Cruising through MFA in Salesforce (WI22+)

Rahul Goswami
7 min read · Dec 20, 2021

Salesforce MFA is finally upon us, with enforcement reportedly starting in February 2022. These features are expected to be baked into some Salesforce profiles, which has split the community, with many wondering whether an extra layer of security will become cumbersome and counter-productive in the long run.

Salesforce has acknowledged that there is currently no privilege-escalation feature to exempt a user from this, which leaves UI-based automation testing in a conundrum, as most of these automations have no mechanism to retrieve passphrases or TOTPs. According to Salesforce documentation, MFA isn’t required for RPA automations or API-based logins, but these are still subject to precaution and care. However, if your automation users share a profile with other users, segregating this pool of non-MFA users will take extra effort.

Unfortunately, the list of issues grows with each org, and a considerable group of users sees this feature as something close to redundant. So, what can we do? Fortunately, Salesforce allows us to implement different MFA solutions: Salesforce Authenticator, third-party authenticators (subject to token compliance), security keys, etc. Do any of these allow a user, or a UI automation script, to complete MFA without moving away from the screen? The answer is yes. But as with every great thing there is a cost, and in our case it translates to lowering the level of security by a tiny bit.

Let us get this straight: none of the methods discussed here bypasses MFA, as that would require an IAM or PAM to be in place, which could in turn mean some level of integration. We will be exploring different flavours of the same feature, with variations that may suit different organizations looking for a seamless transition to MFA. The three ways I discuss here are Einstein automation, a browser-based extension, and a custom MFA solution.

Method 1: Using Einstein Automation in Salesforce Authenticator App

Salesforce Authenticator is the way of implementing MFA most recommended by Salesforce. It is maintained by Salesforce itself, and future updates may be directed towards easing MFA adoption through the app. As of today, there is a very interesting feature that can be used to mimic a 1FA via the app. This feature is called Einstein automation.

To enable this feature, launch the authenticator app and tap the gear icon in the top left corner. This launches the settings screen. Under Advanced settings, tap Automation settings. Inside is a simple toggle waiting to be switched on. Once it is activated, the next time a login prompt arrives you will see a small checkbox on the same screen to allow location-based approval. Set the location accuracy on your phone to high, so that it uses WiFi, GPS or Bluetooth. Once you approve a login request, your current location is added to a list of approved locations. The next time you receive a login prompt at the same location, it is approved automatically and instantly, hence behaving like a 1FA. You don’t even have to touch your phone once you have set it up. And there is more: the system distinguishes login approvals from other approvals. So while connecting a third-party authenticator, when you receive a prompt to approve a 3rd-party authenticator from the same location, it will not be location-approved unless you want it to be.

Location based approval

When you tap one of your saved tokens, you can see the approved locations, the login history from approved locations with place and time, and how many times the automation has approved a login in total. Keeping UI automations in perspective, this means that one device can be used to auto-approve incoming login requests and the UI automation doesn’t have to do anything fancy. However, I am not sure how scalable this method is, or how response latency grows with increasing parallel requests, but it is a very cool feature otherwise for small to medium use cases.

Method 2: Use browser-based TOTP authenticator extensions that display on the same screen

The Salesforce Authenticator is certainly promising; however, it is tricky to fit into existing UI automations, as latency during bulk logins may cause automations to fail. So, continuing our efforts to get into our orgs without leaving the screen or device we are on, we arrive at another interesting feat: browser-based extensions, thanks to a few humble folks and companies. 2FA and Authenticator are two such browser extensions from a long list of free authenticators. These tools are tailored for just this job and require only a couple of clicks to be added to existing automations for a smooth login. On top of that, the tokens are secured behind a login and scale to a large number of automations running in parallel.

To set up such a seamless MFA experience, open your user detail page in Salesforce Setup and disconnect any existing authenticators (including Salesforce Authenticator, if possible). This is done by clicking ‘Disconnect’ in the App Registration fields on your user detail page. Pin the browser extension near the address bar for accessibility and log in to the extension (if required). Set the timeout duration in the extension settings (if applicable). Click Connect in the App Registration: One-Time Password Authenticator section. A page will render with a QR code. Your authenticator plugin will have an option for grabbing the QR from the active screen. The QR contains encoded information about the username and the shared secret. This is automatically added as a token in your authenticator plugin.

Browser extension for MFA

And now, finally, the relief for the automation folks. While logging in to an org, only a minor tweak is needed: click the appropriate token in the extension window, which automatically enters the code in the verification field, and that is it. For normal users as well, you are now one click away from getting your passcode right where you want it without moving anywhere else. We can have any number of users with their respective tokens all in one place, and the automation can easily be adjusted per org. However, if for some reason your authenticator doesn’t offer capturing the QR info, no need to panic; have a look at the next approach.

Method 3: My authenticator doesn’t read QR? Do it the Salesforce way!!

If you happen to be using a desktop, browser or mobile authenticator that, as of this post, can’t read a QR code (like Twilio Authy for desktop), don’t let your automation hopes take a turn. If you know Salesforce, there is always an object. Yes, this MFA registration is captured in a standard Salesforce object known as ‘TwoFactorInfo’.

In order to set up this custom MFA experience, you need one system permission: Manage Multi-Factor Authentication in API. You won’t be able to query the above object without it. Consider adding a permission set to your user if for some reason you are unable to add this to your profile. It can be revoked later, as it is only required for the one-time setup. It is a best practice to have your Salesforce and other authenticators disconnected on your user detail page before proceeding.

Open the Developer Console and execute the following lines in an Execute Anonymous window with the ‘Open Log’ option checked:

// Ask Salesforce for a fresh TOTP registration; the map holds 'qrCodeUrl' and 'secret'
Map<String, String> codeResult = Auth.SessionManagement.getQrCode();
// The base32 shared secret an authenticator would otherwise read from the QR code
String AuthResult = codeResult.get('secret');
System.debug(AuthResult);

This just satisfied that Apex power-user ego. Open the execution log and get the AuthResult value from the debug statement above. Open Workbench or Data Loader and upsert the following record into the TwoFactorInfo object:

SharedKey: xxxxxAxxxxxBxxxxxxC
Type: TOTP
UserId: <your Salesforce user ID>

After this step succeeds, you should receive an email at the address registered on your user record, stating that a new verification method has been added. Enter this SharedKey in your authenticator app’s secret input and save your token. Select a 6-digit token length if prompted. Your authenticator should start producing codes any moment now. Try logging in now; you should receive a prompt to enter a verification code, which can easily be copied from the app to your screen.
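Methods 2 and 3 rest on the same fact: the QR code is an otpauth:// URI carrying a base32 shared secret, and whoever holds that secret (whether a browser extension, a desktop app, or the SharedKey written into TwoFactorInfo) can produce every future code. That is why the secret deserves the same handling as a password, and why an email notification is sent when a new method is registered. The following Python example is added here to show what that secret encodes; it is not code from the original post or from Salesforce. It parses a constructed otpauth URI, implements RFC 6238 TOTP generation with a skew-tolerant, constant-time verifier, and checks itself against the RFC's published test vectors. The URI, label and secret are constructed sample values, not a real Salesforce token.

```python
"""Parse an otpauth:// URI (the QR payload) and implement RFC 6238 TOTP."""
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample values, NOT a real Salesforce token: the secret is the
# RFC 6238 test key "12345678901234567890" encoded as base32.
SAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
SAMPLE_OTPAUTH_URI = (
    "otpauth://totp/Salesforce:user%40example.com"
    f"?secret={SAMPLE_SECRET_B32}&issuer=Salesforce&digits=6&period=30"
)


def parse_otpauth_uri(uri: str) -> dict:
    """Extract label, issuer, secret, digits and period from an otpauth://totp URI.

    This is exactly what a QR-reading extension pulls off the screen; once the
    secret is held, nothing else from the screen is needed to produce codes.
    """
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    if "secret" not in params:
        raise ValueError("otpauth URI carries no secret")
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "issuer": params.get("issuer", ""),
        "secret": params["secret"],
        "digits": int(params.get("digits", "6")),
        "period": int(params.get("period", "30")),
    }


def _decode_secret(secret_b32: str) -> bytes:
    """Base32-decode a shared secret, tolerating spaces, lowercase and missing padding."""
    cleaned = secret_b32.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def totp(secret_b32: str, for_time: int, digits: int = 6, period: int = 30,
         algorithm: str = "sha1") -> str:
    """RFC 6238: HMAC the time-step counter with the shared key, then dynamically truncate."""
    key = _decode_secret(secret_b32)
    counter = struct.pack(">Q", for_time // period)  # 8-byte big-endian step count
    digest = hmac.new(key, counter, getattr(hashlib, algorithm)).digest()
    offset = digest[-1] & 0x0F                        # RFC 4226 dynamic truncation
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, code: str, for_time: int, digits: int = 6,
                period: int = 30, window: int = 1) -> bool:
    """Verifier-side check accepting +/- `window` steps of clock skew, in constant time."""
    step = for_time // period
    accepted = False
    for delta in range(-window, window + 1):
        candidate_step = step + delta
        if candidate_step < 0:
            continue
        candidate = totp(secret_b32, candidate_step * period, digits, period)
        # Compare every candidate so timing does not reveal which step matched.
        accepted |= hmac.compare_digest(candidate.encode(), code.encode())
    return accepted


if __name__ == "__main__":
    info = parse_otpauth_uri(SAMPLE_OTPAUTH_URI)
    print(f"label={info['label']!r} issuer={info['issuer']!r}")
    # RFC 6238 Appendix B: at T=59 the SHA-1 code is 94287082 (8 digits), so 287082 at 6.
    print("code at T=59 :", totp(info["secret"], 59, info["digits"], info["period"]))
    print("verify       :", verify_totp(info["secret"], "287082", 59))
```

The takeaway for the setup above is that the base32 string you paste into an authenticator, the SharedKey field, and the QR payload are all the same secret, so storing it in a browser extension or a spreadsheet for automation moves the second factor onto whatever protects that store.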

Bonus: Use external IAM/PAM solutions to customize your authentication flow

So far we have seen changes that can be made at an individual level, with minimal changes at the org level. At enterprise level, though, this solution wouldn’t be ideal and can have security implications. Thus, if it is possible for an organization to use an external IAM, that would be a very plausible solution. The features of these external identity providers vary from one provider to another, but they all share many similarities, including centralized access, role-based logins, logs, etc. One Identity is a reputed industry-standard IAM which offers many different connectors to cloud applications, including SAP, Azure AD, ServiceNow, etc. Its Identity Manager provides some native and generic connectors, but when paired with Starling Connect (a cloud service) it can be extended to many SaaS applications. Although MFA may also be present in such systems, there is finer granularity for escalating the privileges of some accounts in this regard.

We have now explored different ways to do the same task, each with its own plaudits. The ability to retrieve the secret from Salesforce also means there is scope for developing more customized solutions, including your own authenticator, to advocate automation and its acceptance. This is all you can eat from Salesforce MFA as of this post. If you have learnt anything new, show no mercy in spreading this post.
