For some organizations, two-factor authentication is required. But can we have 2FA when logging in to Salesforce.com? Building two-factor authentication the way banks do would cost a great deal of money and time, but implementing it on Salesforce.com is free of charge: Salesforce has this feature out of the box for all editions. If you are an awesome admin, you can configure it in less than an hour (not including training or communication with your users), and you do not need a developer to write any code.
Create a Permission Set, or enable on a Profile, the "Two-Factor Authentication for User Interface Logins" permission. Users assigned this profile or added to this permission set will be required to enter a time-based one-time password.
How will the user receive this one-time password? Instead of SMS, the user needs to install the Salesforce Authenticator app on their smartphone as a trusted device linked to their Salesforce account; for now only iOS and Android phones are supported.
Install Salesforce Authenticator app
Search for Salesforce Authenticator in the App Store for iOS devices or in Google Play for Android devices.
First Login after Setup
When the user logs in to Salesforce.com for the first time after the permission is granted, the user needs to enter a two-word phrase.
Open the Authenticator app on your smartphone, tap + New Account, enter the phrase shown in the app into the Salesforce Connect page, then click the Connect button. Then also tap the Connect button in the app. Salesforce will email you that a new verification method was added to your account.
Once verified, the admin or user can check the user detail page: the link next to App Registration: Salesforce Authenticator has changed from Connect to Disconnect.
If you have access to multiple logins, the mobile app can handle multiple logins on the same device; swipe an account to the left to delete it.
After successfully entering username and password, the user is presented with a screen telling them to use the Authenticator app on their phone to approve the login to Salesforce.
Tap the Approve button in the phone app to continue; once approved, this automatically logs you in to Salesforce.com.
1. Open Salesforce.com from login.salesforce.com (or your custom My Domain)
2. Enter username and password, then Log In
3. Approve from your device with the Authenticator app
- after entering username and password successfully, Salesforce will challenge for approval from the device; in the login history this step shows as "two-factor required".
- after approving from the device, the login history will show "Success".
- Salesforce will wait 90 seconds; otherwise it will tell you "We canceled your request because we didn't receive your approval within 90 seconds".
- If for some reason you can't approve from the device, you can change the verification method to use a code from the Authenticator app.
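The login history statuses and the 90-second approval window described above are what an admin can audit. The script below is an added example, not from this post or from Salesforce: it reads a constructed Login History export (the column layout is an assumption; only Username, Login Time and Status are used) and reports, per user, challenges that were approved, challenges that timed out, and password-only logins that never saw a "Two-Factor Required" row (a sign the user is not covered by the profile or permission set).

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample of a Setup > Login History export. Column layout is an
# assumption; only Username, Login Time and Status are used below.
SAMPLE_LOGIN_HISTORY = """\
Username,Login Time,Source IP,Status
alice@example.com,2/28/2017 9:00:00 AM,203.0.113.10,Two-Factor Required
alice@example.com,2/28/2017 9:00:31 AM,203.0.113.10,Success
bob@example.com,2/28/2017 9:05:00 AM,198.51.100.7,Two-Factor Required
bob@example.com,2/28/2017 9:07:10 AM,198.51.100.7,Two-Factor Required
carol@example.com,2/28/2017 9:10:00 AM,192.0.2.44,Success
"""

APPROVAL_WINDOW = timedelta(seconds=90)   # Salesforce cancels after 90 s
TIME_FORMAT = "%m/%d/%Y %I:%M:%S %p"      # assumed export timestamp format


def audit_two_factor(export_text):
    """Pair each "Two-Factor Required" row with a later "Success" row from the
    same user inside the 90 second window and count, per user, approved
    challenges, timed-out challenges and password-only (no challenge) logins."""
    rows = sorted(csv.DictReader(io.StringIO(export_text)),
                  key=lambda r: datetime.strptime(r["Login Time"], TIME_FORMAT))
    pending = {}   # username -> time of the outstanding, unapproved challenge
    report = {}
    for row in rows:
        user = row["Username"]
        when = datetime.strptime(row["Login Time"], TIME_FORMAT)
        stats = report.setdefault(user, {"approved": 0, "timed_out": 0, "no_2fa": 0})
        if row["Status"] == "Two-Factor Required":
            if user in pending:            # earlier challenge was never approved
                stats["timed_out"] += 1
            pending[user] = when
        elif row["Status"] == "Success":
            started = pending.pop(user, None)
            if started is not None and when - started <= APPROVAL_WINDOW:
                stats["approved"] += 1     # device approval inside the window
            else:
                if started is not None:    # approval came too late to count
                    stats["timed_out"] += 1
                stats["no_2fa"] += 1       # Success with no matching challenge
    for user in pending:                   # challenges still open at end of export
        report[user]["timed_out"] += 1
    return report


if __name__ == "__main__":
    for user, stats in audit_two_factor(SAMPLE_LOGIN_HISTORY).items():
        print(user, stats)
```

Users whose rows show only "no_2fa" are the ones to check against the profile or permission set assignment.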
Let's say the user deletes the Authenticator app accidentally, has an issue with the mobile phone, or loses the phone.
Only a user with the Manage Users permission can do this: go to the user detail page and look for App Registration: One-Time Password Generator, then click the Disconnect link; this will remove the Disconnect link. The user needs to re-register from the Authenticator app when logging in to Salesforce.com.
On the mobile phone
Re-install the Authenticator app and redo the registration process as above. As admin, you will notice the Disconnect link reappear in the user detail page after the user successfully re-registers their device.
Last update: 28 Feb 2017 with Spring '17 release and using Salesforce Authenticator app version 2.8.0 on iOS.