These instructions provide a quick overview of the steps you, the Salesforce Administrator, need to take to set up U2F YubiKeys to work with Salesforce within your organization. This guide is intended for IT administrators.
- YubiKey 4, YubiKey 4 Nano, YubiKey 4C, YubiKey NEO, FIDO U2F Security Key
- Salesforce Winter 2017 Release
- Google Chrome (version 40 or later on ChromeOS, Microsoft Windows, Mac OSX or macOS, or Linux)
Overview of Steps to be Performed
- Setting up My Domain
- Creating a permission set and enabling two-factor authentication
- Allowing U2F tokens
- Testing before you deploy to your users
Setting up My Domain
As a security precaution against transport-level attacks, the FIDO U2F protocol defines domain name specificity rules that a proper U2F security token implementation must follow. For that reason, you need to set up a Salesforce My Domain within your Salesforce environment to use U2F security keys. A My Domain gives you a Salesforce subdomain such as:
If you do not have My Domain set up, review the Salesforce documentation before you continue.
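The domain binding described above, shown as an added example (not Yubico's or Salesforce's code): a relying-party check of the U2F client data and of the bytes the token signs. It assumes the AppID equals the web origin and uses the placeholder origin `https://example.my.salesforce.com`; verifying the signature against the registered public key is left out.

```python
import base64
import hashlib
import json
import secrets

# Assumption: placeholder My Domain origin, used here as the U2F AppID.
APP_ID = "https://example.my.salesforce.com"


def application_parameter(app_id: str) -> bytes:
    """SHA-256 of the AppID; the token binds key handles and signatures to it."""
    return hashlib.sha256(app_id.encode("utf-8")).digest()


def new_challenge() -> str:
    """Random server challenge, websafe-base64 without padding."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()


def check_client_data(raw: bytes, challenge: str, app_id: str = APP_ID) -> bytes:
    """Validate browser-written client data; return its SHA-256 (challenge parameter)."""
    data = json.loads(raw)
    if data.get("typ") != "navigator.id.getAssertion":
        raise ValueError("not an authentication response")
    if data.get("challenge") != challenge:
        raise ValueError("challenge mismatch (stale or replayed response)")
    if data.get("origin") != app_id:
        raise ValueError("origin mismatch: " + repr(data.get("origin")))
    return hashlib.sha256(raw).digest()


def signed_message(app_id: str, presence: int, counter: int, chal_param: bytes) -> bytes:
    """Bytes the token signs: app parameter | presence | counter | challenge parameter."""
    return (application_parameter(app_id) + bytes([presence])
            + counter.to_bytes(4, "big") + chal_param)


def make_client_data(origin: str, challenge: str) -> bytes:
    """Constructed sample of the client data a browser writes for the given origin."""
    return json.dumps({"typ": "navigator.id.getAssertion",
                       "challenge": challenge, "origin": origin}).encode()


if __name__ == "__main__":
    c = new_challenge()
    msg = signed_message(APP_ID, 1, 7, check_client_data(make_client_data(APP_ID, c), c))
    print(len(msg), "bytes covered by the token signature")
```

Because the browser, not the page, writes the origin into the client data, a response produced on any other domain fails the origin check and carries a different application parameter.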
Creating a Permission Set and Enabling Two-Factor Authentication
A Permission Set, which defines a number of settings and permissions for a user, will be used to enable two-factor authentication for a large set of users. While it is possible to instead attach these two-factor authentication rulesets to a user’s Profile settings, a Permission Set provides much more administrative flexibility, as a user may have multiple permission sets.
- Type “Permission Sets” into the Quick Find text box and click Permission Sets.
- Click New to create a new Permission Set.
- Name your Permission Set in the Label and API Name fields.
- If desired, provide a description for the Permission Set.
- Click Save.
- In the Permission Set Overview page, under the System subcategory, click System Permissions.
- To edit these options, click Edit near the top of the page.
- Locate and select the following checkbox:
- Two-Factor Authentication for User Interface Logins
- When you have selected the checkbox, scroll back to the top of the page and click Save.
- To assign the Permission Set to a set of users, click Manage Assignments.
- Select Add Assignments.
- Assign the permission set by selecting a particular user, or use the Create New View tool to assist you in selecting a large group.
Allowing U2F Tokens
The Session Settings must be configured to allow U2F Security Keys to be used for two-factor authentication.
- Type “Session Settings” in the Quick Find search bar and then click Session Settings.
- If My Domain has been set up and deployed properly, a checkbox for Let users use a security key (U2F) will be available. Check this box.
- Scroll further down the page to the Session Security Levels subcategory.
- Ensure Two Factor Authentication is listed under High Assurance.
- Click Save to finalize your settings.
Testing Before You Deploy to Your Users
To confirm proper setup, be sure to test with several users who have been attached to the Permission Set rulesets that you previously configured in this how-to guide.
- Ask your test user(s) to log in to Salesforce.
- After the user has entered his username and password, he is asked to confirm his identity. TIP: To ensure successful adoption of U2F, we recommend that you reduce the number of options your users can use to verify their identity.
- If the user chose Use a Universal Second Factor (U2F) key, he is asked to register a security key (YubiKey).
- The user should finish the self-registration process.
That’s it! From now on, when your user logs in to Salesforce, he then uses the YubiKey to verify his identity.
Once you have verified that your testers have successfully logged in to Salesforce using their YubiKeys, then you can attach the Permission Set rulesets to all users for whom you have provided YubiKeys.