How MFA Affects Subscriber Support Console Access

Mike Faust
AppExchange and the Salesforce Ecosystem
4 min read · May 5, 2022

Multi-Factor Authentication (MFA) is an easy and effective way to increase user account protection against common security threats like phishing attacks. It adds a layer of security to the login process by requiring users to submit two or more pieces of evidence (factors) to prove they are who they say they are. Effective Feb. 1, 2022, Salesforce contractually requires customers to use MFA for all internal users that log in via the user interface (UI). For more information about the MFA requirement and commonly asked questions, check out this FAQ.

There are several different ways to implement multi-factor authentication in an org to meet the MFA requirement. The Multi-Factor Authentication Quick Guide for Admins is a great place to learn more about MFA, the verification methods Salesforce supports, and how to roll it out in your org using change management best practices.

In accordance with the MFA requirement, the Spring ’22 release enforces the need for partners to log in to the License Management Org (LMO) with MFA to securely access subscriber orgs with the Subscriber Support Console. As the release notes state, this change provides subscribers an added layer of security for managed packages by verifying the identity of users accessing their org. If the partner support user does not authenticate with an MFA high assurance session, they will not be able to access the subscriber org via the Subscriber Support Console.

Configuring MFA

Let’s walk through one way of enabling MFA in your LMO and the common issues you may run into as you try to access the Subscriber Support Console. This method uses the Salesforce Authenticator app, which is downloadable from the Apple App Store and Google Play.

  • The first thing you need to do is make sure that Multi-Factor Authentication is set as a high assurance session. You can set this by going to Setup and Session Settings. From there, navigate to the Session Security Levels section and add Multi-Factor Authentication as high assurance.
Picture setting MFA to high assurance for session security levels
  • The next step is to require users to authenticate using MFA when they log in to the License Management Org to use the Subscriber Support Console. You can enable this by profile or permission set: navigate to the System Preferences section of the profile or permission set and check the box for “Multi-Factor Authentication for User Interface Logins”. If you are using permission sets, make sure the permission set is assigned to the user.
Picture of the permission setting that needs to be enabled for users to require MFA
  • Finally, next time your users log in, they will be prompted to set up the authenticator app. The Salesforce login flow will prompt them with the steps as depicted in the image below.
The Salesforce Authenticator screen that is displayed when setting up an MFA device on first login

Subscribers can still require a second MFA

As the aforementioned release notes call out, “Starting in Spring ’22, subscribers also have the option of requiring you to complete a second MFA when logging in to their org from the Subscriber Support Console. In this scenario, your login attempt sends an MFA notification to your subscriber, and your login is blocked until your subscriber responds to the notification. By default, the setting that requires a second MFA challenge is disabled. If subscribers require that second layer of security, they must contact Salesforce Customer Support.”

This means that if customers enable this feature in their org, partners will need to coordinate support timelines with the customer so that the customer can provide the authentication code or approve access via the app.

So your users still can’t access the Subscriber Support Console?

Once MFA is enabled, some users may get an error and be unable to log in to the subscriber org. Here are a few reasons why this may occur:

  • The user’s current session is not a high assurance session. This usually happens when the user was already logged in when MFA was enabled for the user or when MFA was set to high assurance. The user should log out and log back in to establish the high assurance session.
  • Multi-Factor Authentication is not set at a high assurance level. Navigate to Setup -> Session Settings -> Session Security Level to verify that Multi-Factor Authentication is set to high assurance (see step one).
  • If you are leveraging an SSO Identity Provider’s MFA service, you’ll need to ensure you set that SSO service as high assurance. You can find instructions on how to do that here.
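The checks above can also be run in one pass from Execute Anonymous in the LMO. The following is an added example, not code from the original post or from Salesforce: it reports, per active user, whether the “Multi-Factor Authentication for User Interface Logins” permission is granted and whether the user currently holds a high assurance session. It assumes the running user can query `AuthSession` for all users, and that support users are standard users (the `UserType` filter is an assumption; narrow it to your support profiles as needed).

```apex
// Added example: run as Execute Anonymous in the License Management Org.
// 1) Users who hold "Multi-Factor Authentication for User Interface Logins"
//    through their profile (profile-owned permission set) or an assigned permission set.
Set<Id> mfaRequired = new Set<Id>();
for (PermissionSetAssignment psa : [
        SELECT AssigneeId
        FROM PermissionSetAssignment
        WHERE PermissionSet.PermissionsForceTwoFactor = true
          AND Assignee.IsActive = true]) {
    mfaRequired.add(psa.AssigneeId);
}

// 2) Security level of each user's top-level sessions (child sessions skipped).
Map<Id, Set<String>> levels = new Map<Id, Set<String>>();
for (AuthSession s : [
        SELECT UsersId, SessionSecurityLevel
        FROM AuthSession
        WHERE ParentId = null]) {
    if (!levels.containsKey(s.UsersId)) {
        levels.put(s.UsersId, new Set<String>());
    }
    levels.get(s.UsersId).add(s.SessionSecurityLevel);
}

// 3) Map each user to the matching troubleshooting case.
for (User u : [SELECT Id, Username FROM User
               WHERE IsActive = true AND UserType = 'Standard']) {
    String finding;
    if (!mfaRequired.contains(u.Id)) {
        finding = 'MFA permission not granted by profile or permission set';
    } else if (!levels.containsKey(u.Id)) {
        finding = 'no active session';
    } else if (!levels.get(u.Id).contains('HIGH_ASSURANCE')) {
        finding = 'session is not high assurance: log out and log back in';
    } else {
        finding = 'OK: high assurance session present';
    }
    System.debug(u.Username + ' -> ' + finding);
}
```

If a user who logged in with MFA (or through SSO) still shows no `HIGH_ASSURANCE` session, the session security level settings described in the second and third bullets are the place to look.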

Summary

Multi-Factor Authentication is a powerful tool to provide security to customer orgs. Make sure that you enable MFA for your support users so that they can properly support your customers.

Need More Help? Check Out These Additional Resources:

Require Multi-Factor Authentication for Logins to Subscriber Orgs (Release Update)

Multi-Factor Authentication for Salesforce

Salesforce Multi-Factor Authentication FAQ
