Last Updated on June 1, 2022 by Rakesh Gupta
Two-factor authentication is a security process in which the user provides two means of identification: typically a normal user credential (something the user knows, such as a password) plus a second factor the user possesses, such as a one-time security code delivered to a device or mailbox the user controls. You can enable Salesforce's built-in two-factor authentication for users by granting the Two-Factor Authentication for User Interface Logins permission through a Profile or a Permission Set.
Objectives:
After reading this blog, you’ll be able to:
- Understand what two-factor authentication is
- Build custom two-factor authentication using Flow
- Use Flow to send an email
- Set up a Login Flow
Business Use Case
Warren Mason is a System Administrator at Gurukul on Cloud (GoC). He received a requirement to implement two-factor authentication for Partner Community users who have the profile Partner Community User Clone.
What is Two-factor Authentication?
Two-factor authentication, or 2FA, is an extra layer of protection for online accounts beyond a username and password: a stolen or guessed password alone is no longer enough to sign in. It protects both the user's credentials and the resources the user can access.
Automation Champion Approach (I-do):
Usually, with Salesforce, multiple approaches are available to solve a business requirement. Choose the ones that are simple, straightforward, and consume fewer resources.
Let us solve this scenario using Flow and Login Flow – as this business case involves adding a second factor of authentication after the username and password verification. Before diving further, let me show you a diagram of a Process Flow at a high level. Please spend a few minutes to go through the following Flow diagram and understand it.
Let’s begin building this automation process.
Guided Practice (We-do):
There are 7 steps to solve Warren's business requirement using Salesforce Flow. We must:
- Create a formula in the Flow to generate the security code (this example derives it from the current date/time)
- Store the security code in a variable
- Send the security code to the user via email
- Allow the user to enter the security code
- Validate the security code
- Add a screen to display a failure message
- Set up a Login Flow
Step 1: Create a Formula
- Click Setup.
- In the Quick Find box, type Flows.
- Select Flows, then click New Flow.
- Select the Screen Flow option and click Create.
- Navigate to the Manager tab and click New Resource.
- Select Formula as the Resource Type, then enter an API Name (the Assignment in Step 2 refers to this resource as VarNCode) and a Description.
- Select Number as the Data Type.
- Use the following formula. It takes the HH:MM:SS portion of the current date/time (text() renders it in GMT), strips the colons and converts the result to a number, so 14:30:22 becomes 143022:
- Value(SUBSTITUTE(LEFT(RIGHT(text( {!$Flow.CurrentDateTime} ),9),8), ":", "" ))
- Click Done.
A code derived from the clock is guessable by anyone who knows roughly when the login happened, so this formula is fine for learning the Login Flow mechanics but not as a production second factor; there, generate the code from a random source instead (for example an Apex invocable action that calls Crypto.getRandomInteger()).
Step 2: Store Code (Formula value) in a Variable
- Create a Number variable named VarNSecurityCode to hold the security code. A formula resource is recalculated every time it is referenced, so the value emailed in Step 3 and the value compared in Step 5 could differ; copying it into a variable once freezes it for the rest of the flow.
- Navigate to the Elements tab and drag-and-drop an Assignment element onto the Flow designer.
- Enter a Label; the API Name will auto-populate.
- Set Variable Values:
- Row 1:
- Variable: {!VarNSecurityCode}
- Operator: Equals
- Value: {!VarNCode}
- Click Done.
Step 3: Email Security Code
- Create a Text formula named ForTLoggedInUserEmail that returns the logged-in user's email address, such as {!$User.Email}.
- Navigate to the Elements tab and drag-and-drop an Action element onto the Flow designer.
- Select the Send Email core action.
- Enter a Label; the API Name will auto-populate.
- Set Input Values:
- Row 1:
- Body: Here is your security code {!VarNSecurityCode}
- Subject: Security Code – Salesforce
- Email Addresses (comma-separated): {!ForTLoggedInUserEmail}
- Click Done.
Step 4: Screen to enter the Security Code
- Drag-and-drop a Screen element onto the Flow designer.
- Enter a Label; the API Name will auto-populate.
- On the Screen element, navigate to the Input section and double-click the Number field to add it to the Screen element.
- Enter a Label; the API Name will auto-populate (the Decision in Step 5 refers to this field as Security_Code).
- Make sure to select the Require checkbox.
- Click Done.
Step 5: Validate Security Code
- Drag-and-drop a Decision element onto the Flow designer.
- Enter a Label; the API Name will auto-populate.
- On the first outcome, enter a Label; the API Name will auto-populate.
- When to Execute Outcome: All Conditions Are Met
- Row 1:
- Resource: {!VarNSecurityCode}
- Operator: Equals
- Value: {!Security_Code}
- Click Done.
- The matched outcome ends the flow; connect the Default Outcome to the error screen from Step 6.
Keep in mind that a Login Flow that reaches its end lets the login proceed, so the mismatch path must not simply end after showing the message: either connect the error screen back to the screen from Step 4 so that the user cannot continue without the correct code, or set the LoginFlow_ForceLogout output variable to true on that path to end the session.
Step 6: Screen to display code Mismatched Error
- Drag-and-drop a Screen element onto the Flow designer.
- Enter a Label; the API Name will auto-populate.
- On the Screen element, navigate to the Display section and double-click the Display Text field to add it to the Screen element.
- Enter an API Name.
- Use the rich-text editor to add the mismatch message; it can contain text, images, URLs, etc.
- Click Done.
Once you're done, save the flow, name it Two Factor Authentication, and activate it by clicking the Activate button.
Step 7: Set up a Login Flow
- Click Setup.
- In the Quick Find box, type Login Flows.
- Select Login Flows, then click New.
- Select Flow as the Type.
- Enter Two-Factor Authentication as the Name.
- Next, select the Flow (Two Factor Authentication), the User License, and the Profile (Partner Community User Clone), as shown in the following screenshot:
- Click Done.
Assign the Login Flow only to the profile that needs it and test it with a user of that profile. Do not assign it to the System Administrator profile, and keep at least one administrator outside it: if the flow is later deactivated or breaks, every user on the assigned profiles is locked out, as several of the comments below describe.
It's time to test the Login Flow.
Now, when a user with the profile Partner Community User Clone logs in successfully with a username and password, they are taken to our Flow to complete the two-factor authentication process.
Enter the security code from the email into the screen's input field and click Next, as shown in the following screenshot:
If the security code matches, the user is redirected into Salesforce (i.e. the Partner Community); otherwise the error message is displayed.
To limit the number of unsuccessful attempts, you can add a subflow that freezes the user's account after three or more failed attempts. Check out the more advanced Login Flow use case here.
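To make the security properties of the steps above concrete, here is an added example that is not code from this post or from Salesforce; it is written in Python rather than as Flow elements, and the class and function names are hypothetical. It reproduces the Step 1 formula to show how few guesses a clock-derived code leaves an attacker, then models a hardened version of Steps 2 to 6: a code from a cryptographically secure random source, an assumed five-minute validity window, single use, and the freeze after three failed attempts suggested above. In Salesforce the random code would come from an Apex invocable action calling Crypto.getRandomInteger(), and the expiry and attempt counters would live on a record rather than in memory.

```python
import hmac
import secrets
from datetime import datetime, timedelta, timezone


def formula_code(now: datetime) -> int:
    """Reproduces the post's Step 1 formula: the HH:MM:SS part of the
    current date/time with the colons removed, so 14:30:22 becomes 143022
    (leading zeros vanish once VALUE() turns it into a number)."""
    return int(now.strftime("%H%M%S"))


def formula_code_candidates(approx_login: datetime, slack_seconds: int) -> set:
    """Every code the Step 1 formula could have produced if the login happened
    within +/- slack_seconds of approx_login. Its size is the number of guesses
    an attacker who saw the login needs: 61 for a 30-second window, versus
    1,000,000 for a random six-digit code."""
    return {
        formula_code(approx_login + timedelta(seconds=offset))
        for offset in range(-slack_seconds, slack_seconds + 1)
    }


def random_code(digits: int = 6) -> str:
    """Unguessable code from the OS CSPRNG, zero-padded so every code has the
    same length (a Number resource would silently drop the leading zeros)."""
    return f"{secrets.randbelow(10 ** digits):0{digits}d}"


class EmailedCodeFactor:
    """Hypothetical server-side state for one user's second factor. In the
    Flow this would be a record; here it is kept in memory for the example."""

    TTL = timedelta(minutes=5)   # assumed validity window
    MAX_ATTEMPTS = 3             # the post suggests freezing after three failures

    def __init__(self, clock=lambda: datetime.now(timezone.utc)):
        self.clock = clock                 # injectable so tests can move time
        self.code = None
        self.expires_at = None
        self.failed_attempts = 0
        self.locked = False

    def issue(self) -> str:
        """Generate a fresh code and return it for delivery (Step 3's email).
        The failure counter is deliberately not reset here, so re-requesting
        a code does not buy more guesses."""
        self.code = random_code()
        self.expires_at = self.clock() + self.TTL
        return self.code

    def verify(self, submitted: str) -> str:
        """Step 5's comparison plus the checks the Decision element lacks.
        Returns 'ok', 'expired', 'mismatch' or 'locked'."""
        if self.locked:
            return "locked"
        if self.code is None or self.clock() > self.expires_at:
            self.code = None
            return "expired"
        # constant-time comparison on bytes, tolerant of non-ASCII input
        if hmac.compare_digest(self.code.encode(), submitted.strip().encode()):
            self.code = None               # single use
            self.failed_attempts = 0
            return "ok"
        self.failed_attempts += 1
        if self.failed_attempts >= self.MAX_ATTEMPTS:
            self.locked = True             # the account freeze from the post
            self.code = None
            return "locked"
        return "mismatch"
```

The two generators are the point of contrast: formula_code_candidates shows that an observer who knows the login minute has about sixty guesses against the Step 1 code, while random_code gives a million equally likely values, and EmailedCodeFactor.verify adds the expiry, single-use and lockout checks that the Decision element in Step 5 does not perform on its own.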
Great! You are done! Feel free to modify it based on your business requirement.
Formative Assessment:
I want to hear from you!
What is one thing you learned from this post? How do you envision applying this new knowledge in the real world?
Let me know by Tweeting me at @automationchamp, or find me on LinkedIn.
Can this just be used to invoke a flow from a button? For example, I am looking to hide sensitive information such as customer account passwords; this can be accessed by clicking a button and launching the flow above. I have currently set up your flow to do this, which is great; however, I have noticed that when I log in to Salesforce the flow is automatically invoked. How do I stop this, or can I stop this?
I don’t understand your question correctly, but launching a flow from the button or quick action is possible. Check out this Trailhead module for more step-by-step guidance.
Hi Rakesh
Is the security code expiration time the same as Salesforce's, 1 to 24 hours, or can we customize the timing in the flow?
Unfortunately, the code is valid for the same transaction, as I don’t store it. But if you want to put a time limit, you may want to hold it in SF.
Says the formula isn't valid.
I just tried, and it worked for me. Feel free to share your formula
Hi
As per this link https://developer.salesforce.com/index.php?title=Login-Flows&oldid=104051, we have created two-factor authentication on our org but it is not working on IE11. It works with all other browsers but not IE11.
Please reach out to Salesforce support, as it is a browser-specific issue.
Hi @Rakesh,
Our two-factor authentication using login flow is also not working with IE11, so can you please suggest how to resolve this issue?
Please reach out to Salesforce support, because these are browser-specific issues.
Hi @Rakesh,
Appreciate your quick efforts and response. However, this issue is in my dev org and Salesforce does not support developer org related issues. And I mistakenly implemented that login flow for the System Admin profile. Is there any workaround to get this fixed? It would be a savior for me.
Thanks
Sorry, there is not a workaround for this that I am aware of.
You can always raise a case from paid org (to unlock your developer org) or reach out to Salesforce support on Twitter.
Hi Rakesh,
I have gotten myself stuck on an issue here. I created the flow and it worked all fine. But when I deactivated the flow, it no longer allows me to log in to my dev org and every time it gives me the same error: "No active version of the flow exist. Please contact your System Admin".
Please help
Thanks
Sorry to hear about it. The one and only solution is to open a case with Salesforce.com support or reach out to your Salesforce org administrator.
Hi
We are trying to implement this solution but get an error message when looking up a record that is not created yet.
Did you encounter the same error? If so, how did you solve it?
Thanks
You have to create the record first, then use Record Lookup.
Hi Rakesh, is there any way to send a random number to mobile instead of mail, without using third-party vendor software like Yubiko GIILO?
Yes, using third-party tools as you mentioned above.
Hi Rakesh,
When I implemented the above flow in my sandbox org, it's working. But when the flow steps are completed, it redirects to the home page and an error message "Invalid Page redirection" is showing. Could you please help me to solve this issue?
If you are using the "LoginFlow_FinishLocation" attribute to set the finish location, then make sure that you have entered the correct URL.