts ( 2594663 ) on Saturday January 08, 2022 @05:43PM (#62156017)
    How badly can they fuck it up?
  • Admit it, we've lost
    • Sharing deterrence (Score:4, Informative)

      by spinitch ( 1033676 ) on Saturday January 08, 2022 @08:08PM (#62156283)
      MFA helps reduce unauthorized access including sharing of accounts. Easy to share a password but not so easy for a pin response. Sales people do not like spending time on data maintenance, they offload this work to sales admins , common clerical approach in various functions. SF is not inexpensive ubiquitous like email office apps. Though a few extra licenses is not going to make or break most businesses. The bad PR and potential liability from breaches though are costly. Having MFA shows modest effort to deter. More work for IT admins on MFA xfer but compared to the clusterFk of integrating SF with ERPs , CPMs minor.
      • Passwords have been a flawed authentication mechanism since its inception. Even back in the days of dial-up modems, places either did two tier passwords, dial-back (where the company's modem would dial your number after you logged in and hung up.) During the 80s and early 90s, one time passwords with S/KEY were used so at the minimum, a sniffed telnet connection wouldn't glean a password, while everything else was fair game.

        We have been lucky so far... but the gravy train of just using a password has ende

  • by stevegee58 ( 1179505 ) on Saturday January 08, 2022 @05:48PM (#62156029) Journal
    Oh. Never mind.
  • by nicolaiplum ( 169077 ) on Saturday January 08, 2022 @05:57PM (#62156037)

    Their claim in their announcement:

    "We encourage users to register multiple verification methods so they have a backup in case they forget or lose their primary method," the company added.

    Their actual documentation ( https://help.salesforce.com/s/... [salesforce.com] ):

    You can register all supported verification methods and use them to log in to Marketing Cloud. However, you can register only one method per verification method type at a time. For example, you could register a single authenticator app and a single security key.

    So you can't have the authenticator app on your phone and on your tablet, say, as a backup for when your phone dies or is stolen. That is not very useful, and it is a very common problem with MFA systems (Okta, for example, has the same limitation). They just don't understand that your backup may be a different instance of the same method.

    You can, of course, hack it by saving the authenticator app seed and using it to initialise several authenticator instances, but that is neither easy for the average user nor best practice because if someone can steal that seed from where you saved it then you're 0wned.

    • Comment removed based on user account deletion
      • Google Authenticator can generate a QR code that another instance of it can use to generate the same codes. I just used that feature to move my authenticators to a new phone -- they continue to work from the old phone as well.

        (After I did this, the app shows have a very prominent banner that codes were recently exported, protecting against someone trying to sneak them off. I'm not sure how long that will stay.)

    • They offer TOTP as one of the options. That can be registered easily with multiple devices, and the content can be backed up.

      Personally, I use Aegis, because it supported export/import before Google did.

    • At least they have two methods that are known and good... the standard TOTP authenticator app, and a FIDO key.

      I like "packing my own parachute" when it comes to an authenticator app, and using one that doesn't just sync among devices, but can back itself up, as well as export the FIDO shared secrets in plaintext, should I want to use a new app. A Yubikey or similar is also nice, just because you can configure the device to prompt for a PIN before giving access, thus creating CAC/PIV tier security.

      At least,

    • This is one reason why I tell people to not use Authy, Google Authenticator, or other 2FA managers where backing up and syncing isn't possible. In fact, I had a closed sync manager actually corrupt all my MFA seeds. An offline device in airplane mode saved me, and I was able to redo all my 2FA seeds.

      There are good 2FA managers which allow for syncing, backups, exports (so you can copy the seeds to other applications.) A few I've used: BitWarden, 1Password, Codebook, enPass, SafeInCloud, and for local st

  • by Anonymous Coward

    Interesting what types of MFA they are not allowing [salesforce.com]:

    Which verification methods satisfy the MFA requirement?

    Let’s start with verification methods that don’t satisfy the requirement, whether you’re using your SSO identity provider’s MFA services or Salesforce’s MFA for direct logins.

    o Delivering one-time passcodes via the following options isn’t allowed because these methods are inherently vulnerable to interception, spoofing, and other attacks.
    - Email messages
    - Text messages
    - Phone calls

    o Security questions

    o Used on their own, trusted devices, trusted networks, or VPN aren't adequate verification methods for the MFA requirement. (But when trusted devices and trusted networks are used in combination, you can achieve MFA and satisfy the requirement.)

  • scammers and spammers are a large portion of their "customers".

  • "We encourage users to register multiple verification methods so they have a backup in case they forget or lose their primary method," the company added

    If you, as a company, forget or lose your verification information, you have bigger problems. There should never be a time a company doesn't have its login information for any service. It should be stored in multiple locations with access by multiple people so it's available at all times.

    it's plain incompetency if this simple act isn't done.

    • Isn't that what an enterprise PAM is for? For example, if a company has a generic "admin" account used for services, for example, the MFA root user, having the user's password and 2FA seeds in something Devolutions Vault can be set to grant permissions to those who need it. For a small company, this could be as simple as 1Password, BitWarden, or LastPass.

    • I've wondered about some standard for recovering lost account info. It definitely wouldn't be one mechanism, but consist of a number of different ways with different weights. For example, one "absolute" way would be to send a registered mail with an auth code in it. Since receiving it requires not just picking it up, a physical ID, and a signature, it is as secure as one can get for a method. Or multiple ways, be it signing a random message with your GPG key and pasting it, a recovery code from a list,

      • I used to work for a big Swiss bank, and we used the registered mail technique for distribution of MFA tokens (well, activation keys printed on paper; same same, but diff).

        Now I work for a big but not as big Nordic bank, and up here we leverage the government ID system - which is administered by the banks. Same deal though - we require physical presence with ID in a branch or a letter sent to your address (though, off the top of my head, I donâ(TM)t know if we send it registered - I should check).

  • by fahrbot-bot ( 874524 ) on Saturday January 08, 2022 @06:26PM (#62156105)

    A Masters of Fine Arts? Seems like a weird requirement for their users. :-)

    • That's pretty good, but of course we all know this stands for Multi Failure Authentication. It's designed to maximize users contacting their supervisor or your IT team with constant problems logging in.
      • by kmoser ( 1469707 )
        Sounds like they should rename it MPA, for the Multiple Phishing Attempts that will be made against the IT team.
  • What ever happened to calling it 2fa?

    • What ever happened to calling it 2fa?

      Not Web3 enough.

    • It wasn't confusing enough. And before anybody defends that stupidity by saying "MFA can be more than 2FA", the phrase "requires 2FA" implies a minimum and that two or more factors would work. If they're requiring more than two, they could say NFA. until they reached the appropriate threshold of N but no(lots of Os)o. Let's overload a commonly used term so we can write headlines that look crazy.

      Oh, for the love of $diety, Slashdot. How does my post look like ASCII art? You've got actual nazi trolls tha

  • I guess I'm "old fashioned"? But my experience with 2FA/MFA is that it's just a huge headache for I.T. staff to support for the average users, and it gets hacked occasionally anyway. One of the big problems is, many users opt for SMS text PIN codes to be sent to their phone. It's the most obvious way to receive the code, since almost everyone knows how to get a text these days. But there are all sorts of ways to compromise that, up to and including tricking the phone carrier into porting your number over t

    • The point about shared accounts is actually a design feature of MFA, not a flaw. And the first point about improper implementations is⦠just that. Poorly implemented MFA.

  • It is about preventing people from sharing an account. Probably hit a growth ceiling and they are desperate to get more revenue.
  • The world is better off if fewer people can login and use Saleswhores.

  • MFA is the final nail in the coffin of online access to banks for me. It is FAR FAR faster and more convenient to get paper statements and scan and OCR them than it is to deal with banks' ridiculous TFA systems that invariably force you to end up calling customer service in India, wait on hold for 20 minutes, and then the moron at the other end can't figure out what's wrong anyway.

    • It is FAR FAR faster and more convenient to get paper statements and scan and OCR them than it is to deal with banks' ridiculous TFA systems that invariably force you to end up calling customer service in India, wait on hold for 20 minutes

      WTF is wrong with you. My own mother has no problems using MFA to login to online banking and this is a woman who one day asked me for help because the screen "wasn't working" on a computer she hadn't actually turned on.

      Most normal people can't even walk to the scanner in the time it takes to login via MFA.

  • As far as I understand, MFA is a trademark of Cisco. They have somehow implement the worst two factor authentication I have the displeasure of using. Microsoft and Google are positive user-friendly by comparison.

  • So let add 3 insecure MFA options. Hardware do to price, auth app do to OS and it being a phone app which are design for user tracking, or biometric which cant be change.
    I thought that MFA is suppose to make you more secure. Adding these make it seem less so
  • The Feb 1 2022 date is when SFDC requires MFA in their contracts/licenses with their customers; actual, physical enforcement in the customer environments actually starts much later. Companies that use some form of 'Single Sign On' in their corporate environment, and their SSO itself implements a flavor of MFA, can meet the requirement by extending SSO to their SFDC production orgs if they haven't done so already. It looks like one of the limitations of the SFDC setup, however, is that you can't prevent some

Ocean: A body of water occupying about two-thirds of a world made for man -- who has no gills. -- Ambrose Bierce

Working...