The purpose of this article is to explain what Multi Factor Authentication (MFA) is and how it benefits the Dealership as added security
By the end of 2023 Multi-factor Authentication (MFA) will become mandatory for all user logins in order to gain access to Blackpurl. Prior to this you can optionally start enabling MFA for your user logins
What is Multi Factor Authentication (MFA) and what is it used for
The simple way to think of it is as additional protection that helps stop all sorts of malicious attackers from getting into systems. To do that, MFA makes you prove that you are who you say you are in more ways than one
Typically, the first “proof” is by providing the correct username and password. After that, you’re prompted to supply a second type of proof that’s different than the first (ie not just another saved password - after all, if your first password was compromised, your second one might have been too!)
That second "proof" can be a scanned fingerprint or a time-sensitive code to type in or even a physical device you plug into your computer like a key. Each of these different forms of proof are a “factor”, which is why this security feature is called MFA
You may have heard of two-factor authentication (2FA) and are wondering if that’s different than MFA - understandably, a lot of people confuse the two:
- 2FA is simply “two forms of proof”
- MFA is “two or more forms of proof”
MFA tends to be a bit stricter about what counts as a different form of proof. A code texted to you after you’ve supplied a username and password is one of the most typical ways to handle 2FA, but a lot of MFA implementations (including Salesforce’s) doesn’t consider text messages secure enough to count as a valid second form of proof. That’s why you won’t see text messages mentioned anywhere else in this document
In essence, MFA is the cyber-security version of “two pieces of ID please”
Why do we need MFA Support in Blackpurl
Salesforce, which Blackpurl operates on, now mandates (but does not yet enforce) that everyone who logs into a Salesforce organization MUST use multi factor authentication
This mandate will lead to Salesforce auto-enabling MFA for users (ETA Jan to June 2023) and eventually “full enforcement” in the second half of September 2023
We need to make sure we have full MFA support in Blackpurl before then, especially since this can be quite a different experience for some users. We don’t want them feeling backed into a corner or surprised at the last moment
Additionally, MFA is a great feature to have and there’s a good reason why all sorts of business, including Salesforce, are mandating it. MFA keeps customer data safe and that’s something we definitely want.
Enabling MFA for a user in Blackpurl
Dealerships now have the ability to start enabling MFA for your users from System Settings > Users
There is a banner that will indicate that MFA is now available on your system but at the moment you still have the option of enabling or disabling per user
To enable MFA for one of your users simply select the pencil icon to access the Edit User screen and move the toggle from NO to YES
What is the end user’s first time login experience after MFA is enabled for them
You can use any of the authentication methods that are supported by your Salesforce products MFA functionality which are:
- Salesforce Authenticator mobile app (available on the App Store or Google Play)
- Time-based one-time passcode (TOTP) authenticator apps like Google Authenticator, Microsoft Authenticator or Authy
- Security keys that support WebAuthn or U2F, such as Ybico's Yubikey or Googles Titan Security Key
- Built-in authenticators such as Touch IF, Face ID or Windows Hello
If you wish to use the Salesforce Authenticator App as your method of authentication the instructions below describe the user experience:
Regular login screen:
Next the user will be prompted about the Salesforce Authenticator:
If the user has a smart device (phone or tablet) that they’re allowed to use at work, they can follow the instructions here to install the Salesforce Authenticator App. This is going to provide the most hassle-free experience for the user.
After installing the Salesforce Authenticator App, it should look like this:
After selecting "Add an Account"
Type the two word code from the app into the login screen (or use the Scan QR Code option by hitting “Choose Another Verification Method” at the bottom of the login screen):
After hitting connect, in the app, you should see something like this:
For all future logins now, after the user provides their username and password, they’ll get prompted with:
The notification they will receive on their device from the Salesforce Authenticator App and, tapping on it, they’ll see something like:
After a couple of approvals from the same location, assuming the Authenticator has been given the permission to see the user’s location, it will prompt the user with the “Always approve from this location” action
If the user toggles that on and hits ‘Approve’ one last time, the Authenticator will now auto-approve any login the user makes as long as they have they have the device with their Authenticator with them and they are at the location in question