So this isn’t so much a tip as a discussion (welcoming thoughts and comments below). Had a client that wanted 2 factor authentication, but wanted more than just the typical “text me when I login from a different machine” type of security. There are definitely some considerations here…
So what are the options? There’s already what I think is considered 2 factor authentication with Salesforce in that you can login with a username and password, but if you log in from a different machine you’ll be texted a number, or emailed if you don’t have a cell phone entered for the user. Turn off cookies I guess and it will text them every time. A decent option I guess if you’re really wanting a text every time.
Additionally, you can set up 2 factor authentication by profile so they get prompted for a code EVERY TIME they log in. Maybe you want this, maybe you don’t, but that’s up to the security team and whether your users will rebel. Here’s how you do this one:
Go to Setup (you know, the gear icon that we always do), then search for profiles. You can only customize custom profiles (say that 3 times fast) so you’ll have to clone or create a new profile first.
1) Click the New Profile button.
2) Select an existing profile to clone, give it a name and click Save.
3) On the next page there’s a slew of items, I get lost in here all the time but I’ll let you dig around. Scroll down a bit and select “System Permissions”.
4) Scroll way down now, and look for “Two Factor Authentication….”
5) Oops, we have to click Edit at the top so we can check this box. No biggie, but you get it. Once you do that (and save it), the users will need to download an app, or have something else connected to them (like a key fob) to use to log in.
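If you want to check which profiles actually have that box ticked without clicking through each one, here is an added example (not part of the original post or Salesforce's own code) that scans profile metadata XML. It assumes the checkbox maps to the `ForceTwoFactor` user permission, and the sample profiles and their names are constructed.

```python
import xml.etree.ElementTree as ET

# Namespace used by Salesforce Metadata API files such as *.profile-meta.xml.
NS = {"sf": "http://soap.sforce.com/2006/04/metadata"}
# Assumption: API name of the user permission behind the 2FA login checkbox.
TWO_FACTOR_PERM = "ForceTwoFactor"

def _profile(*perms):
    """Build a constructed profile XML from (name, enabled) pairs."""
    body = "".join(
        f"<userPermissions><enabled>{str(on).lower()}</enabled>"
        f"<name>{name}</name></userPermissions>"
        for name, on in perms
    )
    return f'<Profile xmlns="{NS["sf"]}"><custom>true</custom>{body}</Profile>'

# Constructed sample profiles (hypothetical names, not from a real org).
SAMPLE_PROFILES = {
    "Sales 2FA": _profile(("ApiEnabled", True), ("ForceTwoFactor", True)),
    "Support Clone": _profile(("ApiEnabled", True), ("ForceTwoFactor", False)),
    "Marketing Clone": _profile(("ApiEnabled", True)),  # permission absent
}

def enabled_permissions(profile_xml):
    """Return the set of user permission names marked enabled=true."""
    root = ET.fromstring(profile_xml)
    perms = set()
    for up in root.findall("sf:userPermissions", NS):
        name = up.findtext("sf:name", default="", namespaces=NS).strip()
        on = up.findtext("sf:enabled", default="false", namespaces=NS)
        if name and on.strip().lower() == "true":
            perms.add(name)
    return perms

def profiles_without_2fa(profiles):
    """Sorted names of profiles that do not force a second factor at login."""
    return sorted(
        name for name, xml_text in profiles.items()
        if TWO_FACTOR_PERM not in enabled_permissions(xml_text)
    )

if __name__ == "__main__":
    for name in profiles_without_2fa(SAMPLE_PROFILES):
        print(f"2FA not enforced by profile: {name}")
```

A profile showing up in this list only means the profile itself doesn't force the prompt; the same permission can also be granted through a permission set, so check those too before calling a user uncovered.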
Like I said, not really going into too much here, but it’s there and open for discussion. Too much, too little, is there a happy medium? The client in question wasn’t really too happy as they don’t like the authentication app for this or a key fob. However, there’s really no way to have it text you every time like I think they wanted. As I said, maybe the “turn off cookies” is an option.
BTW, here’s the link that really lays it out: https://help.salesforce.com/articleView?id=security_overview_2fa.htm&type=5