The purpose of this article is to explain what Multi Factor Authentication (MFA) is and how it benefits the Dealership as added security
What is Multi Factor Authentication (MFA) and what is it used for
The simple way to think of it is as additional protection that helps stop all sorts of malicious attackers from getting into systems
To do that, MFA makes you prove that you are who you say you are in more ways than one
Typically, the first proof is by providing the correct username and password
After that, you will be prompted to supply a second type of proof that is different than the first (ie not just another saved password - after all, if your first password was compromised, your second one might have been too!)
That second proof can be a scanned fingerprint or a time-sensitive code to type in or even a physical device you plug into your computer like a key. Each of these different forms of proof are a factor, which is why this security feature is called MFA
You may have heard of two-factor authentication (2FA) and are wondering if that’s different than MFA - understandably, a lot of people confuse the two:
- 2FA is simply - two forms of proof
- MFA is - two or more forms of proof
MFA tends to be a bit stricter about what counts as a different form of proof. A code texted to you after you’ve supplied a username and password is one of the most typical ways to handle 2FA, but a lot of MFA implementations doesn’t consider text messages secure enough to count as a valid second form of proof. That’s why you won’t see text messages mentioned anywhere else in this document
In essence, MFA is the cyber-security version of two pieces of ID please
Why do we need MFA in Blackpurl
Salesforce, which is the platform that Blackpurl operates on, is mandating that everyone who logs into a Salesforce organization MUST use multi factor authentication
MFA keeps customer data safe and that’s something we all definitely want
For our USA Dealerships, we also need to comply with the rules issued by the Federal Trade Commission (FTC) on protecting customer information
Further information can be sort from this link - FTC
What is important to note, as it says on the FTC page, is that Financial Institutions applies to a much broader group of companies than many would think
For us, that means that if a dealer does anything at all around allowing a customer to finance a sale, even if the dealer isn’t actually providing the financing (or lease a unit) then they are considered to be a Financial Institution under the definition
You can see on the list of obligations under Safeguard, MFA is listed
For the size exception to the Safeguard (under 5K customers) you can see that many of the requirements still apply (including MFA) This means that even our smaller dealerships are subject to them
Really though, this is just another reason why we deem MFA a mandatory feature – even if FTC Safeguards does not directly apply to your dealership (ie non USA or cash only), it just reinforces yet again how risky it is to operate your business without a foundational security precaution
That is why more and more software providers require it (ie SalesForce) to prevent data breaches and to limit the inevitable legal liability if a breach does occur
Which Authenticator to use
Once you are ready to setup your MFA, work out which authenticator your Dealership is going to use and have it ready to go
This is one part of the process that Blackpurl Support cannot assist with - if you are having issues with what authenticator to use, reach out to your IT
Your Dealership can use any of the authentication methods that are supported by your Salesforce products MFA functionality and whilst we do not recommend any particular Authenticator, these are a few that the Dealership (or your IT) can select from:
- Salesforce Authenticator mobile app (available on the App Store or Google Play)
- Time-based one-time passcode (TOTP) authenticator apps like Google Authenticator, Microsoft Authenticator or Authy (which can be downloaded on your mobile device or onto your desktop)
- Security keys that support WebAuthn or U2F, such as Ybico's Yubikey or Googles Titan Security Key
- Built-in authenticators such as Touch IF, Face ID or Windows Hello
Keep in mind that Blackpurl will be unable to support and/or assist with your setup and /or any issues with the Authenticator that your Dealership elects to use
If the Dealership is running into issues with the Authenticator then they will need to contact their IT
Enabling MFA for a user in Blackpurl
Please have your authenticator setup and ready to go
Dealerships will need to decide which authenticator they are going to use and have it setup
Setting up your authenticator is one part of the process that Blackpurl Support cannot assist with - if you are having issues setting up your authenticator, you will need to reach out to your IT team
Once you have your authenticator setup up, you need to enabling MFA for your users from System Settings > Users
There is a banner that will indicate that MFA is now available on your system but once you have enabled it, you will not be able to disable
To enable MFA for one of your users simply select the pencil icon to access the Edit licensed user screen and move the toggle from NO to YES
Don't forget to 
Further information on which Authenticator to use
We would suggest that your Dealership (or your IT) have your selected Authenticator organised prior to switching on the MFA in and ready to go
Your Dealership can use any of the authentication methods that are supported by your Salesforce products MFA functionality and whilst we do not recommend any particular Authenticator, these are a few that the Dealership (or your IT) can select from:
- Salesforce Authenticator mobile app (available on the App Store or Google Play)
- Time-based one-time passcode (TOTP) authenticator apps like Google Authenticator, Microsoft Authenticator or Authy (which can be downloaded on your mobile device or onto your desktop)
- Security keys that support WebAuthn or U2F, such as Ybico's Yubikey or Googles Titan Security Key
- Built-in authenticators such as Touch IF, Face ID or Windows Hello
Keep in mind that Blackpurl will be unable to support and/or assist with your setup and /or any issues with the Authenticator that your Dealership elects to use
If the Dealership is running into issues with the Authenticator then they will need to contact their IT
Salesforce Authenticator App
If you wish to use the Salesforce Authenticator App as your method of authentication the instructions below describe the user experience, please pass this information to your IT person:
Regular login screen:
Next the user will be prompted about the Salesforce Authenticator:
If the user has a smart device (phone or tablet) that they’re allowed to use at work, they can follow the instructions here to install the Salesforce Authenticator App. This is going to provide the most hassle-free experience for the user.
After installing the Salesforce Authenticator App, it should look like this:
After selecting "Add an Account"
Type the two word code from the app into the login screen (or use the Scan QR Code option by hitting “Choose Another Verification Method” at the bottom of the login screen):
After hitting connect, in the app, you should see something like this:
For all future logins now, after the user provides their username and password, they’ll get prompted with:
The notification they will receive on their device from the Salesforce Authenticator App and, tapping on it, they’ll see something like:
After a couple of approvals from the same location, assuming the Authenticator has been given the permission to see the user’s location, it will prompt the user with the “Always approve from this location” action
If the user toggles that on and hits ‘Approve’ one last time, the Authenticator will now auto-approve any login the user makes as long as they have they have the device with their Authenticator with them and they are at the location in question
Google Authenticator App
If you wish to use the Google Authenticator App as your method of authentication the instructions below describe the user experience, please pass this information to your IT person:
If you have SalesForce has auto enabled the SalesForce Authenticator but you wish to use the Google Authenticator App, please ask BP Support to disconnect the SalesForce Authenticator
Please note that we will not be turning off MFA - all we are doing is disconnecting the SalesForce Authenticator for you to setup the Google Authenticator App
Then the next time you log into Blackpurl, click on 
User selects ‘Use verification code from an authenticator app’ and clicks on the ‘Continue’ button
It opens a new screen to connect to the authenticator app and displays a QR code that User needs to scan from the mobile device using an authenticator app (Example - Google authenticator)
Now, on mobile device User needs to go to the Google authenticator app and click on the ‘+’ icon to add a new account where he will see an option to scan the QR code
User clicks on ‘Scan a QR code’ that adds the account in the authenticator app
An authentication code is displayed which is used when the User tries to login to Salesforce again
After successful verification of the code, User is logged in to Salesforce account
Using the Security Keys Method
Once MFA is enabled, on the next login this is the screen that should pop up for you to click on - Choose Another Verification Method
to finish the process
the Security Key will be verified as the MFA method on the account