Saturday, November 21, 2015

Salesforce: Two-Factor Authentication - 2FA

For Singapore residents, logging in to internet banking at a Singapore bank works like this: after the username and password are accepted, the system asks for a security token, generated by a hardware device or delivered by SMS, usually 6 or 8 digits long. This is one use of two-factor authentication (2FA), here in the form of a one-time password (OTP): a second factor that strengthens the login when a username and password alone are not secure enough.

For some organizations, two-factor authentication is mandatory. Can we do the same when logging in to Salesforce? Building two-factor authentication the way banks do costs a great deal, but on Salesforce it is free of charge: the feature is available out of the box in all editions. If you are an awesome admin, you can configure it in under an hour (not counting training and communication with your users), and no developer needs to write any code.

1. Setup
Enable Permission
Create a Permission Set, or edit a Profile, that grants the Two-Factor Authentication for User Interface Logins permission. Users with that profile, or assigned that permission set, will be required to enter a time-based one-time password (TOTP) after their username and password.

How does the user get this one-time password? The user needs to install an authenticator app on their smartphone; at the time of writing only iOS and Android phones are supported.

Install Authenticator app
Search for Salesforce Authenticator in the App Store (iOS) or Google Play (Android). The app includes a QR code reader, used on the first login to scan the QR code that registers your Salesforce account with the app.

2. Usage
First-time Login with Authenticator
Once the feature is active, Salesforce shows a QR code after the username and password are accepted; scan it with the Salesforce Authenticator app. If for some reason you cannot scan the QR code, click I Can't Scan the QR Code and enter the key manually.

In the Authenticator app, tap Add Your First Key to open the QR code reader and scan the QR code on the website. The app registers your Salesforce account and starts producing verification codes. Enter the current verification code from the app and click Connect. You are now logged in to Salesforce.

Summary of what happened in this step:
  • Mobile app: the Salesforce account is registered in the user's Authenticator app.
  • Salesforce: if you are an admin, or a user with the Manage Users permission, open the user's detail page and look at App Registration: One-Time Password Generator; a Disconnect link now appears there.

** note: once the username and password are accepted at this stage, Salesforce already records a successful login in the login history, even before the verification code is entered. A successful entry in the login history therefore does not by itself prove that the second factor was completed.

Next Login
After the username and password are accepted, the user is asked for a verification code, but there is no need to scan the QR code again, because the app on the phone is already linked to the Salesforce account. Open the app and it shows the current 6-digit verification code.

** note: at this stage there will be two entries in the user's login history: one when the username and password are accepted, and a second when the verification code is entered.
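To make concrete what the app on the phone and Salesforce each compute, here is an added example (mine, not Salesforce's or the Authenticator app's code). It assumes the app follows the standard TOTP scheme (RFC 6238: HMAC-SHA1 over a 30-second time step, 6 digits) and that the QR code carries an otpauth:// URI; the URI, account name and secret in the block are constructed for illustration, and the secret is the RFC test key so the codes can be checked against the published test vectors. The verifier class shows the two checks a server-side implementation needs: a small window for clock drift between phone and server, and rejection of a code whose time step has already been used.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample: the kind of otpauth:// URI an authenticator app reads
# from an enrolment QR code. Issuer, account and secret are made up here;
# the secret is the RFC 4226/6238 test key "12345678901234567890" in base32.
SAMPLE_URI = ("otpauth://totp/Salesforce:admin%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Salesforce"
              "&algorithm=SHA1&digits=6&period=30")


def decode_secret(text):
    """Turn a base32 secret (as typed via 'I Can't Scan the QR Code', spaces
    and lower case allowed) into raw key bytes."""
    s = text.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)          # restore base32 padding if stripped
    return base64.b32decode(s)


def parse_otpauth(uri):
    """Extract label, key bytes and parameters from an otpauth://totp URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = parse_qs(u.query)
    return {
        "label": unquote(u.path.lstrip("/")),
        "key": decode_secret(q["secret"][0]),
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
    }


def hotp(key, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer reduced modulo 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key, at=None, period=30, digits=6):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period).
    This is what the phone computes each time it shows a code."""
    at = time.time() if at is None else at
    return hotp(key, int(at) // period, digits)


class TotpVerifier:
    """Server-side check. Accepts codes from `window` adjacent time steps to
    tolerate clock drift, and never accepts a time step at or before the last
    one that succeeded, so a captured code cannot be replayed."""

    def __init__(self, key, period=30, digits=6, window=1):
        self.key, self.period, self.digits, self.window = key, period, digits, window
        self.last_counter = -1

    def verify(self, code, at=None):
        at = time.time() if at is None else at
        counter = int(at) // self.period
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self.last_counter:      # already used (or older): reject
                continue
            if hmac.compare_digest(hotp(self.key, c, self.digits), code):
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    reg = parse_otpauth(SAMPLE_URI)
    print("registered:", reg["label"])
    print("code right now:", totp(reg["key"], period=reg["period"], digits=reg["digits"]))
```

The `verify` loop uses `hmac.compare_digest` rather than `==` so the comparison time does not leak how many leading digits matched, and it advances `last_counter` only on success, so a wrong guess cannot lock out the real code for that step.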

3. Recovery
Suppose the user deletes the Authenticator app by accident, has a problem with the phone, or loses the phone.

In Salesforce
Only a user with the Manage Users permission can do this: open the user's detail page, find App Registration: One-Time Password Generator, and click Disconnect. This removes the registration (the Disconnect link disappears), and the user must re-register from the Authenticator app the next time they log in to Salesforce. Since whoever gets the registration disconnected can enrol their own phone, confirm the user's identity through another channel before clicking Disconnect.

On the mobile phone
Reinstall the Authenticator app and repeat the registration by tapping Add Your First Key as described above. As an admin, you will see the Disconnect link reappear on the user's detail page.

** if the app has been registered to other Salesforce accounts, swipe an account to the left to delete it. Swiping to the right copies the current code to the phone's clipboard, so you can paste it when logging in to Salesforce from the phone, including from the Salesforce1 mobile app.