SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Salesforce now requiring all users to implement MFA
Wed, 2nd Feb 2022

Customer cloud service company Salesforce has taken significant steps to bolster its security protocols by requiring all users to implement multi-factor authentication (MFA) to access its products, solutions, and platforms.

The move comes as sophisticated cyber attacks continue to cause widespread problems for SMBs and enterprises, and current username and password systems are not providing adequate security.

Common threats like phishing and credential stuffing are the most prominent, so users and companies need new technology to enhance their security. MFA methods such as physical security keys are now being utilised to ensure correct identification and verification, requiring a physical touch after plugging in or tapping on a device to log on to accounts.

One company that utilises key technology in this form is Yubico, with its YubiKey MFA platform. Launched in 2007, Yubico technology is widely seen as the gold standard when it comes to preventing account takeovers and data breaches. The company believes this new type of MFA is the future of data security, particularly with the rise in hybrid work situations and subsequent breach opportunities.

Methods such as SMS, one-time passcodes, and mobile authenticator apps are also crucial MFA tools that can be used to prevent cyber attacks and add an extra layer of protection.

This move by Salesforce is the latest in a trend of companies prioritising improvements to their cybersecurity infrastructure with MFA to better secure their customers, employees, and partners.

Google recently began auto-enrolling 150 million Google users in two-step verification and required 2 million YouTube creators to turn on the service.

In a possible sign of things to come on a global scale, the US Government has also put a policy in place to enforce strong MFA. Executive Order 14028 states that by 2024, SMS tokens and push notification authentication apps utilising one-time passcodes will no longer comply with US government requirements.

Salesforce senior vice president of identity product management Ian Glazer says customer security is a top priority, and having the right MFA tools is paramount to ensuring this is brought through all aspects of a business.

“At Salesforce, trust is our number one value, and protecting customer data is paramount,” he says.

“Driving adoption of strong MFA, the single best thing people and organizations can do to protect their user accounts and data, requires a range of MFA options, such as hardware keys. Through partnership with our customers to spread the use of MFA, we can make it much harder for common threats like phishing and credential stuffing to succeed.”

Salesforce has stated that it will avoid weak and outdated MFA and focus on intensive, modern and effective solutions. It supports phishing-resistant, FIDO-based security key authentication, and with its leadership there is hope that the adoption of modern and robust hardware authentication will accelerate significantly across the globe.