Overview
Practifi is built on the Salesforce platform, and as your technology partner, we work diligently to ensure any Salesforce enhancements and changes are well understood in advance. Salesforce has announced their intention to make enabling multi-factor authentication (MFA) mandatory. Many Practifi clients have already enabled this feature as part of their security protocols to protect sensitive client information, maintain compliance standards, and safeguard firm operations.
If you are unsure whether this feature is enabled, this article outlines the future impacts on your users and security configurations.
- About MFA
- Upcoming Changes
- MFA Recommendations
- Enabling MFA in Your Practifi Organization
- Handling Lost or Replaced Devices
About MFA
MFA adds another layer of security to your login process by requiring users to enter two or more pieces of evidence—or factors—to prove they are who they say they are. The first factor is the username and password. The second factor is an authenticator app, which can be installed on a user’s mobile device.
For wealth management firms, MFA helps protect client portfolios, personal financial data, and confidential documents from unauthorized access while supporting regulatory compliance requirements.
Upcoming Changes
Salesforce began MFA enforcement in their May/June 2023 release. Until that point, System Administrators in Practifi could disable MFA in Settings, because only auto-enablement of MFA occurred in January, not MFA enforcement.
What happens after MFA is auto-enabled
After MFA is auto-enabled in your organization, users are prompted to provide a verification method in addition to their username and password each time they log in to Practifi. Verification methods include authentication apps, security keys, and built-in authenticators like Windows Hello or Touch ID. Users who haven't registered a method will be guided through the simple registration process at their next login.
Grace period
There is a 30-day grace period where users can skip registration and log in to Practifi without using MFA. The grace period begins on the day MFA is auto-enabled in your organization, and the same 30-day window applies to all users of the Practifi organization.
After MFA enforcement
When MFA enforcement occurs in Salesforce’s release, System Administrators will not be able to turn off the “Require multi-factor authentication (MFA) for all direct UI logins to your Salesforce org” setting. Users will receive an MFA challenge each time they log in directly with their username and password and must complete it. Users who weren’t already using MFA will be prompted to register for it when they log in and will not be able to access their Practifi account until they do so.
MFA Recommendations
There are many options for multi-factor authentication. You may already have a firm-wide approach that includes authenticator apps provided by Salesforce or third parties, physical keys, or authenticators built into your device’s operating system, such as Touch ID.
At this time, we highly recommend the Salesforce Authenticator App. The Salesforce Authenticator App is available for Android and iOS devices and offers the following benefits:
- End users can click Approve on the push notification instead of typing in the rotating code, reducing friction during client meetings and time-sensitive workflows.
- We believe this app is most likely to stay aligned and compatible with future authentication changes to the Salesforce platform.
Please note: Users are not required to use the Salesforce Authenticator app. Furthermore, not all users in your organization must use the same authenticator app. Authenticator requirements are left up to your firm’s discretion based on your security policies and compliance needs.
Enabling MFA in Your Practifi Organization
To enable MFA in your organization, Practifi Administrators can add the MFA Permission Set (Practifi - Login - Enforce two-factor authentication) to each user. For assistance with managing permission sets, please review our Adding and Removing User Permissions article.
This Salesforce Help article will guide you through the steps to enable multi-factor authentication (MFA) in your Practifi organization.
If you need assistance, contact us via the Practifi Success Portal, and our team will guide you through the implementation process to ensure a smooth rollout across your organization.
Handling Lost or Replaced Devices
If a user loses the device they use for MFA or gets a new device, it is recommended that they disconnect the previous verification method and then re-register. This ensures uninterrupted access to client information and firm systems.
Please refer to the Salesforce documentation on disconnecting and registering verification methods for step-by-step instructions.