MFA & Identity Verification in Salesforce Communities

Salesforce is a fantastic platform to bring together all types of users — technology, business, partners, and customers. Since many businesses already use Salesforce, it provides a low-code solution without adding yet another platform to the enterprise. Sales and other business units love Salesforce, so engagement and adoption couldn’t be better. Also, Einstein Analytics provides the eye candy that users are gaga over.

However, Salesforce is not without its challenges and frustrations. For me, the biggest frustration has been with Identity Verification and Multi-factor Authentication (MFA) in Customer Communities. One of the biggest advantages of using low-code solutions is that you don’t have to worry about commodity logic like Identity Verification and MFA, so that’s why it’s been so frustrating.

First, let’s talk about what Identity Verification and MFA are and how Salesforce handles them. Identity Verification links a real/physical user to her digital account. Identity Verification is usually part of the user registration/onboarding process. It reduces the likelihood that a hacker can access an account simply by having access to the invitation link in the welcome email. Simple Identity Verification involves something like asking a user to verify her phone number on record. Complex Identity Verification involves something like credit bureau questions (e.g. At which of the following addresses have you lived?).

While Identity Verification is usually part of the user registration process, MFA is part of the login authentication process. Authentication is the process of proving that a user’s login request is real and not fraudulent. MFA makes authentication more secure by verifying another “factor” other than user credentials. MFA reduces the likelihood that a hacker can access an account simply by knowing a user’s credentials. Common methods of MFA include SMS/text message, authenticator app, and U2F keys.

Salesforce’s implementation of Identity Verification and MFA is limited and flawed. Salesforce’s Identity Verification only offers two options — verify the email address on record or verify the mobile number on record. Salesforce should offer a way to verify user input against a user record field other than Mobile Number. For example, Salesforce should offer a way to verify user input against a custom field like SSN or date of birth. Salesforce should also offer advanced, credit bureau identity verification services via the AppExchange. I see that Onfido is in the AppExchange, but I would be surprised if it works as expected with Customer Communities. Even if it did work as expected, it wouldn’t be suitable for my user population.

Here’s how Salesforce’s Identity Verification works. In order for Salesforce to use SMS verification, the number in the User record Mobile Number field needs to be in the exact format of “+1 2223334444”. Also, an administrator needs to enter the number (technically, the “Admin Trusted Mobile Number” flag needs to be set). Salesforce’s mobile number verification takes precedence over email address verification. In other words, Salesforce will prompt for mobile number verification if a mobile number is on record. Otherwise, Salesforce will prompt for email verification. Email verification doesn’t provide much value though because the user implicitly verifies her email address by clicking the invitation link in the welcome email.

Salesforce’s Identity Verification doesn’t work as expected either. Here’s how Identity Verification should work — Salesforce should only prompt for Identity Verification during user registration. Therefore, Identity Verification should be a one-time event (Identity Verification might also be considered for high-risk transactions, like financial distributions). Also, Salesforce should prompt for Identity Verification before MFA setup. There is no sense in setting up MFA if a user cannot verify her identity.

Here’s how Salesforce’s Identity Verification actually works — If MFA is not enabled, Salesforce does not prompt the user for Identity Verification during user registration. If MFA is enabled, Salesforce prompts for Identity Verification but not until after MFA setup.

It seems that Salesforce has confused Identity Verification with MFA. Salesforce only prompts for Identity Verification upon a new session (e.g. using a new device or browser). In this way, Salesforce’s Identity Verification acts more like MFA than true Identity Verification. Similarly, upon using a new session, Salesforce displays the “Don’t ask again” checkbox on the Identity Verification screen. Thus, Salesforce is confusing Identity Verification with MFA because “Don’t ask again” should only be used for MFA where “Enable Device Activation” is configured.

Like Identity Verification, Salesforce’s MFA only offers two options — authenticator apps and U2F keys. You might even say that Salesforce only offers one MFA option, which is the Salesforce Authenticator app. The options for other authenticator apps and U2F keys are hidden. This is unfortunate because Salesforce Authenticator is a bit confusing since it prompts users for a mobile number for backup. Users think, “If I am already using my phone, why are you prompting me for my mobile number?” The confusion gets worse when Salesforce also prompts for mobile number identity verification. Users think, “Why am I being asked to verify my mobile number twice?”

The biggest gap in Salesforce’s MFA options is that SMS is not an option. I know that SMS is not the most secure MFA option, but it’s better than nothing. Given my user population, enforcing an authenticator app would be impractical. Users should have a choice whether to use SMS, an authenticator app, or a U2F key. Users should also be able to change their MFA methods.

Salesforce’s MFA doesn’t work as expected either. With “Enable Device Activation” configured, Salesforce should display “Don’t ask again” on all MFA challenge screens. In practice, Salesforce only displays the “Don’t ask again” checkbox upon using a new session. So, a user is stuck with the MFA challenge upon every login until she uses a new browser or device.

The beauty of SaaS and low-code services is that they are always improving. Salesforce has shown great promise with their Einstein Analytics product, so I am optimistic that they’ll get these Identity Verification and MFA issues resolved. Keep your fingers crossed!

Passionate about Software Engineering, Finance, and the technology tools that help us in those endeavors.