The purpose of this article is to explain what Multi Factor Authentication (MFA) is and how it benefits the Dealership as added security 


By March 2024 the Multi Factor Authentication (MFA) will become mandatory for all Blackpurl user logins


We would suggest that this is a good time for you to discuss with your IT which Authenticator is best for your Dealership and get their assistance if required



What is Multi Factor Authentication (MFA) and what is it used for


The simple way to think of it is as additional protection that helps stop all sorts of malicious attackers from getting into systems

To do that, MFA makes you prove that you are who you say you are in more ways than one


Typically, the first proof is by providing the correct username and password


After that, you will be prompted to supply a second type of proof that is different than the first (ie not just another saved password - after all, if your first password was compromised, your second one might have been too!)


That second proof can be a scanned fingerprint or a time-sensitive code to type in or even a physical device you plug into your computer like a key.  Each of these different forms of proof are a factor, which is why this security feature is called MFA


You may have heard of two-factor authentication (2FA) and are wondering if that’s different than MFA - understandably, a lot of people confuse the two:


  • 2FA is simply - two forms of proof


  • MFA is - two or more forms of proof


MFA tends to be a bit stricter about what counts as a different form of proof.  A code texted to you after you’ve supplied a username and password is one of the most typical ways to handle 2FA, but a lot of MFA implementations doesn’t consider text messages secure enough to count as a valid second form of proof. That’s why you won’t see text messages mentioned anywhere else in this document


In essence, MFA is the cyber-security version of two pieces of ID please



Why do we need MFA in Blackpurl


Salesforce, which is the platform that Blackpurl operates on, is now mandating that everyone who logs into a Salesforce organization MUST use multi factor authentication


This mandate will lead to Salesforce auto-enabling MFA for users with full enforcement to be fully rolled out from from February 2024


We need to make sure we have full MFA support in Blackpurl before then, especially since this can be quite a different experience for some users.  We don’t want them feeling backed into a corner or surprised at the last moment


Additionally, MFA is a great feature to have and there’s a good reason why all sorts of business, including Salesforce, are mandating it


MFA keeps customer data safe and that’s something we all definitely want


For our USA Dealerships, we also need to comply with the rules issued by the Federal Trade Commission (FTC) on protecting customer information


Further information can be sort from this link - FTC


What is important to note, as it says on the FTC page, is that Financial Institutions applies to a much broader group of companies than many would think


For us, that means that if a dealer does anything at all around allowing a customer to finance a sale, even if the dealer isn’t actually providing the financing (or lease a unit) then they are considered to be a Financial Institution under the definition


You can see on the list of obligations under Safeguard, MFA is listed


For the size exception to the Safeguard (under 5K customers) you can see that many of the requirements still apply (including MFA)  This means that even our smaller dealerships are subject to them


Really though, this is just another reason why we deem MFA a mandatory feature – even if FTC Safeguards does not directly apply to your dealership (ie non USA or cash only), it just reinforces yet again how risky it is to operate your business without a foundational security precaution


That is why more and more software providers require it (ie SalesForce) to prevent data breaches and to limit the inevitable legal liability if a breach does occur

 


Enabling MFA for a user in Blackpurl


Before you start enabling MFA at your Dealership, please have your authenticator setup and ready to go


Dealerships now have the ability to start enabling MFA for your users from System Settings > Users 



There is a banner that will indicate that MFA is now available on your system but at the moment you still have the option of enabling or disabling per user


However there will come a time where the option will be removed due to the full enforcement being rolled out by our platform provider - SalesForce




To enable MFA for one of your users simply select the pencil icon to access the Edit licensed user screen and move the toggle from NO to YES 

Don't forget to




Which Authenticator to use


We would suggest that your Dealership (or your IT) have your selected Authenticator organised prior to switching on the MFA in Blackpurl 


Your Dealership can use any of the authentication methods that are supported by your Salesforce products MFA functionality and whilst we do not recommend any particular Authenticator, these are a few that the Dealership (or your IT) can select from:


  • Salesforce Authenticator mobile app (available on the App Store or Google Play)


  • Time-based one-time passcode (TOTP) authenticator apps like Google Authenticator, Microsoft Authenticator or Authy (which can be downloaded on your mobile device or onto your desktop)


  • Security keys that support WebAuthn or U2F, such as Ybico's Yubikey or Googles Titan Security Key


  • Built-in authenticators such as Touch IF, Face ID or Windows Hello



Keep in mind that Blackpurl will be unable to support and/or assist with your setup and /or any issues with the Authenticator that your Dealership elects to use


If the Dealership is running into issues with the Authenticator then they will need to contact their IT




Salesforce Authenticator App


If you wish to use the Salesforce Authenticator App as your method of authentication the instructions below describe the user experience, please pass this information to your IT person:


Regular login screen:


Next the user will be prompted about the Salesforce Authenticator:




If the user has a smart device (phone or tablet) that they’re allowed to use at work, they can follow the instructions here to install the Salesforce Authenticator App.  This is going to provide the most hassle-free experience for the user.


After installing the Salesforce Authenticator App, it should look like this:



After selecting "Add an Account"



Type the two word code from the app into the login screen (or use the Scan QR Code option by hitting “Choose Another Verification Method” at the bottom of the login screen):



After hitting connect, in the app, you should see something like this:



For all future logins now, after the user provides their username and password, they’ll get prompted with:



The notification they will receive on their  device from the Salesforce Authenticator App and, tapping on it, they’ll see something like:


After a couple of approvals from the same location, assuming the Authenticator has been given the permission to see the user’s location, it will prompt the user with the “Always approve from this location” action


If the user toggles that on and hits ‘Approve’ one last time, the Authenticator will now auto-approve any login the user makes as long as they have they have the device with their Authenticator with them and they are at the location in question



Google Authenticator App


If you wish to use the Google Authenticator App as your method of authentication the instructions below describe the user experience, please pass this information to your IT person:


If you have SalesForce has auto enabled the SalesForce Authenticator but you wish to use the Google Authenticator App, please ask BP Support to disconnect the SalesForce Authenticator 

Please note that we will not be turning off MFA - all we are doing is disconnecting the SalesForce Authenticator for you to setup the Google Authenticator App


Then the next time you log into Blackpurl, click on 




User selects ‘Use verification code from an authenticator app’ and clicks on the ‘Continue’ button



It opens a new screen to connect to the authenticator app and displays a QR code that User needs to scan from the mobile device using an authenticator app (Example - Google authenticator)



Now, on mobile device User needs to go to the Google authenticator app and click on the ‘+’ icon to add a new account where he will see an option to scan the QR code 


   


User clicks on ‘Scan a QR code’ that adds the account in the authenticator app 

An authentication code is displayed which is used when the User tries to login to Salesforce again

After successful verification of the code, User is logged in to Salesforce account



Using the Security Keys Method


Once MFA is enabled, on the next login this is the screen that should pop up for you to click on - Choose Another Verification Method

image.png

You will them be prompted with the following screen and you will need to select - Use a Universal Second factor (U2F) or WebAuthn (FIDO2) key


image.png
Insert the Security Key and click  to finish the process


image.png
Once you click the Security Key will be verified as the MFA method on the account

 All the users will need to insert the Security Key when they go to login to their account on future logins