
B2C Commerce Multi-Factor Authentication FAQ

Publication date: Jun 30, 2025
Description

As of February 1, 2022, multi-factor authentication (MFA) must be enabled for all of your Salesforce users. Use this document for MFA questions that are specific to B2C Commerce Cloud. To learn more about the MFA requirement in general, and to get started with MFA, see the Salesforce Multi-Factor Authentication FAQ.

Solution



MFA Enforcement

Now that the MFA requirement is in effect, multi-factor authentication will soon become a permanent part of the B2C Commerce login experience.

Starting May 1, 2022 and continuing on a rolling basis through the end of May, Salesforce will enable and enforce MFA for all users who log in directly to B2C Commerce applications.

Here's what to expect when Salesforce enforces MFA:

  • Admins won't be able to turn off or modify Account Manager MFA settings for their organization.

  • Users will receive an MFA challenge each time they log in. If a user hasn't already registered for MFA, they'll be prompted to do so before they can get access to their account.

Note: If you use SSO via Salesforce Identity to access B2C Commerce Cloud, Salesforce won't enable or enforce MFA for your SSO identity provider. But keep in mind that the contractual MFA requirement applies to all users who access your Salesforce products through SSO. For more information, see the Salesforce Multi-Factor Authentication FAQ.

 

What actions do we need to take before Salesforce enforces MFA?

There are some use cases that are exempt from the MFA requirement (as described in the Salesforce Multi-Factor Authentication FAQ). If any of these situations apply to your implementation, take the following steps before MFA is enforced to avoid potential disruption to your business.

 

What if we're not ready for MFA by May 1, 2022?

If you're concerned that you can't be ready for MFA by the May 2022 enforcement milestone for B2C Commerce, reach out to your Salesforce representative. We'll work with you to find a solution.

 


Enabling and Onboarding

 

Verifying identities with MFA

MFA is an extra layer of protection beyond a single user name and password. This extra protection can be knowledge (something you know) or possession (something you have). By utilizing an additional factor of identification, such as a mobile phone (something you have), the risk of account compromise is decreased. Depending on the multi-factor authentication (MFA) settings of your organization and your registered MFA verification methods, Account Manager asks you to verify your identity using a supported verification method.

 

What verification methods are available for Account Manager?

  • Salesforce Authenticator App: Salesforce Authenticator is a mobile app that can be used with MFA in your Salesforce org or tenant, driving a seamless user experience for your end users. Salesforce Authenticator makes the extra authentication step easy because it automatically integrates into your current Salesforce login process.

  • WebAuthn-Compliant Security Keys: Security keys are small physical tokens that look like a thumb drive and are easy to carry on a key ring. If a FIDO2-compliant U2F security key has been associated with an account, the security key can be used to verify Account Manager account activities. During verification, the browser prompts you to insert the security key into an appropriate port on the computer or mobile device and touch the button.

  • One-Time Password (TOTP) Generator Apps: Third-party authenticator apps generate temporary codes based on the OATH time-based one-time password (TOTP) algorithm. There are a variety of TOTP authenticator apps available, including many free options. If a TOTP authenticator app (such as Salesforce Authenticator or Google Authenticator) has been connected to an account, the app generates verification codes. This type of code is sometimes called a “time-based one-time (TOTP) password.” The code value changes periodically. 

 

Can MFA be enabled in Business Manager?

No, MFA can't be enabled in Business Manager directly. MFA is enabled in Account Manager.

 

I'm an admin. How do I enable MFA?

  1. In Account Manager, go to Organization and click on the name of the organization you’re setting up MFA for.

  2. In MFA Verification Method Settings, select one or more of the verification methods that you want to make available to your users:

    • Salesforce Authenticator App

    • WebAuthn-Compliant Security Keys

    • One-Time Password (TOTP) Generator Apps

    A user can enable more than one verification method. This provides a backup if the user's primary method isn't available.

  3. In MFA User Settings, select MFA enabled for all users in the organization.

 

After you enable MFA, the next time your users log in, they'll be prompted to register for MFA by selecting a verification method. They won't be able to access their account until they do so.

 

Can users register multiple verification methods and decide which to use when they log in?

Yes, if your organization enables additional MFA verification methods, users can register multiple methods for their account. As a precondition, multiple verification methods must be enabled at the organization level. When a user logs in, their first method is triggered. To select a different method, the user clicks Didn’t receive a notification and then, on the OTP page, clicks the Choose Another Verification Method link.

 

Can location-based auto-approval be used?

Yes, Salesforce Authenticator provides the option for automatic approvals based on your location. Automated verification works best when Salesforce Authenticator always has access to your precise location and is allowed to run in the background. Your mobile device’s location data doesn't leave the app. Allowing access to your location lets you automate MFA logins when you’re working at your office, home, or other trusted location. Location based auto-approval is available when Enable Additional MFA Verification Methods has been selected.

 

I have call center employees who can’t have phones while they are working. How do I use MFA?

Account Manager offers three MFA Verification methods (see What verification methods are available for Account Manager?) and not all require a smartphone. Security keys are an available verification method and are PCI compliant. They are also an affordable option at $20 and up.

 

How often will my users be required to authenticate using MFA?

All of your users need to authenticate with MFA every time they log in.

 

How can we prevent admins from getting locked out after MFA is enabled?

Make sure your access recovery plan includes steps to help you and your fellow admins if you lose access to your regular verification method(s). Consider these best practices:

  • Each admin should register at least two verification methods.

  • Keep a backup security key in a secure place at work, such as a safe.

  • Establish at least two accounts that have permissions to manage users and MFA settings. This way, if one account is locked out, you can use the other account to restore access.

 

What if a user loses or forgets their verification method?

B2C Commerce doesn't offer a solution with temporary codes. Encourage every user to register a backup verification method. Consider these approaches:

  • Each user should register at least two verification methods.

  • Keep backup security keys in a secure place at work. Security keys are easily transferable.

  • Consider using a TOTP authenticator browser extension or desktop authenticator app as a backup verification method.

  • As a last resort, a user can contact their Account Manager admin or Commerce Cloud Support to reset their account. If this happens, the user will need to register a new verification method when they log in.

When a user logs in, their first verification method is automatically selected. To use a different method, select Didn't receive a notification. Then, on the OTP page, select Choose Another Verification Method.

 

How can we test MFA before we roll out to all users?

In Account Manager, your admin can select your preferred verification methods without enabling MFA for the entire organization or a specific role. Select Enable Additional MFA Verification Methods and check the preferred verification methods that work for your business. Do not enable MFA for your entire organization or a specific role. Advise your tester to open Account Manager and Add an MFA Verification Method in Account Manager. Upon the tester’s next login, they will be challenged with MFA. For more information on MFA Verification Method settings, please review our next FAQ. We do not recommend that you test with your own account.

 

How can we tell which users aren't logging in with MFA?

There isn't a direct way to monitor which login sessions required MFA. But you have two options for getting insights:

  1. Use the MFA adoption report in the Salesforce Commerce Cloud CLI to see which users are and aren't logging in with MFA.

  2. Check your MFA settings. If MFA is enabled for your entire org, you can be assured that everyone is logging in with MFA, without exception. If MFA is enabled at the role level, you can audit your users' logins to B2C Commerce applications. For example, if a 'Business Manager User' logged in 7 days ago and the 'Business Manager User' role requires MFA, then you know that the user received an MFA challenge when logging in.

 

Do I need to use MFA with B2C Commerce sandboxes?

Sandbox environments for B2C Commerce Cloud are not excluded from the MFA requirement and will be affected when MFA is enforced for B2C Commerce customers.

 

How do I use MFA with system users/automated processes?

The best practice is to automate processes through the API using API clients. API clients are not affected by MFA that requires user interaction. In contrast to a user password, an API client password does not expire. For more information regarding API access using API clients, see Getting Started with OCAPI.

But there are cases where a Business Manager user context is required, e.g. WebDAV File Access, UX Studio, Agent User Login (i.e. Endless Aisle), OCAPI with a user context, Protected Storefront Access, or user interface testing. If a user context is required, you need to consider three different scenarios:

  1. The system user logs in to an application through the user interface (login page) -- A very common use case is automated user interface testing using tools like Selenium. It is affected by MFA. Please make sure your test tool supports MFA or test the application in an environment that is not protected by MFA. See B2C Commerce: Test Automation with Multi-Factor Authentication for more guidance.

  2. The system user is not authenticated through the user interface (API login), no integration with Salesforce Identity planned -- WebDAV File Access, UX Studio, Agent User Login, OCAPI access with a user context, or Protected Storefront Access are prominent examples for API logins. In these cases, the affected Business Manager user accounts can be linked to Account Manager by Unified Authentication and MFA can be enabled. The user will not be challenged with MFA authenticating via API.

  3. The system user is not authenticated through the user interface (API login), integration with Salesforce Identity planned -- This affects the same use cases as in 2. Affected Business Manager user accounts can be linked to Account Manager by Unified Authentication and can be linked from Account Manager to Salesforce Identity. But instead of the user's password, an Access Key is required to login through the API. The user will not be challenged with MFA authenticating via API. For more information, review our API Access Key document.

Note: To upload code to a Staging instance, a client certificate is required as an additional security factor. For more information, please review Configure Secure Code Uploads.

 

Does MFA affect integrations between B2C Commerce and products built on the Salesforce Platform?

No, MFA only affects authentication for users who are logging into Commerce Cloud via their browser or the mobile app.

 

I have implementation partners. Am I responsible for which ones get MFA?

Yes. Follow the process for MFA for each partner user accessing your Business Manager instances.

 

Sometimes the authentication process is slow and occasionally times out. Any tips?

Here are some troubleshooting tips you can try. Please take one action at a time to validate any change to the slowness:

  1. If you are using Chrome or a Chrome extension, try a different browser. Using a different browser sometimes pinpoints specific login issues.

  2. Clear your browser cache.

  3. Clear cookies.

  4. Disable LastPass.

  5. Disable Salesforce Authenticator Trusted Locations if you are using it.

If none of these actions provide a consistent and timely login, we suggest that you record your login and authentication actions with a screen capture video. Snagit or QuickTime, for example, will provide a view of the URL and the resulting changes/progress as well as the amount of time it’s taking. Attach your video to your support case.

 

Can we change the inactivity timeout to be more than 15 minutes?

In Business Manager, it's important to configure user password restrictions and login lockout policies. All the possible values ensure compliance with the Payment Card Industry Data Security Standard (PCI DSS).

To comply with the PCI DSS standards, users who are inactive for 15 minutes are logged out of their session. With this standard, you cannot increase this timeout value. For more information, review Prioritized Approach for PCI DSS 3.2, Requirement 8.1.8.

 


Single Sign-On (SSO)

 

If users log in with SSO from their own identity management system, will they get MFA challenges when accessing Account Manager?

Only during initial setup or during an Account Manager reset. A newly-created user in Account Manager has to authenticate with MFA once in order to link their Account Manager profile to Salesforce Identity. After account linking is completed, MFA verification will be handled by the SSO login process.

 

Where can I find more information about integrating Salesforce Identity and SSO?

Review the Integrate B2C Commerce with Single Sign-On solution kit for information and details.

 


Additional Information

 

Can I turn off MFA after it's been enabled?

If you’re experiencing issues with MFA, please work with Salesforce Support or your Account team to find a resolution.

 

I use Incognito/Private Browsing windows throughout the day. Will I have to authenticate every time?

There is actually no difference between incognito/private browsing and normal browsing in terms of authentication. As soon as you end the current browser session, you have to re-authenticate.

 

How do I configure MFA for code uploads?

You can upload custom code, also known as cartridges, to a Staging instance using UX Studio, or with a file transfer mechanism such as WebDAV over TLS. To upload code to a Staging instance, a client certificate is required as an additional security factor.

For more information, review Configure Secure Code Uploads and Generate, Sign, and Use Client Certificates for Secure Code Uploads.

Uploading code to a Production instance is not allowed.

 


Glossary

 

  • Least Privilege: The principle of least privilege is a core zero trust concept. Implementing least privilege means that you give users, applications, systems, and other components only the minimum privilege level they need to do their job. Design granularity into the application to allow for separation of responsibilities within an organization. For example, a user account for the sole purpose of checking analytics does not need permission to manage the product catalog. Managed role-based access control (RBAC) lets you create roles based on a set of permissions. Managing users’ permissions is now as simple as assigning them to their corresponding roles.

  • Privileged User: Describing a user as 'privileged' indicates that their account has been granted a high level of access to an application, which may include permissions to perform security-relevant functions that a typical user wouldn’t be authorized to perform. Under the principle of least privilege, privileged users are the users with the highest privileges in an application. In Business Manager, users who have write access to these permissions should be considered privileged users.

  • Account Manager: Account Manager creates, maintains, and disables Commerce Cloud user accounts. It also grants (or denies) access to selected applications based on the account's credentials. See the Account Manager FAQ. Account Manager is used by two different types of users: account administrators and non-administrative users. Account administrators can do everything non-administrative users can do. Account administrators can also create accounts, disable accounts, and so on. At least one account administrator is assigned to each organization.

 

Knowledge Article Number

000392688

 
Salesforce Help | Article