Two-Factor Authentication: Easy Setup, Major Impact by Marco Erzingher
1. Two-Factor Authentication:
Easy Setup, Major Impact
Marco Erzingher
Salesforce Consultant & Field Service Practice Manager
Westbrook
marco.erzingher@westbrook.co.uk
@MErzingher
2. About Me
Salesforce Consultant & Field Service Practice Manager at Westbrook
BA Politics (University of Sheffield)
4 years’ implementation experience
Certs: ADM201, Sales Cloud, Service Cloud, Developer & App Builder
Find me on:
Twitter: @MErzingher
LinkedIn: in/marcoerzingher
www.westbrook.co.uk/blogs
4. Forward-Looking Statements
Statement under the Private Securities Litigation Reform Act of 1995:
This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties materialize or if any
of the assumptions proves incorrect, the results of salesforce.com, inc. could differ materially from the results expressed or implied by the forward-looking
statements we make. All statements other than statements of historical fact could be deemed forward-looking, including any projections of product or
service availability, subscriber growth, earnings, revenues, or other financial items and any statements regarding strategies or plans of management for
future operations, statements of belief, any statements concerning new, planned, or upgraded services or technology developments and customer contracts
or use of our services.
The risks and uncertainties referred to above include – but are not limited to – risks associated with developing and delivering new functionality for our
service, new products and services, our new business model, our past operating losses, possible fluctuations in our operating results and rate of growth,
interruptions or delays in our Web hosting, breach of our security measures, the outcome of any litigation, risks associated with completed and any possible
mergers and acquisitions, the immature market in which we operate, our relatively limited operating history, our ability to expand, retain, and motivate our
employees and manage our growth, new releases of our service and successful customer deployment, our limited history reselling non-salesforce.com
products, and utilization and selling to larger enterprise customers. Further information on potential factors that could affect the financial results of
salesforce.com, inc. is included in our annual report on Form 10-K for the most recent fiscal year and in our quarterly report on Form 10-Q for the most
recent fiscal quarter. These documents and others containing important disclosures are available on the SEC Filings section of the Investor Information
section of our Web site.
Any unreleased services or features referenced in this or other presentations, press releases or public statements are not currently available and may not
be delivered on time or at all. Customers who purchase our services should make the purchase decisions based upon features that are currently available.
Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements.
5. Overview
What is Two-Factor Authentication?
2FA in Salesforce – A Brief History
How-To Demo
Roll-out Strategy
Additional Resources
Questions
6. Key Takeaways
You will:
Be able to explain why you should be implementing a two-factor authentication solution
Be able to set up the Salesforce Authenticator mobile app
Be able to develop and execute an effective roll-out strategy
7. What is 2FA?
An additional dynamic layer of security
“Is that you?”
Much more secure than ‘not so secret’ questions
Prevent those dreaded shared logins
9. Two-Factor Fear Factor
Common arguments against 2FA:
“Won’t it ruin our User Experience?”
“It will be too complex and too time consuming”
“It’s not a priority for this year’s budget”
“We just don’t need it”
10. 2FA in Salesforce – Before
How a solution used to look (flow diagram; elements in order):
Record Create: Create Record
Record Lookup: Logged in User Email Address
Record Lookup: Get Security Token
Send Email: Email Security Token
Screen: Enter Security Token
Decision: Verify Security Code (the “No” branch returns to the Screen)
Record Delete: Record Delete
12. Salesforce Authenticator v2.0
Turn your device into a two-factor authentication tool
One Tap Approval
Trusted Location Detection
13. How-To
User
- Register the Salesforce Authenticator mobile app
Permission Set
- Enable the “Two-Factor Authentication for User Interface Logins” system permission
14. Step 1
App Setup
Navigate to the User record
App Registration: Salesforce Authenticator > Connect
Download and open the Salesforce Authenticator app on your mobile device and select ‘Add Account’
Enter the generated phrase into the connection page
16. Roll-out Strategy
Learn > Launch > Iterate
Learn:
Do I know all I need to?
How do I make people aware?
Launch:
Who to target first?
Iterate:
How are people finding it?
Welcome everyone and thanks for choosing to attend this session
Degree obviously extremely useful day to day in Salesforce consultancy
5x certified
Credit team at Westbrook for opportunity to be here speaking
Key Takeaway: We are a publicly traded company. Please make your buying decisions only on the products commercially available from Salesforce.
Talk Track:
Before I begin, just a quick note that when considering future developments, whether by us or with any other solution provider, you should always base your purchasing decisions on what is currently available.
What I am going to cover is the kind of solution every admin loves as it ticks all the boxes: it’s simple, extremely effective, it’s out-of-the-box config, and it’s scalable
Key content of this session will be a demo of how to set up two-factor authentication in Salesforce but we will also look at…
What actually is two-factor authentication - or 2FA - and why should you be thinking about it
How has the offering in salesforce changed in recent years
And importantly - what strategy should I use to roll-out a 2FA solution across my company
As an admin you will be able to return to your companies and…..
2FA is essentially a way to make your system ask ‘is that really you?’ every time you enter your username and password
The response to this question should be something unique that only you are in possession of
Should not be something static, i.e. something someone else can learn or access
Means someone having your username and password is no longer enough to access your data
Classic 2FA would be the example you see on the screen
Your password is the first factor
Verification code is the second
A good example is online banking….password and code generated by card reader
“Who here currently has an active 2FA solution on their system?”
We will come back to the first three, but I just want to touch on the last one right now, the idea that “We don’t need it”. Scenario: a salesperson leaves for another company, so you deactivate their user and think that’s that. But what if they know a colleague’s password? They can log in and see leads, contact data, etc. With 2FA in place the password alone is not enough, and the attempt is surfaced, because the colleague is asked to approve a login they did not make.
To a certain extent the fears around user experience and complexity were valid….
An out-of-the-box solution used to involve:
- a custom object to house 2FA PIN records
- some formulas to create unique PIN values
- an 8-step process flow to send and verify the PIN upon user login
- a login flow to tie it to profiles
As a user I would log in, get to a holding page, have to go refresh email to get the code, enter it in the page
If you wanted an sms or push notification instead of an email we are talking apex, integration and a definite increase in cost
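The old eight-element flow, written out as plain logic so the checks it has to get right are visible. This is an added illustration, not the original flow or any Salesforce code: the in-memory dict stands in for the custom object, `send_email` for the Send Email element, and the five-minute lifetime and three-attempt limit are assumptions the deck does not state. It also swaps the formula-generated PIN for a CSPRNG, since Salesforce formula fields have no random function and a PIN computed from record fields is predictable from them, and it adds expiry, single use, guess limiting and a constant-time comparison, which are the checks a home-built second factor most often misses.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Policy values are assumptions for this example; the original flow did not state them.
PIN_TTL_SECONDS = 300   # an emailed code is only valid for five minutes
MAX_ATTEMPTS = 3        # after three wrong guesses the code is discarded and a new login is needed


@dataclass
class PinRecord:
    """Stand-in for one record of the custom object that housed the 2FA PINs."""
    username: str
    email: str
    pin: str
    issued_at: float
    attempts: int = 0


class EmailPinFlow:
    """The old flow as plain logic: create record, look up email, send, screen, verify, delete."""

    def __init__(self, directory: Dict[str, str], send_email: Callable[[str, str], None],
                 now: Callable[[], float] = time.time):
        self.directory = directory      # username -> email: the "Logged in User Email Address" lookup
        self.send_email = send_email    # the Send Email element
        self.now = now                  # injectable clock so expiry can be tested
        self.records: Dict[str, PinRecord] = {}   # the custom object, keyed by username

    def issue(self, username: str) -> None:
        """Record Create + Record Lookups + Send Email."""
        # A formula field cannot produce randomness, so the PIN comes from the OS CSPRNG.
        pin = f"{secrets.randbelow(10 ** 6):06d}"
        email = self.directory[username]
        self.records[username] = PinRecord(username, email, pin, self.now())
        self.send_email(email, f"Your Salesforce login code is {pin}")

    def verify(self, username: str, submitted: str) -> bool:
        """Screen + Decision + Record Delete: time-limited, guess-limited, single use, constant-time compare."""
        rec: Optional[PinRecord] = self.records.get(username)
        if rec is None:
            return False
        if self.now() - rec.issued_at > PIN_TTL_SECONDS:
            del self.records[username]          # expired: force a fresh code
            return False
        rec.attempts += 1
        ok = hmac.compare_digest(rec.pin.encode(), submitted.encode())
        if ok or rec.attempts >= MAX_ATTEMPTS:
            del self.records[username]          # used once, or too many guesses
        return ok


if __name__ == "__main__":
    outbox = []
    flow = EmailPinFlow({"alice": "alice@example.com"}, lambda to, body: outbox.append((to, body)))
    flow.issue("alice")
    code = outbox[-1][1].split()[-1]            # what the user reads from the email
    print(flow.verify("alice", code), flow.verify("alice", code))   # True, then False (single use)
```

Without the attempt limit a six-digit PIN that stays valid for minutes is brute-forceable through the screen element, and without the delete-on-success the same emailed code works for anyone who can read the user’s mailbox later; both are easy to overlook when the flow is assembled from clicks rather than written down.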
It’s 2016 and we live in a world where I have apps to plan journeys, video chat with friends around the world and even catch Pokémon in my own home, so obviously now there is an app for two-factor authentication too!
A mobile app for android or apple devices
Completely redesigned and rebuilt in Spring ’16
App sends a push notification to your device with the service, device and username details of any login attempt
you simply respond with a tap to approve or reject
Can even use your GPS to automatically verify if it is a trusted location or not
Really easy to setup – little more than a few clicks
Can even be used for other accounts such as email or social media
No code, only config!
Enough theory – let’s dive into an org and do some hands on build
Explain the difference between the two settings:
“Two-Factor Authentication for API Logins”: e.g. Data Loader
“Two-Factor Authentication for User Interface Logins”: e.g. Salesforce in the browser or Salesforce1
Why a permission set and not just change a profile?
Can be attributed to users with Standard Profiles which you cannot customise
Easier to scale and maintain as all in one place – checking the assignment on a permission set vs checking all profiles!
Can be more precise and specific when rolling out
Learn: Do I know enough to make an informed decision? Does my company know to expect a change?
Who to target:
- Which department has most sensitive data? Healthcare, finance….
Which users are most at risk? Travelling sales people, users with multiple devices
Iterate: surveys on user experience, report to senior team, reports and dashboards etc
Trailhead – some really useful notes as well as a challenge to complete so a great resource
Youtube – good first stop with videos to demo functionality
help.salesforce.com – has all the info you could need about 2FA, the salesforce authenticator app and setup steps