Salesforce.com gone phishing

Salesforce.com makes 2FA security a Catch-22 choice for SMEs

The Salesforce.com phishing incident should not come as a surprise to anyone. The growing popularity of the SaaS model means that providers like Salesforce.com, NetSuite and Oracle are managing increasingly sensitive business applications and data for more and more high profile customers. It's too big a honeypot for the Internet Underworld to ignore.

It's really positive that Salesforce.com are now recommending the use of two-factor authentication (2FA) to secure the login to their service, but there is one major flaw: to replace their basic password with a 2FA process you need to enable their 'Single Sign-On (SSO) function. Unfortunately this SSO function is limited in the Salesforce.com Professional Edition - the SME version which is used by the vast proportion of their customer base.

For these customers, SSO is a 'global setting' so it is either 'on' or 'off' for all users. This means that if 2FA tokens are to be deployed - they have to be issued to every single Salesforce.com user; which can be simply too costly.

So for all Pro Edition customers, in order to follow Salesforce.com's security advice, they have an costly Catch-22 choice: either upgrade to the more expensive Enterprise Edition or give everyone 2FA whether they need it or not.

It's a fallacy that only big companies use 2FA, we have hundreds of customers of all sizes using our fully managed two-factor Secure Authentication Service, some with just a handful of users.

It is frustrating that our customers cannot extend the use of their tokens to secure their Salesforce.com accounts too. If Salesforce.com were to make SSO a 'per user' setting on Pro Edition, this would show that they are committed to helping all customers improve their security.

John Stewart

Founder

Signify - The Secure Authentication Service