These instructions provide a quick overview of the steps you, the Salesforce Administrator, need to take to set up U2F YubiKeys to work with Salesforce within your organization. This guide is intended for IT administrators.
This article applies to:
- YubiKey 4, YubiKey 4 Nano, YubiKey 4C, YubiKey 4C Nano, YubiKey NEO, FIDO U2F Security Key
- Salesforce Winter 2017 Release
- Google Chrome (version 40 or later on ChromeOS, Microsoft Windows, Mac OSX or macOS, or Linux)
Overview of Steps to be Performed
- Setting up My Domain
- Creating a permission set and enabling two-factor authentication
- Allowing U2F tokens
- Testing before you deploy to your users
Setting up My Domain
As a security precaution against transport level attacks, the FIDO U2F protocol declares domain name specificity rules that must be followed for a proper U2F security token implementation. For that reason, you will need to set up a Salesforce My Domain within your Salesforce environment to utilize U2F security keys. A My Domain gives you a Salesforce subdomain such as: https://JohnCompany.my.salesforce.com
If you do not have My Domain set up, review the Salesforce documentation before you continue.
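Added illustration, not from the original article and not Salesforce or Yubico code: a simplified Python model of the domain binding described above, showing why a key registered for the My Domain AppID gives no response for any other domain. Assumptions: HMAC stands in for the token's ECDSA P-256 signature, the `ToyToken` class and its key-handle layout are hypothetical, and the look-alike domain is constructed.

```python
import hashlib
import hmac
import os

def app_param(app_id: str) -> bytes:
    """U2F application parameter: SHA-256 of the AppID supplied by the browser."""
    return hashlib.sha256(app_id.encode()).digest()

class ToyToken:
    """Hypothetical, simplified security key (HMAC instead of ECDSA)."""

    def __init__(self):
        self._secret = os.urandom(32)  # device secret, never leaves the key

    def _cred_key(self, param: bytes, nonce: bytes) -> bytes:
        # Per-credential key depends on the application parameter.
        return hmac.new(self._secret, b"key" + param + nonce, hashlib.sha256).digest()

    def register(self, param: bytes) -> bytes:
        nonce = os.urandom(16)
        tag = hmac.new(self._cred_key(param, nonce), b"handle" + param,
                       hashlib.sha256).digest()
        return nonce + tag  # key handle, stored by the service

    def authenticate(self, param: bytes, key_handle: bytes, challenge: bytes):
        nonce, tag = key_handle[:16], key_handle[16:]
        key = self._cred_key(param, nonce)
        expected = hmac.new(key, b"handle" + param, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # handle was not issued for this AppID: refuse to sign
        return hmac.new(key, param + challenge, hashlib.sha256).digest()

def demo():
    my_domain = "https://JohnCompany.my.salesforce.com"        # example from the article
    lookalike = "https://johncompany.my.salesforce.example"    # constructed
    token = ToyToken()
    handle = token.register(app_param(my_domain))
    challenge = os.urandom(32)
    genuine = token.authenticate(app_param(my_domain), handle, challenge)
    phished = token.authenticate(app_param(lookalike), handle, challenge)
    return genuine is not None, phished is not None

if __name__ == "__main__":
    print(demo())
```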
Creating a Permission Set and Enabling Two-Factor Authentication
A Permission Set, which defines a number of settings and permissions for a user, is used to enable two-factor authentication for a large set of users. While it is possible to attach these two-factor authentication rulesets to a user’s Profile settings instead, a Permission Set provides much more administrative flexibility, as a user may have multiple permission sets. To begin:
- Type “Permission Sets” into the Quick Find text box and click Permission Sets.
- Click New to create a new Permission Set.
- Name your Permission Set in the Label and API Name fields.
- If desired, provide a description for the Permission Set.
- Click Save.
- In the Permission Set Overview page, under the System subcategory, click System Permissions.
- To edit these options, click Edit near the top of the page.
- Locate and select the following checkbox:
  - Two-Factor Authentication for User Interface Logins
- When you have selected the checkbox, scroll back to the top of the page and click Save.
- To assign the Permission Set to a set of users, click Manage Assignments.
- Select Add Assignments.
- Assign the permission set by selecting a particular user, or use the Create New View tool to assist you in selecting a large group.
Allowing U2F Tokens
The Session Settings must be configured to allow U2F Security Keys to be used for two-factor authentication. To begin:
- Type “Session Settings” in the Quick Find search bar and then click Session Settings.
- If My Domain has been set up and deployed properly, a checkbox for Let users use a security key (U2F) will be available. Check this box.
- Scroll further down the page to the Session Security Levels subcategory.
- Ensure Two Factor Authentication is listed under High Assurance.
- Click Save to finalize your settings.
Testing Before You Deploy to Your Users
To confirm proper setup, be sure to test with several users who have been assigned the Permission Set that you configured earlier in this how-to guide. To begin:
- Ask your test user(s) to log in to Salesforce.
- After the user has entered his username and password, he is asked to confirm his identity. TIP: To ensure successful adoption of U2F, we recommend that you reduce the number of options your users can use to verify their identity.
- If the user chose Use a Universal Second Factor (U2F) key, he is asked to register a security key (YubiKey).
- The user should finish the self-registration process.