Customer Trust is our highest priority at Salesforce and Heroku. It’s more important than ever to implement stronger security measures in light of increasing security threats that could affect services and apps that are critical to businesses and communities.
We’re pleased to announce that all Heroku customers can now take advantage of the security offered by Multi-Factor Authentication (MFA). We encourage you to check out these new MFA features and add another layer of protection to your account by enabling MFA.
As we announced in February 2021, all Salesforce customers are required to enable MFA starting Feb 1, 2022. There’s no reason to wait – it takes a couple of simple steps to enable MFA when prompted on your next login or from your Account Settings.
You may already be familiar with Heroku 2FA using TOTP-based code generator apps. Like 2FA, MFA requires an additional verification method after you enter your password. To meet your needs, we support several types of strong verification methods.
You can take advantage of push notifications and automatic verification from trusted locations for fast, frictionless MFA using Salesforce Authenticator as a verification method. You can also use WebAuthn security keys and on-device biometrics as verification methods. TOTP-based code generator apps are also available. You don’t even need to limit yourself to just one type of verification method – use recovery codes or additional verification methods to always have a backup.
We are no longer offering SMS as a verification method for MFA due to security risks associated with the use of SMS. If you had enabled Heroku 2FA in the past using a code generator app, you don’t need to take any further action to enable MFA. Your code generator app and any recovery codes will continue to work as MFA verification methods. Previously configured 2FA backup phone numbers will be usable for a limited time.
Check out Dev Center for additional details about MFA.
As part of our ongoing security improvements, we are changing how long users can stay logged in on the Heroku Dashboard. Starting in April 2021, all users who are not using SSO will be required to log in every 12 hours.
As always, SSO-enabled users need to log in through their identity provider every 8 hours.
Keep an eye on this space for more news in the coming months as we make it easier to use MFA for your teams and continue to make other improvements.
As always, we’d love to hear from you.