Test Automation and Salesforce MFA – don’t worry, we’ve got you covered!

By Orly Shectman,

MFA – Multi-Factor Authentication requires users to validate their identity with two or more forms of evidence: something they know, such as their username and password combination, plus something they have, such as a verification method in their possession. While a password may be compromised, it’s improbable that a bad actor can also access a robust verification method like a security key or an authenticator app.

Salesforce has set February 1, 2022, as the start date for enforcing multi-factor authentication (MFA) compliance. Salesforce’s product terms of service reflect this requirement.

Salesforce’s MFA exceptions

Not all customers will be ready for MFA, so Salesforce will initially permit administrators to disable it. However, this is only a temporary workaround that Salesforce expects to remove by the Fall of 2022. 

Initially, Salesforce will not require MFA for sandboxes, but it is highly recommended. There are even exceptions to this exception! Salesforce B2C Commerce Cloud will require MFA for sandboxes. In addition, Marketing Cloud doesn’t use sandboxes and will require MFA for all orgs, even those used only for testing.

However, when Salesforce fully enforces MFA for its products, it will become a permanent part of the product’s login process for all direct logins, removing the option for admins to disable MFA.

MFA and the challenge of running automated Salesforce tests

Before the Salesforce MFA enforcement, automated tests that required a login to Salesforce could typically use a username and password. More complicated login scenarios that required an email verification code could be automated by grabbing the code from the email and passing it to the login field. If you are testing in a sandbox exempted from MFA, Testim for Salesforce will continue to support these methods. 

However, multi-factor authentication complicates test automation login scenarios, requiring a more sophisticated approach.

Delivering one-time passcodes via email messages, text messages, or phone calls isn’t allowed, because these methods are inherently vulnerable to interception, spoofing, and other attacks. Your test automation approach will therefore need to support one of the following methods to comply with the MFA security requirements:

  1. Mobile authenticator: You can authenticate with apps that generate temporary codes based on the OATH time-based one-time password (TOTP) algorithm. Many apps are available, including Salesforce Authenticator, Google Authenticator™, Microsoft Authenticator™, and Authy™.
  2. Salesforce connected application: If you have a connected app installed in your org, you can manage access to it. Configure permissions and policies for the app, explicitly defining who can use the connected app and from where they can access it. These permissions and policies, including user access, IP range restrictions, and multi-factor authentication (MFA), provide extra security. This option requires considerable administrative configuration.
  3. Security keys: These are physical devices that are easy to use because there’s nothing to install and no codes to enter. Security keys are a great solution if mobile devices aren’t an option for your users. Salesforce supports USB, Lightning, and NFC keys that implement the WebAuthn or U2F standards, including Yubico’s YubiKey™ and Google’s Titan™ Security Key.

For applications that plan to support MFA via software (not a security key), selecting a mobile authenticator is the most common and straightforward option and requires minimal administration.

Smooth automatic login using a mobile authenticator

A successful login is a gate to the actual business flow you want to validate. Investing a lot of effort to automate the login to Salesforce means you’ll have less time to spend on the business flow.

One of the major advantages that Testim for Salesforce provides is the ability to select a predefined test step that embeds the login logic. The Testim for Salesforce auto-login step now includes specifying how to handle MFA with a mobile authenticator.

Testim for Salesforce supports an MFA login via a mobile authenticator using the following simple flow:

  1. Administration: First, the user needs to install an authenticator application on their mobile device. The administrator will need to connect the Salesforce user to the authenticator application.

These steps are required regardless of test automation and apply to every user who needs to log in to Salesforce with MFA via a mobile authenticator.

  2. Testim: Select the auto-login predefined step we provide and indicate that you want to use MFA to log in. Provide Testim with the one-time secret key that was generated when you registered your mobile authenticator app.

Testim then securely saves the secret key in its database, ready to be used later when the login step is executed.

That’s it – you are set! Run your test and smoothly log in to your Salesforce account. 
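To show what the auto-login step has to do with the stored secret key at execution time, here is an added example (not Testim’s or Salesforce’s code) of the OATH TOTP algorithm that the mobile authenticator apps listed above implement. The base32 secret format, function names and the time values are assumptions or RFC 4226/6238 test vectors, not values from this page; the harness-side “wait for the next window” check is an added edge-case handling, not a documented Testim behaviour.

```python
import base64
import hashlib
import hmac
import struct
import time


def decode_base32_secret(secret: str) -> bytes:
    """Decode a base32 secret as authenticator apps expect it (assumed format).

    Spaces and letter case are ignored and missing '=' padding is restored.
    The decoded bytes are a credential: load them from a secret store, never
    from test source or logs.
    """
    cleaned = secret.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, now=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    now = time.time() if now is None else now
    return hotp(key, int(now // step), digits)


def seconds_remaining(now=None, step: int = 30) -> int:
    """Seconds left before the current code rolls over to the next one."""
    now = time.time() if now is None else now
    return step - int(now % step)


def login_code(secret: str, now=None, min_remaining: int = 5, step: int = 30):
    """Return (code, wait_seconds) for a login harness.

    If the current window is about to expire, the returned code is the one for
    the next window and wait_seconds says how long to sleep before typing it,
    so the code is never submitted in its last few seconds and rejected as stale.
    """
    key = decode_base32_secret(secret)
    now = time.time() if now is None else now
    remaining = seconds_remaining(now, step)
    if remaining < min_remaining:
        return totp(key, now + remaining, step), remaining
    return totp(key, now, step), 0
```

A harness would call `login_code(secret_from_vault)`, sleep for `wait_seconds`, and only then type the code into the Salesforce verification field.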

For more information about Salesforce MFA compliance, please read the following link:

https://security.salesforce.com/mfa