Securing Salesforce Account

Access with MFA and SSO

June 8, 2021
Forward-Looking Statement
Statement under the Private Securities Litigation Reform Act of 1995:
This presentation contains forward-looking statements about the company’s financial and operating results, which may include expected GAAP and non-GAAP financial and other
operating and non-operating results, including revenue, net income, diluted earnings per share, operating cash flow growth, operating margin improvement, expected revenue
growth, expected current remaining performance obligation growth, expected tax rates, the one-time accounting non-cash charge that was incurred in connection with the
Salesforce.org combination; stock-based compensation expenses, amortization of purchased intangibles, shares outstanding, market growth and sustainability goals. The
achievement or success of the matters covered by such forward-looking statements involves risks, uncertainties and assumptions. If any such risks or uncertainties materialize or if
any of the assumptions prove incorrect, the company’s results could differ materially from the results expressed or implied by the forward-looking statements we make.
The risks and uncertainties referred to above include -- but are not limited to -- risks associated with the effect of general economic and market conditions; the impact of geopolitical
events; the impact of foreign currency exchange rate and interest rate fluctuations on our results; our business strategy and our plan to build our business, including our strategy to
be the leading provider of enterprise cloud computing applications and platforms; the pace of change and innovation in enterprise cloud computing services; the seasonal nature of
our sales cycles; the competitive nature of the market in which we participate; our international expansion strategy; the demands on our personnel and infrastructure resulting from
significant growth in our customer base and operations, including as a result of acquisitions; our service performance and security, including the resources and costs required to
avoid unanticipated downtime and prevent, detect and remediate potential security breaches; the expenses associated with new data centers and third-party infrastructure
providers; additional data center capacity; real estate and office facilities space; our operating results and cash flows; new services and product features, including any efforts to
expand our services beyond the CRM market; our strategy of acquiring or making investments in complementary businesses, joint ventures, services, technologies and intellectual
property rights; the performance and fair value of our investments in complementary businesses through our strategic investment portfolio; our ability to realize the benefits from
strategic partnerships, joint ventures and investments; the impact of future gains or losses from our strategic investment portfolio, including gains or losses from overall market
conditions that may affect the publicly traded companies within the company's strategic investment portfolio; our ability to execute our business plans; our ability to successfully
integrate acquired businesses and technologies, including delays related to the integration of Tableau due to regulatory review by the United Kingdom Competition and Markets
Authority; our ability to continue to grow unearned revenue and remaining performance obligation; our ability to protect our intellectual property rights; our ability to develop our
brands; our reliance on third-party hardware, software and platform providers; our dependency on the development and maintenance of the infrastructure of the Internet; the
effect of evolving domestic and foreign government regulations, including those related to the provision of services on the Internet, those related to accessing the Internet, and
those addressing data privacy, cross-border data transfers and import and export controls; the valuation of our deferred tax assets and the release of related valuation allowances;
the potential availability of additional tax assets in the future; the impact of new accounting pronouncements and tax laws; uncertainties affecting our ability to estimate our tax
rate; the impact of expensing stock options and other equity awards; the sufficiency of our capital resources; factors related to our outstanding debt, revolving credit facility, term
loan and loan associated with 50 Fremont; compliance with our debt covenants and lease obligations; current and potential litigation involving us; and the impact of climate change.
Further information on these and other factors that could affect the company’s financial results is included in the reports on Forms 10-K, 10-Q and 8-K and in other filings it makes
with the Securities and Exchange Commission from time to time. These documents are available on the SEC Filings section of the Investor Information section of the company’s
website at www.salesforce.com/investor.
Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements, except as required by law.
Logistics and FAQ

How can I ask a question?

Please ask Zoom Q&A widget -- we will respond
to as many as we have time for!

Will this be recorded?

Yes.
Where can I watch the recording?
We’ll send an email a day or two after this
presentation
Where can I download the presentation?
You’ll get a link in your inbox

Where can I go to get more information?

Register for the Ask an Expert session on June
22
Your Guides

Ben Felsing Mat Hamlin Anne Crawford Adam Rosenzweig

Customer Success Manager Sr. Director of Product Management Manager, Customer Senior Manager, Product Impact
Adoption Programs Okta
Agenda

Introduction to MFA with Salesforce

Your MFA Journey

Demo: Set Up MFA and Monitor User Adoption

SSO & MFA with Okta

Resources

Q&A
 At Salesforce, we understand that the confidentiality,
integrity, and availability of your data is vital to your business,
and we take the protection of your data very seriously. As
security threats grow increasingly common, it’s essential to
implement stronger measures of security to protect your
customers and your business.
Protecting Data is a Partnership

Salesforce Customer
Salesforce Customer
Prepare customers for an Adopt the latest security
evolving threat landscape. controls and features
available.
Provide solutions that
enable the customer to Continually monitor user
keep their data secure. behaviors and event logs.

Educate customers on the Protect sensitive customer

need and options for data in alignment with
enhanced security. compliance standards.
Introduction to MFA
Multi-Factor Authentication (MFA) Requirement
Starting February 1, 2022, Salesforce will begin requiring customers to use
MFA in order to access Salesforce products through the user interface.

How can customers satisfy the MFA requirement?

To ensure that MFA is enabled for all your internal Salesforce users, you can:

Turn it on directly in your Salesforce products, or

Use your SSO provider’s MFA service

Enhance the Security of Your Business
Secure user accounts with Multi-Factor Authentication (MFA)

MFA

Something you know Something you have

Login Credentials Authenticator App Enabling MFA is one of the
Security Key easiest, most effective
actions you can take to
help secure your org(s)
How MFA Helps Prevent Common Attacks
MFA can prevent some of the most prevalent types of attacks

Attacker sends an Phishing, vishing, smishing

email to the target
Spear phishing
Keyloggers

Attacker collects Target clicks on the Credential stuffing

target's email which goes
username/password to a phishing
Brute force attacks
Phishing website
Website Man-in-the-middle (MITM)
attacks

Attacker denied
access to target's
account thanks to
MFA
 MFA and Other Authentication Methods

Device Activation* MFA Single Sign-On (SSO)

Verify logins from new devices Secure your accounts Secure your apps

Logins from unrecognized Every login Log in once to access

browsers or applications multiple apps
Requires a strong verification
Requires a verification method to verify identity Reduces password-related
risks
method to verify identity

* Available in Marketing Cloud—Email, Mobile, & Journeys and

products built on the Salesforce Platform
Required: MFA
Easiest user experience: MFA and SSO
Clouds that Support MFA Today
As of Spring ‘21

Sales Cloud MuleSoft Marketing Cloud Industries Products

Audience Studio Consumer Goods Cloud

Service Cloud Platform
Education Cloud
Datorama
Analytics Cloud Heroku
Email, Mobile, & Financial Services Cloud
Journeys
Experience Cloud Government Cloud
Pardot
Salesforce Health Cloud
Anywhere/Quip Commerce Cloud Social Studio
Manufacturing Cloud
Salesforce Essentials B2B Commerce
Nonprofit Cloud
Salesforce Field
B2C Commerce
Service Philanthropy Cloud
Strong Verification Methods for MFA
Salesforce supports these types of verification methods

Salesforce Third-Party Security Keys Not Supported

Authenticator Authenticator SMS (Text) verification
Mobile App Apps Phone call verification
Email verification

x x
Fast Such as: Such as:
free authentication Okta Verify Yubico’s YubiKey
sfdc.co/IntrotoAuthenticator Google Authenticator Google’s Titan Security Key
Microsoft Authenticator
Authy
Salesforce Authenticator
Fast, frictionless, free authentication
Salesforce Authenticator is a mobile app that can be used
with MFA in your Salesforce org or tenant, driving a seamless
user experience for your end users.

Salesforce Authenticator tells the user:

● What action needs to be approved
● What user is requesting the action
● From which service is the requested action coming
● What device the user is using
● From what location would the user approve or deny this request

With this information, the user can simply tap the "Approve"
or "Deny" button to execute the decision, completing
authentication quickly as part of their login process.
Third-Party Authenticator Apps
Salesforce supports any authenticator app that generates temporary
codes based on the OATH time-based one-time password (TOTP)
algorithms (specified in RFC 6238).

To log in with this type of verification method, get a code from the
app, then enter that code during the Salesforce login process.

TOTP apps don’t require a data or internet connection.

Widely-Used Apps

Microsoft Authy Google

Authenticator Authenticator
Security Keys
Easy-to-use hardware solution provides an
Supported form factors:
alternative to mobile app verification methods
USB-A, USB-C, Lightning, NFC*
● Works out of the box — no software to install
● Strong public-key cryptography that’s bound to a Supported browsers for WebAuthn keys:
user’s account and the Salesforce domain Chrome, Edge, Firefox, Safari
● Resistant to malware and man-in-the-middle attacks
Supported browsers for U2F keys:
Chrome, version 41 or later
Logging in with a security key is simple
● Connect a security key to the computer Products that support security keys:
● Press the key’s button to verify your identity ● Products built on Salesforce Platform**
● B2C Commerce Cloud
Use any security key that’s compatible with the FIDO U2F or ● Marketing Cloud—Email, Mobile, &
WebAuthn (FIDO2) standards, including Yubico’s YubiKey or Journeys
Google’s Titan Key.

* NFC devices are currently supported in B2C Commerce Cloud, Marketing Cloud—Email,
Mobile, & Journeys, MuleSoft Anypoint Platform, and Quip sites only.
** Products built on the Salesforce Platform support U2F-compatible keys only.
How to Prepare for
and Roll Out MFA
The Recommended Path to MFA

Manage
Collect feedback and monitor
adoption metrics
Get Ready
Troubleshoot issues and support
Evaluate business and user users
Roll Out
requirements Optimize your overall security
Inventory users, roles, and Kick off change management strategy
permissions activities

Plan rollout, change management, Distribute verification methods

and support strategies to users
Enable MFA
Help users register and log in
with a verification method
Meet the Multi-Factor Authentication Assistant
Your central hub for delivering MFA to your users

Available from Setup in Lightning Experience,

the Assistant guides you through a
recommended process for a successful MFA
rollout. Step-by-step guidance is divided into
three phases for easier manageability.

Use the Assistant as a checklist

for tracking completed tasks
and overall progress.

Each step includes

supporting resources or
tools to help you take
action.
 Demo #1
Set Up MFA for Sales Cloud
 Demo #2
How to Monitor User Adoption
SSO & MFA
with Okta
 Okta for Good
You’re on a mission.
We’re here to help.

© Okta and/or its affiliates. All rights reserved. Okta Confidential

Okta enables anyone to safely use any technology
 © Okta and/or its affiliates. All rights reserved. Confidential Information of Okta – For Recipient’s Internal Use Only

© Okta and/or its affiliates. All rights reserved. Okta Confidential 26

 Okta Single Sign-on (SSO)
• Every app, one screen
• Seamless user experience
• Reduce “helpdesk” calls

© Okta and/or its affiliates. All rights reserved. Confidential Information of Okta – For Recipient’s Internal Use Only

© Okta and/or its affiliates. All rights reserved. Okta Confidential 27

 7,000+ pre-built integrations

No building, no coding.

© Okta and/or its affiliates. All rights reserved. Confidential Information of Okta – For Recipient’s Internal Use Only

© Okta and/or its affiliates. All rights reserved. Okta Confidential 28

 Give your users a first-class experience
Easy to configure Fully customizable

© Okta and/or its affiliates. All rights reserved. Confidential Information of Okta – For Recipient’s Internal Use Only

© Okta and/or its affiliates. All rights reserved. Okta Confidential 29

 Okta Multi-factor Authentication (MFA)

© Okta and/or its affiliates. All rights reserved. Confidential Information of Okta – For Recipient’s Internal Use Only

© Okta and/or its affiliates. All rights reserved. Okta Confidential 30

50 free licenses

© Okta and/or its affiliates. All rights reserved. Confidential Information of Okta – For Recipient’s Internal Use Only
Pick your factor(s)

Mobile authenticators U2F Tokens Biometrics

© Okta and/or its affiliates. All rights reserved. Confidential Information of Okta – For Recipient’s Internal Use Only
Your deployment path
No MFA
− Foregoing baseline security
− Leaves the organization
vulnerable to the most common
threats
Okta Adaptive MFA
− Contextual access policies
− Device security posture checks
− Risk-based policies
Okta MFA − Passwordless
− Supports a variety of factors
− Flexible enrollment policies
− Enforce across different resource
types including cloud apps,
on-prem apps, servers, VPNs, and
custom apps
© Okta and/or its affiliates. All rights reserved. Confidential Information of Okta – For Recipient’s Internal Use Only
Okta for Nonprofits
● 50 free licenses for all Workforce Identity products (incl. SSO and A/MFA)

● 50% off additional products, licenses, and instructor-led training

● Eligibility for Pro Bono Professional Services

okta.com

© Okta and/or its affiliates. All rights reserved. Confidential Information of Okta – For Recipient’s Internal Use Only
Learn More About MFA
Take security to the next level

MFA for Salesforce MFA Admin Rollout Launch MFA to Your MFA Trailblazer
Site Guide (eBook) Users (Video) Community (Group)

Join the MFA discussion in the MFA - Getting Started Trailblazer Community
Expert Volunteers to Help You Adopt MFA
Leverage the Salesforce.org Pro Bono Program!

Schedule a free 90-minute consultation with an expert to help your organization

Enable Multi-Factor Authentication. Learn, get enabled on resources and best
practices, and plan for rollout!

To Get Started:
1. Submit an application here: www.salesforce.org/probono
2. When completing the application, choose the Data Security Design project
type and title your project MFA Adoption Support
3. In the Employee Referral field, list Ben Felsing and his
email address bfelsing@salesforce.com
4. Once submitted, you’ll be matched with an expert
to schedule your consultation call
Questions?