Replacing traditional logins with a system built on single-use QR codes will not inoculate an organization against every attack; the WannaCry ransomware worm, for instance, spread by exploiting an unpatched Windows SMB flaw rather than stolen credentials. All the same, incidents like it probably have Salesforce admins thinking about better ways to shore up security and get people away from easy-to-guess passwords.
For the University of Advancing Technologies, a private college in Tempe, Ariz., replacing traditional login requirements with a passwordless authentication system not only added a layer of security, but also eased the migration of about 40 users off of a proprietary CRM system and onto Salesforce. And it's an important tool: In UAT's Salesforce resides a network of contacts that includes high schools, alumni, students, students' parents, business partners and prospective employers for graduates.
"Logging in to Salesforce is kind of a pain," said UAT President Jason Pistillo. "My users forget their accounts all the time, or lock themselves out." The passwordless login, he added, so far has been "a delight," and has reduced login-related help desk tickets.
UAT uses Trusona's platform, which replaces passwords with an identity authentication system in a mobile phone app. The system captures a code that appears on the user's desktop monitor and logs them in when the phone confirms the person's identity.
QR codes linked to phones
Trusona (a portmanteau of true and persona) recently integrated its passwordless login scheme with Salesforce. The company already sells other tiers of passwordless login software, the highest of which includes passport validation, to financial, government and other vertical industries. Trusona for Salesforce is free for a 14-day trial and costs $10 per user, per year afterward.
While it replaces passwords with QR codes, Trusona for Salesforce still requires a phone with enough battery charge to open the app and validate the user's identity. When that second device isn't available, the old password login remains as a fallback, which means the password itself still has to be strong and protected.
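The flow described above, a one-time code on the desktop that the phone app answers, follows a general pattern: the server issues a random, short-lived nonce tied to the browser session that asked for it, the enrolled phone returns a proof bound to that nonce, and the server marks the nonce used before it logs the browser in. The following is an added example of that pattern, not Trusona's protocol or code; it assumes a per-device HMAC secret provisioned at enrollment (a real product would use a device-held private key), a hypothetical login origin and a 60-second code lifetime.

```python
import hashlib
import hmac
import json
import secrets
import time

# Assumed parameters (not from the article): how long a displayed QR code stays valid,
# and the origin the phone app binds its response to. Both values are hypothetical.
CHALLENGE_TTL_SECONDS = 60
LOGIN_ORIGIN = "https://login.example.com"


class QrLoginServer:
    """Server side of a single-use QR login (generic pattern, not Trusona's protocol)."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.devices = {}   # device_id -> (username, per-device secret)
        self.pending = {}   # nonce -> (issued_at, browser session id)
        self.sessions = {}  # browser session id -> username once confirmed

    def enroll(self, username, device_id):
        """One-time enrollment: provision a random per-device secret to the phone app.
        A production system would hold a private key on the device instead."""
        secret = secrets.token_bytes(32)
        self.devices[device_id] = (username, secret)
        return secret

    def issue_challenge(self):
        """Called by the browser; the returned payload is what the page renders as a QR code."""
        session_id = secrets.token_urlsafe(16)
        nonce = secrets.token_urlsafe(32)
        self.pending[nonce] = (self.clock(), session_id)
        self.sessions[session_id] = None
        return session_id, json.dumps({"origin": LOGIN_ORIGIN, "nonce": nonce})

    def confirm(self, device_id, nonce, tag):
        """Called by the phone app after it scans the code and the user approves."""
        # pop() makes the nonce single-use: a second submission, even with a valid tag, fails.
        entry = self.pending.pop(nonce, None)
        if entry is None:
            return False, "unknown or already used nonce"
        issued_at, session_id = entry
        if self.clock() - issued_at > CHALLENGE_TTL_SECONDS:
            return False, "challenge expired"
        device = self.devices.get(device_id)
        if device is None:
            return False, "unknown device"
        username, secret = device
        expected = _tag(secret, device_id, nonce)
        if not hmac.compare_digest(expected, tag):
            return False, "bad device signature"
        # Only the browser session that requested this QR code becomes logged in.
        self.sessions[session_id] = username
        return True, username

    def session_user(self, session_id):
        return self.sessions.get(session_id)


def _tag(secret, device_id, nonce):
    # Origin, nonce and device id are all covered, so a tag cannot be reused for
    # another site, another challenge or another device.
    msg = f"{LOGIN_ORIGIN}|{nonce}|{device_id}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def phone_sign(secret, device_id, qr_payload):
    """Phone side: decode the scanned QR payload and answer the challenge."""
    data = json.loads(qr_payload)
    if data["origin"] != LOGIN_ORIGIN:
        raise ValueError("refusing to sign a challenge for an unexpected origin")
    return _tag(secret, device_id, data["nonce"])


def demo():
    """Walk through a login, a replayed response and an expired code; returns the outcomes."""
    now = [1_000_000.0]                       # constructed clock so expiry is deterministic
    server = QrLoginServer(clock=lambda: now[0])
    secret = server.enroll("alice", "alice-phone")

    session_id, payload = server.issue_challenge()
    nonce = json.loads(payload)["nonce"]
    tag = phone_sign(secret, "alice-phone", payload)
    first_ok, _ = server.confirm("alice-phone", nonce, tag)
    replay_ok, _ = server.confirm("alice-phone", nonce, tag)   # same nonce again

    _, stale_payload = server.issue_challenge()
    stale_nonce = json.loads(stale_payload)["nonce"]
    stale_tag = phone_sign(secret, "alice-phone", stale_payload)
    now[0] += CHALLENGE_TTL_SECONDS + 1                        # code sat on screen too long
    expired_ok, _ = server.confirm("alice-phone", stale_nonce, stale_tag)

    return {
        "login": first_ok,
        "session_user": server.session_user(session_id),
        "replay_rejected": not replay_ok,
        "expired_rejected": not expired_ok,
    }


if __name__ == "__main__":
    print(demo())
```

The two properties worth checking in any such product are visible in `confirm`: the nonce is removed before anything else is verified, so a captured response cannot be replayed, and a code that has been on screen past its lifetime is refused even with a valid signature. Because the browser session that requested the code is the one that gets logged in, the phone app should also show the user where the login is happening before they approve.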
"Static username and password should only be a backup, and not what you use all the time," said Trusona founder Ori Eisen, who previously led the global fraud detection team at American Express. "The main risk is that, if you have malware on your phone or PC and it gets leaked, your entire pipeline could be falling into the wrong hands."
A large corporate customer engaged Trusona to create the QR code login system, Eisen said, and the company decided to generalize that implementation as a service to sell to Salesforce customers large and small. UAT signed up as an early adopter to lower the barrier to employees taking up Salesforce's workflow tools, which are more sophisticated than the previous CRM's, and it was important to Pistillo and his team to add another layer of security.
"The thing about logging in is that we constantly think about it in terms of security; how secure is it?" Pistillo said. "The piece that people miss is the user experience … it is a big part of authenticating and logging in to something that [IT implementers] skip over and don't think about."
UAT has seen enough success and user adoption with its Salesforce implementation of passwordless login that it plans to roll it out to other systems, including learning management and Office 365 systems used by students.
Salesforce itself offers a different approach to password-free login through the Salesforce Authenticator mobile app, which verifies the user with a fingerprint or PIN on the phone. External single sign-on identity providers can also integrate with Salesforce, which, according to the company, can lead to better user adoption of an organization's CRM tools.
Choosing the right password-free system
If your organization is considering passwordless login systems, Pistillo offers the following pointers for choosing the one that's right for you.
- Find one that's simple to set up. In UAT's case, Trusona took only a few minutes to implement.
- Choose a technology that's easy to use. Don't forget the user experience piece of securing your Salesforce setup -- that is, if you want to get buy-in from end users.
- Don't assume you're immune to hacks. Remain vigilant. Pistillo pointed out that the WannaCry Trojan is a vulnerability stemming from compromised servers, and Eisen reminded us that social engineering hacks and con games bypass software altogether and rely on human defenses.