Identity and Access Management

The first phase of multi-factor authentication (MFA) auto-enablement is in effect. Salesforce offers more capabilities for SAML single sign-on and certificate-based authentication methods. Manage insecure login flows and consumer secrets with greater visibility and security. Provide your Experience Cloud users with a streamlined and branded identity experience. Log in to Salesforce Easy orgs with an email address, and if you have access to more than one Salesforce Easy org, use the Environment Switcher dashboard to select which org to log in to.

  • MFA Auto-Enablement: Find Out When and How Your Org Is Affected (Release Update)
    As of February 1, 2022, Salesforce requires all customers to use multi-factor authentication (MFA) when accessing Salesforce products. To help customers meet this requirement, Salesforce is automatically enabling MFA for production orgs in several phases via the MFA Auto-Enablement Release Update. For orgs in the first phase, MFA is auto-enabled with Spring ’23. For orgs in the second phase, MFA is auto-enabled with Summer ’23.
  • Chatter Free and Chatter External Users Are Automatically Excluded from MFA Auto-Enablement and Enforcement
    Salesforce users with the Chatter Free or Chatter External license are exempt from the multi-factor authentication (MFA) requirement. When the "Require multi-factor authentication (MFA) for all direct UI logins to your Salesforce org" setting is turned on, either by you or by Salesforce, the setting automatically excludes these users. Keep in mind that you may need to exclude other MFA-exempt use cases on your own.
  • Check the Revocation Status of User Authentication Certificates
    Enhance the security of certificate-based logins to Salesforce by checking the revocation status of user certificates. This setting prevents logins with certificates that are revoked or can’t be validated. Before you enable revocation status checks, make sure that your uploaded user certificates contain Online Certificate Status Protocol (OCSP) or Certificate Revocation List (CRL) endpoints.
  • Insert Consumer Secrets in Authentication Providers Manually in All Change Sets and Packages
    Beginning in November 2022, if a change set or package includes an authentication provider with a consumer secret defined, the consumer secret is changed to a placeholder value. You must insert the consumer secret manually after deployment. Beginning with the Spring ’23 release, this change applies to all change sets and packages, including those generated before November 2022. When you import an authentication provider, the consumer secret is treated as a plaintext value, even if the value was encrypted when the authentication provider was created.
  • Monitor Connected App Logins That Use Insecure Flows
    In Login History, view logins into connected apps that use user-agent or username-password login flows. With new OAuth Flow Enhancements, you can monitor use of these insecure flows to determine the impact of blocking them.
  • Upgrade SAML Single Sign-On Framework (Release Update)
    Salesforce is upgrading its SAML framework as part of regular maintenance. This update can affect integrations with third-party systems, such as integrations with SAML identity providers and SAML-enabled applications. This update applies to all SAML-based integrations, including Identity for Employees, and Salesforce Customer Identity, including Experience Cloud.
  • Take Charge of Your Identity Experiences with Headless Login and Forgot Password Flows
    Get ready to create identity experiences that are convenient for your customers and partners and consistent with your brand. With new Headless Identity APIs for Login and Forgot Password, you can control the user experience in a third-party app while relying on Salesforce for authentication. Your users log in, access their data, and manage their passwords without leaving your app. Behind the scenes, your Salesforce implementation uses authentication APIs called via an Experience Cloud site to handle authenticating users, authorizing data access, and resetting passwords.
  • Simplify Login to Salesforce Easy with Welcome.salesforce.com and the Environment Switcher
    Log in to Salesforce Easy by using an email address on welcome.salesforce.com. You can use the Environment Switcher dashboard to select the org that you want to open if you can access multiple Salesforce Easy orgs via a single email address.
  • Other Changes in the Salesforce Authenticator Mobile App
    The Salesforce Authenticator mobile app has new device and version requirements.
