Identity and Access Management

New features are available to prepare your org for multi-factor authentication (MFA) auto-enablement and enforcement. Your users can now register WebAuthn (FIDO2) security keys as an MFA verification method. Your employees and customers can log in to Salesforce with their Microsoft credentials. You can improve connected app security by rotating the consumer key and consumer secret, and by blocking connected apps from using the OAuth 2.0 username-password flow. As part of regular maintenance, Salesforce is upgrading its SAML framework in Spring ’23, so start testing your SAML integrations now.

  • Get Ready for Multi-Factor Authentication Auto-Enablement and Enforcement
    The requirement to use multi-factor authentication (MFA) when accessing your Salesforce org went into effect on February 1, 2022. If you haven’t fully satisfied this requirement, keep in mind that Salesforce will automatically enable, and later enforce, MFA for all direct (username and password) logins to the UI. To avoid disruptions to your business when these actions occur, and to protect your valuable data, we strongly recommend enabling MFA yourself as soon as possible. To speed things up, you can now turn on MFA for everyone in your org at once. And a new user permission lets you exclude the use cases that are exempt from the MFA requirement.
  • Verify User Identity with WebAuthn (FIDO2) Security Keys
    To meet the latest authentication standards, Salesforce now supports WebAuthn security keys. Users can register a WebAuthn or U2F security key for identity verification. To maintain compatibility with web browsers, previously registered U2F keys adopt WebAuthn APIs when used for the first time after Summer ’22.
  • Bypass MFA Challenges for Single Sign-On Auth Provider Logins (Release Update)
    This release update was originally enforced in Spring ’22, but the enforcement was unsuccessful for some orgs. Orgs that weren’t enforced in Spring ’22 are now enforced in Summer ’22. MFA challenges are now bypassed for users who are assigned the user permission Multi-factor Authentication for User Interface Logins and are logging in with an SSO Auth Provider. This update was first made available in Winter ’22.
  • Securely Update Email Addresses and Reset Passwords (Release Update)
    This release update was originally enforced in Spring ’22, but the enforcement was unsuccessful for some orgs. Orgs that weren’t enforced in Spring ’22 are now enforced in Summer ’22. To ensure the security of your org, users must reset their password before your changes to their email address and password become active. When a user resets the password using the provided link, the new email address is activated. Previously, the user’s new email address became active as soon as you saved the change, bypassing verification. This update was first made available in Summer ’21.
  • Login Enhancements for Microsoft
    Make it easy for employees and customers to log in to Salesforce by setting up single sign-on (SSO) with a Microsoft authentication provider. Your users can access your Salesforce org or Experience Cloud site with their Microsoft credentials.
  • Rotate the Consumer Key and Consumer Secret of a Connected App
    Improve the security of your connected apps with minimal app downtime. To keep your consumer key and consumer secret fresh, you can replace them with new consumer details. Prepare by generating staged values and distributing them to the integrations that use the connected app. When every integration is ready, apply the new consumer details; the staged values become active and the old ones stop working.
  • Verify Your Identity to Access Consumer Key and Consumer Secret
    To improve security, you’re required to verify your identity before viewing your connected app’s consumer key and consumer secret, also known as the client ID and client secret. On the connected app’s Manage Connected Apps page, you must complete multi-factor authentication (MFA) using one of your registered identity verification methods before you can see the consumer details. You can view the consumer details for up to 5 minutes before you’re challenged to verify your identity again.
  • Block the OAuth 2.0 Username-Password Flow at an Org-Wide Level
    To keep your org secure, you can block all connected apps in your org from using the OAuth 2.0 username-password flow. We recommend blocking the flow so that developers can’t use it to build new integrations. Blocking the flow can break any existing integrations that use the flow, such as managed packages and mobile apps. Before blocking the flow, audit and test your integrations so you can avoid disruptions.
  • Upgrade SAML Single Sign-On Framework (Release Update)
    Salesforce is upgrading its SAML framework as part of regular ongoing maintenance. This update can impact integrations with third-party systems, such as integrations with SAML identity providers and SAML-enabled applications. This update applies to all SAML-based integrations, even when you’re using Identity for Employees or Salesforce Customer Identity, including Experience Cloud.
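
Before blocking the OAuth 2.0 username-password flow (see “Block the OAuth 2.0 Username-Password Flow at an Org-Wide Level” above), you need to know which integrations still send `grant_type=password` to the org’s token endpoint. The script below is an added example, not part of the Salesforce release notes or of any Salesforce tool: it assumes you can export or proxy-log POST requests to `/services/oauth2/token` as one `timestamp method path body` line per request (the format, the log lines and the `3MVG9_...` consumer keys are constructed for illustration). It reports, per consumer key, how many password-grant requests were seen, which usernames they carried and the first and last time they occurred, so you can find the owning connected app and migrate it before enabling the block. Parameters are read from both the form body and the query string defensively, and requests to other paths or with other grant types are ignored.

```python
"""Audit captured OAuth token requests for use of the username-password flow.

Added example (not Salesforce code). Assumed input: a text log with one request per line,
"<ISO-8601 timestamp> <method> <path[?query]> <form body>". Lines below are constructed.
Redact client_secret and password values before retaining logs like these.
"""
from urllib.parse import parse_qs, urlsplit

TOKEN_PATH = "/services/oauth2/token"      # Salesforce OAuth 2.0 token endpoint
PASSWORD_GRANT = "password"                # OAuth 2.0 resource owner password credentials grant

# Constructed sample log: timestamps are ISO-8601 in UTC, so string comparison orders them.
SAMPLE_LOG = """\
2022-06-01T10:00:01Z POST /services/oauth2/token grant_type=password&client_id=3MVG9_legacy_sync&client_secret=REDACTED&username=svc.sync%40example.com&password=REDACTED
2022-06-01T10:00:07Z POST /services/oauth2/token grant_type=authorization_code&code=REDACTED&client_id=3MVG9_webapp&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcb
2022-06-01T10:02:13Z POST /services/oauth2/token grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=REDACTED&client_id=3MVG9_jwt_integration
2022-06-01T10:05:44Z POST /services/oauth2/token grant_type=password&client_id=3MVG9_legacy_sync&client_secret=REDACTED&username=svc.sync%40example.com&password=REDACTED
2022-06-01T10:06:00Z POST /services/oauth2/token grant_type=password&client_id=3MVG9_mobile_v1&client_secret=REDACTED&username=field.user%40example.com&password=REDACTED
2022-06-01T10:07:30Z GET  /services/data/v55.0/sobjects/Account grant_type=password
2022-06-01T10:08:00Z POST /services/oauth2/token?grant_type=password client_id=3MVG9_querystring
"""


def password_grant_requests(log_text):
    """Yield (timestamp, client_id, username) for each token request that used grant_type=password."""
    for raw in log_text.splitlines():
        parts = raw.split(None, 3)
        if len(parts) < 3:
            continue                                   # blank or malformed line
        timestamp, method, target = parts[:3]
        body = parts[3] if len(parts) == 4 else ""
        url = urlsplit(target)
        if method.upper() != "POST" or url.path != TOKEN_PATH:
            continue                                   # not a token request
        params = parse_qs(url.query)                   # query-string parameters (defensive)
        params.update(parse_qs(body))                  # form-body parameters take precedence
        if params.get("grant_type", [""])[0] != PASSWORD_GRANT:
            continue
        yield (
            timestamp,
            params.get("client_id", ["<unknown>"])[0],
            params.get("username", ["<unknown>"])[0],  # parse_qs already URL-decodes (%40 -> @)
        )


def audit(log_text):
    """Group password-flow requests by consumer key.

    Returns {client_id: {"count": n, "usernames": set, "first_seen": ts, "last_seen": ts}}.
    """
    report = {}
    for timestamp, client_id, username in password_grant_requests(log_text):
        entry = report.setdefault(
            client_id,
            {"count": 0, "usernames": set(), "first_seen": timestamp, "last_seen": timestamp},
        )
        entry["count"] += 1
        entry["usernames"].add(username)
        entry["first_seen"] = min(entry["first_seen"], timestamp)
        entry["last_seen"] = max(entry["last_seen"], timestamp)
    return report


if __name__ == "__main__":
    findings = audit(SAMPLE_LOG)
    if not findings:
        print("No username-password flow usage found; safe to block the flow.")
    for client_id, info in sorted(findings.items()):
        print(f"{client_id}: {info['count']} request(s), users={sorted(info['usernames'])}, "
              f"between {info['first_seen']} and {info['last_seen']}")
```

Each reported `client_id` is a consumer key; look it up under Manage Connected Apps to identify the owning app and team, move that integration to a flow that does not ship user passwords to the app, then re-run the audit over a fresh log window before enabling the org-wide block.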

https://help.salesforce.com/s/articleView?id=release-notes.rn_security_auth_and_identity.htm&release=238&type=5