I did the Trailhead about two-factor authentication and was pretty impressed by it. Soon after, I got a request to actually implement it. The timing was unreal. As educational and fun as Trailhead is, actually implementing something often makes you go a bit deeper into the subject.
Definition of two-factor authentication from Trailhead:
What are the two factors?
- Something users know, like their password
- Something users have, such as a mobile device with an authenticator app installed
That second factor of authentication provides an extra layer of security for your org.
As an admin, you can require it every time your users log in. Or you can require it only in some circumstances, such as when users log in from an unrecognised device or try to access a high-risk application. After users successfully verify their identity with both authentication factors, they can access Salesforce and start working.
My requirement was to require users logging in outside the company IP ranges to use two-factor authentication in order to log in. This was to provide extra security outside of the office.
While I was researching how to achieve this I found a lot of great resources:
- Two-Factor Authentication
- Restrict When and Where Users Can Log In to Salesforce
- Set Two-Factor Authentication Login Requirements
- Customise and Manage User Authentication with Login Flows
I discovered that I needed to create a specific login flow for people logging in outside the company-approved IP ranges.
I’d never created a login flow and wasn’t quite sure where to start. Before I did too much exploration into creating one from scratch, I found an unmanaged package that includes sample login flows. One of the pre-built flows it included matched my requirement exactly.
In the setup search menu, search for “Login Flows” and, once you find it, click “New.” Find the pre-built flow called “Conditional_Two_Factor.” Specify which user license and profile it applies to, and that’s it. Super straightforward, right?
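The decision a conditional two-factor flow makes, written out in Python as an added example; it is not code from this post or from the unmanaged package. The function names are hypothetical and the IP ranges are constructed documentation addresses standing in for the company-approved ranges.

```python
import ipaddress

# Constructed sample ranges (documentation address blocks) standing in for
# the company-approved IP ranges; they are not from the original post.
TRUSTED_RANGES = ["203.0.113.0/24", "198.51.100.16/28", "2001:db8:10::/48"]


def _normalise(raw):
    """Parse a source address; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    addr = ipaddress.ip_address(raw.strip())
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def requires_second_factor(source_ip, trusted_ranges=TRUSTED_RANGES):
    """Return True when the login must be challenged for a second factor.

    Fails closed: an address that is missing or cannot be parsed is treated
    as outside the trusted ranges, so the challenge is shown.
    """
    try:
        addr = _normalise(source_ip)
    except (ValueError, AttributeError):
        return True
    for cidr in trusted_ranges:
        net = ipaddress.ip_network(cidr, strict=True)
        if addr.version == net.version and addr in net:
            return False
    return True


def evaluate(logins):
    """Map (user, source_ip) pairs to the action taken at login."""
    return {
        user: "challenge" if requires_second_factor(ip) else "allow"
        for user, ip in logins
    }


if __name__ == "__main__":
    # Constructed login attempts for illustration.
    sample = [
        ("alice", "203.0.113.25"),         # inside an approved range
        ("bob", "192.0.2.77"),             # outside every approved range
        ("carol", "::ffff:203.0.113.25"),  # approved, IPv4-mapped form
        ("dave", "not-an-ip"),             # unparseable: fail closed
    ]
    for user, action in evaluate(sample).items():
        print(user, action)
```

The two cases worth testing in any real configuration are the same ones shown here: an approved address reported in a different notation, and a missing or malformed address, which should lead to a challenge rather than a bypass.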
After that I had the users install the Salesforce Authenticator app on their phones and created a help doc for them. I’ll share the help doc in a future post.