Salesforce Authenticator explained
Salesforce Authenticator is a mobile authenticator app that enhances the security of the login process by adding an additional layer of protection. Salesforce Authenticator verifies a user's identity by sending a push notification that displays details about the login request (including service, device, and location) on the user's registered mobile device. The notification prompts the user to accept or deny the login attempt or any other action requiring authentication.
By leveraging the convenience of a mobile app, Salesforce Authenticator offers a user-friendly approach to verifying user identities. Push verification is designed to sit on top of the password as a second factor, and it is a stronger option than SMS-based two-factor authentication (2FA), whose codes can be intercepted through SIM swapping or phishing.
How does Salesforce Authenticator work?
Initiation: When a user tries to log in to a service that's integrated with Salesforce Authenticator, the login request is sent to the Salesforce authentication server.
Push notification: The server sends a push notification to the Salesforce Authenticator app on the user's registered mobile device.
User interaction: The notification shows the details of the login attempt (service, device, and location). The user reviews them and taps Approve or Deny; the response is sent back to the server.
Verification and access management: The server verifies that the response belongs to the pending request and came from the registered device. If the request was approved, the user is granted access; otherwise, it is blocked.
Fig. 1: Flow diagram of Salesforce authentication.
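The four steps above describe a request/response exchange. The Python below is an added model of that exchange, written for this page; it is not Salesforce's protocol and not ADSelfService Plus code. It assumes a per-device secret established at enrolment and an HMAC tag that binds the user's decision to the request ID, and it makes explicit the server-side checks the prose leaves implicit: the response must reference a pending request, the request must not have expired, it can be consumed only once, and the tag must come from the registered device.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def sign_response(device_key: bytes, request_id: str, decision: str) -> str:
    # Assumed design: the app tags its answer with an HMAC over (request ID, decision),
    # so an "approve" cannot be replayed or redirected to a different login attempt.
    return hmac.new(device_key, f"{request_id}:{decision}".encode(), hashlib.sha256).hexdigest()


@dataclass
class PushRequest:
    request_id: str
    user: str
    details: dict        # service, device, location: what the user sees on the phone
    expires_at: float    # unix time after which the prompt is dead
    status: str = "pending"   # pending | approved | denied | expired


class AuthServer:
    """Server side of the push flow (illustrative, not Salesforce's implementation)."""

    def __init__(self, ttl_seconds: float = 120.0):
        self.ttl = ttl_seconds
        self.device_keys = {}   # user -> secret shared with the registered device at enrolment
        self.requests = {}      # request_id -> PushRequest

    def enroll(self, user: str, device_key: bytes) -> None:
        self.device_keys[user] = device_key

    def initiate(self, user: str, service: str, device: str, location: str, now: float) -> PushRequest:
        req = PushRequest(secrets.token_hex(16), user,
                          {"service": service, "device": device, "location": location},
                          now + self.ttl)
        self.requests[req.request_id] = req
        return req

    def complete(self, request_id: str, decision: str, tag: str, now: float) -> str:
        req = self.requests.get(request_id)
        if req is None:
            return "unknown_request"
        if req.status != "pending":           # single use: a captured approval cannot be resent
            return "already_used"
        if now > req.expires_at:              # stale prompts are never honoured
            req.status = "expired"
            return "expired"
        expected = sign_response(self.device_keys[req.user], request_id, decision)
        if decision not in ("approve", "deny") or not hmac.compare_digest(expected, tag):
            return "bad_signature"            # not from the registered device, or decision tampered
        req.status = "approved" if decision == "approve" else "denied"
        return req.status


class AuthenticatorApp:
    """Device side: shows req.details to the user and signs whatever they decide."""

    def __init__(self, device_key: bytes):
        self.device_key = device_key

    def respond(self, req: PushRequest, approve: bool):
        decision = "approve" if approve else "deny"
        return decision, sign_response(self.device_key, req.request_id, decision)


def demo():
    server = AuthServer()
    key = secrets.token_bytes(32)
    server.enroll("alice", key)
    app = AuthenticatorApp(key)
    req = server.initiate("alice", "Salesforce", "Chrome on Windows", "Chennai, IN", now=1000.0)
    decision, tag = app.respond(req, approve=True)
    first = server.complete(req.request_id, decision, tag, now=1010.0)
    replay = server.complete(req.request_id, decision, tag, now=1011.0)
    return first, replay   # ("approved", "already_used")
```

The details dictionary is what makes the "deny suspicious requests" advantage real: if the app did not show service, device and location, the user would have nothing to compare against their own action.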
Advantages of using Salesforce Authenticator
Convenience: Approving or denying a login request requires just a tap, which makes it more convenient and quicker than entering a password or code.
Offline access: Generates a time-based one-time password (TOTP) on the device itself, so the user can still type a code when the phone has no internet connection (the push channel needs connectivity; the TOTP does not).
Accessibility: Eliminates the need for physical tokens or security keys—all that's required is a smartphone or mobile device.
Reduced fraud: Showing the service, device, and location of each request lets the user recognize and deny attempts they did not make, which defeats an attacker who holds only a stolen password. Push approval is not phishing-resistant in the way FIDO2/WebAuthn security keys are, though: a real-time adversary-in-the-middle (manipulator-in-the-middle) phishing proxy that relays the victim's credentials triggers a genuine-looking push, so users must check the displayed details before tapping Approve.
Cost-effective: Eliminates the need to purchase and manage security keys.
Deny suspicious requests: Users can monitor suspicious activity and immediately block access to login attempts they did not initiate.
Disadvantages of using Salesforce Authenticator
Device dependency: If the registered device is lost or stolen and no backup verification method has been set up, the user cannot log in until an administrator resets their MFA.
App dependency: Requires installing the Salesforce Authenticator app on the mobile device.
Potential delays: Delays in push notifications due to network issues could affect timely authentication.
Risk of MFA fatigue: Attackers may flood users with repeated prompts to trick them into approving fraudulent login requests.
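Because an approve tap is cheap, the defence against prompt bombing is partly procedural (train users to deny and report) and partly detection. The detector below is an added Python example, not a feature of Salesforce Authenticator or ADSelfService Plus; the log format and the sample lines are constructed for illustration and are not either product's real log format. It flags a user who accumulates several denied or expired pushes inside a sliding window and raises the severity when an approval follows such a burst, which is the attacker's success case.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from any real product): one push event per line.
# alice is bombed with prompts and eventually taps Approve; bob and carol are normal.
SAMPLE_LOG = """\
2024-05-02T09:00:00Z user=alice event=push_sent src=203.0.113.7
2024-05-02T09:00:40Z user=alice event=push_denied src=203.0.113.7
2024-05-02T09:01:05Z user=alice event=push_sent src=203.0.113.7
2024-05-02T09:01:30Z user=alice event=push_denied src=203.0.113.7
2024-05-02T09:02:10Z user=alice event=push_sent src=203.0.113.7
2024-05-02T09:04:10Z user=alice event=push_expired src=203.0.113.7
2024-05-02T09:04:30Z user=alice event=push_sent src=203.0.113.7
2024-05-02T09:04:50Z user=alice event=push_approved src=203.0.113.7
2024-05-02T09:10:00Z user=bob event=push_sent src=198.51.100.5
2024-05-02T09:10:20Z user=bob event=push_approved src=198.51.100.5
2024-05-02T09:15:00Z user=carol event=push_sent src=192.0.2.9
2024-05-02T09:17:00Z user=carol event=push_expired src=192.0.2.9
"""


def parse_line(line: str):
    """'<iso timestamp> key=value ...' -> (datetime, {key: value})."""
    ts_str, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"), fields


def detect_mfa_fatigue(log_text: str, window: timedelta = timedelta(minutes=10), threshold: int = 3) -> dict:
    """Return {user: finding} for users with >= threshold unapproved (denied or expired)
    pushes inside `window`. An approval that arrives while such a burst is still inside
    the window is reported as high severity: that is the pattern of a successful attack."""
    unapproved = defaultdict(deque)   # user -> timestamps of denied/expired pushes in window
    findings = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, f = parse_line(line)
        user, event = f["user"], f["event"]
        q = unapproved[user]
        while q and ts - q[0] > window:   # slide the window forward
            q.popleft()
        if event in ("push_denied", "push_expired"):
            q.append(ts)
            if len(q) >= threshold:
                findings[user] = {"severity": "medium", "unapproved": len(q),
                                  "at": ts.isoformat(), "src": f.get("src")}
        elif event == "push_approved" and len(q) >= threshold:
            findings[user] = {"severity": "high", "unapproved": len(q),
                              "at": ts.isoformat(), "src": f.get("src")}
    return findings
```

A medium finding is a reason to contact the user and consider locking the account; a high finding should be treated as a probable compromise and the session revoked while the login is investigated. Tune window and threshold to the push volume of your own environment before alerting on them.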
How to secure your accounts if your phone is lost or stolen
If your device is lost or stolen, you'll be unable to log in to the various Salesforce applications that use Salesforce Authenticator. Here are a few steps to follow immediately if your phone is lost or stolen.
Report the loss: Tell your system administrator immediately so that the lost device can be disconnected from your account and can no longer approve login requests.
Lock or erase your device: Use a device management service like Find My Device (for Android) or Find My iPhone (for Apple) to lock or erase data on your device remotely.
Disconnect the lost device: Ask your Salesforce administrator to disconnect Salesforce Authenticator from your account (or, if you can still log in, do it from your own verification-method settings) so that a push sent to the lost phone can no longer approve a login. Connect the app on a replacement device afterwards.
Use a backup method and rotate passwords: Log in with an alternative verification method your organization has enabled, such as a security key, a backup authenticator app, or a temporary verification code issued by your administrator, and change the passwords for the accounts that were reachable from the phone.
Re-register with a new device: Once you have a new mobile device, register it with Salesforce Authenticator.
Use Salesforce Authenticator for MFA through ADSelfService Plus
ManageEngine ADSelfService Plus offers adaptive MFA with 20 different authenticators, including Salesforce Authenticator. You can use MFA to protect endpoints, such as on-premises and cloud application logins, computers, VPNs, OWA, and self-service password management tasks. With ADSelfService Plus, you can customize the MFA authentication process for various user accounts based on their OU and group memberships, allowing you to secure your organization's privileged accounts and activities against cyberthreats.
Configuring Salesforce Authenticator for identity verification
Follow the steps below to configure Salesforce Authenticator as one of the MFA methods for identity verification using ADSelfService Plus.
From the Choose the Policy drop-down, select a policy.
Note: ADSelfService Plus allows you to create OU and group-based policies. To create a policy, go to Configuration > Self-Service > Policy Configuration > Add New Policy. Click Select OUs/Groups, and make a selection based on your requirements. You need to select at least one self-service feature. Finally, click Save Policy.
Click Custom TOTP Authenticator.
Enter the Authenticator Name, Passcode Length, Passcode Expiration Time, Passcode Hashing Algorithm, and Account Name Format.
Note: All the values offered in these fields are supported by Salesforce. They define how each passcode is computed (RFC 6238 TOTP), so the app the user enrolls must generate codes with the same length, expiration time (time step), and hash algorithm the server expects; a mismatch in any one of them means every passcode the user enters will be rejected.
Upload the Salesforce Authenticator logo image file in the Authenticator logo field.
Note: If the Authenticator logo is not uploaded, a default logo will be used.
Click Save.
Fig. 2: Configuring Salesforce Authenticator for identity verification in ADSelfService Plus.
ADSelfService Plus enables you to configure Salesforce Authenticator as an MFA method for endpoint and application logins and password self-service actions. To learn more about configuration, see the ADSelfService Plus help documentation.
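The passcode length, expiration time and hashing algorithm configured in the steps above are the parameters of RFC 6238 TOTP. The Python below is an added example written for this page (not ADSelfService Plus or Salesforce code) that implements HOTP/TOTP with those parameters configurable, together with the server-side verification a practitioner should expect: a small drift window, constant-time comparison, and rejection of any time step already consumed so an intercepted code cannot be replayed. The seeds are the published RFC 6238 test vectors; demo() shows what happens when the server's period or passcode length differs from the app's.

```python
import hashlib
import hmac
import struct

# Seeds from RFC 6238 Appendix B, used here only as test data (one seed per hash algorithm).
# In a real deployment the per-user seed is the secret shared when the user enrolls the app.
RFC6238_SEEDS = {
    "sha1": b"12345678901234567890",
    "sha256": b"12345678901234567890123456789012",
    "sha512": b"1234567890123456789012345678901234567890123456789012345678901234",
}


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, digits: int = 6, period: int = 30, algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / period)."""
    return hotp(secret, int(at) // period, digits, algorithm)


def verify_totp(secret: bytes, code: str, at: int, digits: int = 6, period: int = 30,
                algorithm: str = "sha1", window: int = 1, last_used_step: int = -1):
    """Server-side check. Accepts the current step and up to `window` steps either side
    (clock drift), refuses any step at or before `last_used_step` so a captured code cannot
    be replayed, and compares in constant time. Returns the accepted step, or None."""
    if len(code) != digits or not code.isdigit():
        return None
    step = int(at) // period
    for delta in range(-window, window + 1):
        candidate_step = step + delta
        if candidate_step <= last_used_step:
            continue
        if hmac.compare_digest(hotp(secret, candidate_step, digits, algorithm), code):
            return candidate_step
    return None


def demo():
    seed = tuple(RFC6238_SEEDS.values())[0]                      # the SHA-1 seed
    code = totp(seed, 59, digits=8)                              # app and server agree: "94287082"
    ok = verify_totp(seed, code, 59, digits=8)                   # accepted at step 1
    wrong_period = verify_totp(seed, code, 59, digits=8, period=15)   # server uses a 15 s step
    wrong_length = verify_totp(seed, code, 59, digits=6)         # server expects 6 digits
    replayed = verify_totp(seed, code, 59, digits=8, last_used_step=ok)   # same code a second time
    return code, ok, wrong_period, wrong_length, replayed
```

The last_used_step bookkeeping is the part most home-grown TOTP verifiers forget: within the drift window a code stays valid for up to 90 seconds, which is plenty of time for a phished code to be used once by the attacker after the user has used it.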
FAQ
Can I log in to Salesforce products without using Salesforce Authenticator?
Salesforce contractually requires all customers to use MFA when accessing Salesforce products, but Salesforce Authenticator is one supported verification method rather than the only one: Salesforce also accepts third-party TOTP authenticator apps, security keys, and built-in authenticators such as Touch ID, Face ID, or Windows Hello, and organizations that log in through SSO can satisfy the requirement with MFA enforced by their identity provider. What you cannot do is log in to a Salesforce product directly with only a username and password.
Can you have Salesforce Authenticator on two devices?
Yes, Salesforce Authenticator can be installed and configured on two or more devices using the same user account, including tablet devices like iPads. You can even control these devices using the device management feature in Salesforce Authenticator.
What is the difference between authentication and authorization?
Although authentication and authorization sound similar, they do different jobs. Authentication verifies that a user is who they claim to be; authorization decides which resources an authenticated user may access and with what permissions.