Posted in Salesforce Security

Say NO to Hacker by Salesforce 2FA

What is Authentication?

  • Authentication is how you prove to a system who you are in order to gain access. That means a valid user can get into the system, but the bad guy cannot.
  • It is made up of something you KNOW. That is something you have to remember.
    Ex: PIN number or password.
  • Or something you HAVE. That is something unique in your possession.
    Ex: ATM card or mobile phone.
  • Or something you ARE. That is biometrics.
    Ex: Retina scan or fingerprint.

Risk Based Authentication in Salesforce:

  • If a user tries to log in to the Salesforce org from an unrecognized device or browser, a verification code is sent via email or mobile (SMS) message. The Salesforce platform always performs what’s known as risk based authentication.
  • When users log in, Salesforce analyzes those logins, looking at their network location and whether or not it has seen their browser before.
  • One time passwords are sent via email or text message when Salesforce does not recognize the user’s network or browser.
  • We can view or adjust this information by browsing to Setup, Security Controls, Activations.
  • There you can see users’ activated networks and their activated browsers.
  • You can even delete them or remove them from the system.
  • In addition, you can provide input into risk based authentication by setting up Trusted networks via Setup, Security Controls, Network Access, or via profile based IP restrictions. Check here if you are new to setting Trusted IP Ranges.


Two Factor Authentication:

  • Combining any two of the three types of authentication is called Two Factor Authentication.
    Ex: password + phone authenticator app
  • Two factor authentication adds another layer of security by making you type in a second, temporary password.
  • It also builds on top of risk based authentication and introduces a few key capabilities.
  • The first is applications for mobile devices that are allowed to generate those OTPs (One Time Passwords).
  • There is no longer a dependency on email or SMS. You can generate a one time password directly from an app on your phone.


Setting Up Two-Factor Authentication:

  • As an Admin, you need to make all employees supply more than their username and password every time they try to access your Salesforce org.
  • Best practice is to create Permission Sets for those users you want to set up 2FA for every time they log in. Check the Permission Sets post if you are very new to this topic.
  • Typically, you create a permission set for a group of users. But for this example, we set it up for one user.
    • Log in again as the system administrator of your DE org.
    • From Setup, enter Permission in the Quick Find box, then select Permission Sets.
    • Click New.
    • Label the permission set “2fa Auth for User Logins”.
    • Click Save.
    • Under System, click System Permissions. Now you’re on the detail page for the 2fa Auth for User Logins permission set.
    • Click Edit.
    • Select Two-Factor Authentication for User Interface Logins.
    • Click Save.

[Screenshot] 2FA Auth permission set

  • Now, we have to assign the newly created Permission Set to the user we want to set up 2FA for. If you’re not on the detail page for your new permission set, navigate back there.
  • On the detail page of the new permission set, click Manage Assignments.
  • Click Add Assignments. On the list of users, select the check box next to the user’s account. (If you wanted, you could assign up to 1,000 users at a time.)
  • Click Assign.


  • Now when ‘Test User’ logs in to the Salesforce org, he/she will be prompted for Two Factor Authentication.


Connect the Salesforce Authenticator Mobile App to a User Account:

  • Log in as ‘Test User’ now by providing basic Single Factor Authentication, that is, Username and Password.
  • You will be redirected to the Email/Mobile SMS screen for Risk Based Authentication if Salesforce doesn’t recognize your device (the user is logging in to Salesforce for the first time on that device/browser).
  • After providing the correct Verification Code, you will be prompted with the screen below for Two Factor Authentication:
[Screenshot] Desktop: Connect Salesforce Authenticator
  • As displayed in the screen above, we first have to install the ‘Salesforce Authenticator’ app from the App Store or Google Play on the mobile device.
  • Once you have successfully installed the Salesforce Authenticator app on your mobile, you can get the verification code in 2 different ways:
    1. Get a Two-Word Phrase and click Connect
    2. Scan a QR Code or manually enter a key


Get a Two-Word Phrase:

  • Alright! We are there now. Open the ‘Salesforce Authenticator’ app on your mobile device.
  • You’ll see a + icon with the message Let’s get started! Connect your personal and work accounts to Authenticator.
  • Tap the + icon.
  • You’ll now see a Two-Word Phrase as below:
[Screenshot] Mobile: Two Word Phrase Screen
  • Now enter that two-word phrase (“actual chamber” in the screenshot) in the ‘Desktop: Connect Salesforce Authenticator’ screen above and click Connect.


Get a verification code by scanning QR Code:

  • Salesforce has another method for 2FA: scanning the QR Code displayed on the screen.
  • HOLD ON!!!! If you’re already logged in as ‘Test User’ in the Salesforce org, log out as ‘Test User’ before going through the process below.
  • Try to log in as ‘Test User’ again on your desktop. Provide Username & Password, and provide the verification code if Salesforce doesn’t recognize your device or network location (Risk Based Authentication).
  • Whew!! You’re back at the ‘Desktop: Connect Salesforce Authenticator’ screen.
  • This time click the ‘Choose Another Verification Method’ link.
  • You’ll be redirected to the page below. Choose ‘Use verification codes from an authenticator app’ and click Continue.
[Screenshot] Desktop: Choose a Verification Method
  • Now you will be redirected to the page below for scanning the QR Code with the mobile authenticator app.
[Screenshot] Desktop: QR Code Page
  • So, open the ‘Salesforce Authenticator’ app on your mobile device.
  • You’ll see a + icon with the message Let’s get started! Connect your personal and work accounts to Authenticator.
  • Do not tap the + icon.
  • This time, notice another option below it: ‘Or Scan QR Code’. See the ‘Mobile: Two Word Phrase Screen’ above.
  • Tap ‘Or Scan QR Code’. The app asks for permission to use the camera to scan the QR Code; tap Allow.
  • You’ll see the screen below with a red square box:
[Screenshot] Mobile: QR Code Scan Screen
  • That’s it! Scan the QR code displayed on the desktop with your Authenticator App.
  • The Salesforce Authenticator app will generate a 6-digit code, as below, for ‘Test User’. Now zoom in on the green circle displayed next to the code. This code is only valid for 30 seconds. Every 30 seconds the Salesforce Authenticator app generates a new, unique verification code. Isn’t that cool!


Get a verification code by manually entering key:

  • Okay. Sometimes you don’t want to allow your camera to scan the QR code. In that case, again, Salesforce has another alternative 🙂
  • This time you can enter a key into the Salesforce Authenticator app by hand.
  • If you’re already logged in as ‘Test User’ in the Salesforce org, log out as ‘Test User’ before going through the process below.
  • Try to log in as ‘Test User’ again on your desktop. Provide Username & Password, and provide the verification code if Salesforce doesn’t recognize your device or network location (Risk Based Authentication).
  • Whew!! You’re back at the ‘Desktop: Connect Salesforce Authenticator’ screen.
  • This time click the ‘Choose Another Verification Method’ link.
  • Choose ‘Use verification codes from an authenticator app’ and click Continue.
  • Now you will be redirected to the ‘Desktop: QR Code Page’ for scanning the QR Code with the mobile authenticator app.
  • Click the ‘I can’t scan the QR Code’ link below. You will be navigated to the page below showing the Key.

  • So, open the ‘Salesforce Authenticator’ app on your mobile device (imagine your mobile can’t go through the QR Code scanning process).
  • You’ll see the screen below. Tap the ‘Add Your First Key’ button.
  • A pop-up will display the options for adding an account, as below. Tap ‘Manually Add Account’.
  • Provide the Username and Key displayed on the desktop screen above.
  • Tap the Submit button. Whew!! You have the verification code now.

Set up Authentication Level based on policies:

  • Salesforce Identity doesn’t require you to enforce Two Factor Authentication only at login. It can also do this dynamically based on your Session Level.
  • First, navigate to Session Settings. You can see there is a new section called ‘Session Security Levels’.
  • There are 2 session levels within Salesforce: Standard Assurance and High Assurance sessions.
  • Using these session levels we can set fine-grained policies for accessing applications or for access to Reports and Dashboards.
  • For example, you can require a High Assurance session level to access Reports:
    • To set this, navigate to Setup > Customize > Reports & Dashboards > Access Policies
    • Click ‘High assurance session is required’ and select ‘Raise the session level to high assurance’
    • Click Save

Access Reports with user having Standard Assurance Level:

  • Log in to the Salesforce org as Admin.
  • Now, remove ‘Test User’ from the “2fa Auth for User Logins” Permission Set created above for Two Factor Authentication.
    • To do this, navigate to Setup > Manage Users > Permission Sets
    • Click the “2fa Auth for User Logins” Permission Set
    • Click the ‘Manage Assignments’ button
    • Select ‘Test User’ and click ‘Remove Assignment’
  • At this point, ‘Test User’ has only the Standard Assurance Level, that is, Username and Password.
  • Now log in as ‘Test User’ by giving Username and Password.
  • On successful login, ‘Test User’ is redirected to the Salesforce org.
  • Okay!! It’s time to click the ‘Reports’ tab.
  • You are redirected to the High Assurance page, woohoo!
  • Come on!! Open the Salesforce Authenticator app on your mobile, grab the time-based token and paste it in the verification code box here.
  • Click the Verify button. That’s it! You are able to access Reports and Dashboards now 🙂


References:
1. Securing Your Users’ Identity Trailhead
2. Ensuring Security with Two Factor Authentication Video


6 thoughts on “Say NO to Hacker by Salesforce 2FA”

  1. Great article! I’d also add that you can also set up your own second factor auth via login flows. Good if you want to use e.g. a Yubikey or have your own internal auth system.


    1. As far as I know, if an Admin has set up 2FA for you, then you have to use the Salesforce mobile app for generating the verification code. It’s just like the OTP used for online banking. But for testing purposes, you can use a Google Mobile Emulator. Best Emulators for PC

      Recently, one of my colleagues faced a problem with this 2FA while logging into a DE org. In this case, she is the only admin and she is not able to generate a Verification Code. Finally, thanks to Salesforce Support for resetting it; you can check here http://sforce.co/1OjZu6N
