Salesforce has set February 1, 2022 as the start date for enforcing multi-factor authentication (MFA) compliance. Here’s a quick read and some resources to help you make sure that your Provar test automation is ready.
Just the essentials
- MFA is not required for testing applications
- Enforcement will follow a phased implementation schedule
- Notices and License Information (NLI) compliance (1 Feb 2022)
- New org default MFA with admin disable capability (between Sep and Oct 2022)
- Admin disable ends (between May and June 2023)
- MFA is not required for sandboxes (except B2C Commerce Cloud) or scratch orgs (in the FAQ, scroll down to the MFA Requirements for User Types table)
- Mandatory for compliance: Make sure you have Provar-dedicated user accounts (not used for anything else).
- Enabling MFA for this user account is optional. If you choose this option, use a Provar Salesforce OAuth connection.
Salesforce is continuing to work out the specifics of how MFA-exempt user types will be excluded from auto-enablement and enforcement. Provar is watching this closely and will provide updates as soon as the information is available.
- If MFA is enabled for production, new and refresh sandboxes will also have MFA enabled. Check here for more about how to manage MFA for sandboxes.
Planning for MFA with the Salesforce MFA roadmap
February 1, 2022 – NLI compliance
“Starting February 1, 2022, Salesforce will begin requiring customers to enable Multi-Factor Authentication (MFA) for all Covered Services, unless otherwise approved by Salesforce in accordance with Salesforce internal policies and procedures.”
Accounts for test automation tools don’t require MFA (per the MFA FAQ). To be in compliance, you need to make sure that Provar Salesforce connections are set up with user accounts that are used only for Provar. This applies to both the main admin level connections and any logon-as connection.
Between September and October 2022 – Auto Enable
Starting in Fall 2022, Salesforce will begin automatically enabling MFA for all users who log in directly to a Salesforce product’s UI. Until the enforcement phase, admins will be able to temporarily disable MFA.
Between May and June 2023 – Enforcement
When Salesforce enforces MFA for a Salesforce product, it becomes a permanent part of the product’s login process. During enforcement, Salesforce auto-enables MFA for all users who aren’t already using it for direct logins. At the same time, Salesforce removes the option for all customer users, including admins, to disable MFA.
How will Salesforce implement MFA exclusions?
Salesforce is still working out the specifics of implementing exclusions. Provar is tracking this closely and will let you know as soon as Salesforce publishes additional information. Here’s the specific language from the FAQ:
There are several user types, including API/integration, automated testing, and RPA accounts, that aren’t required to use MFA. We’re currently working on plans for how customers can exclude these types of users from future auto-enablement and enforcement milestones. We’ll update this FAQ and your products’ documentation when more information is available.
Where to get more information
- Salesforce MFA Main Page – Includes links to FAQ, Roadmap, Trailblazer Community, and e-book.
- Salesforce Multi-Factor Authentication Assistant – Great tool for guiding MFA setup.
- Notices and License Information – Defines compliance terms for MFA requirements.
- Need more answers? Reach out to your Provar Customer Success Manager or contact Provar support.
Provar is the only solution engineered from the ground up for Salesforce. Take a product tour today.