Salesforce is taking security on its platform more seriously than ever, with a number of upgrades to its existing two-factor authentication on the horizon, a senior security director told Salesforce 2013 Dreamforce delegates today.
Speaking at the San Francisco event, senior director of product management for security Eric Leach said that though Salesforce had already “built two-factor authentication and a higher assurance type of session into the Salesforce platform”, more was to be expected to keep customers’ peace of mind as online threats escalate.
Using technology from mobile security firm Telesign, which currently handles authentication through a variety of channels, including voice calls, SMS and soft-token or push-based activity in apps, Leach said Salesforce believes SMS authentication is still on a par with app-based authentication APIs.
“The most important [thing] is you’re moving something from one channel to something else,” said Leach.
“I think there’s differences and advantages between them. With SMS you’re getting something delivered to a phone that’s been verified and owned by somebody. With a mobile authenticator you can generate a token and [still] verify, [even] if the phone happens to be offline.”
But either way, Leach and Telesign believe that standardisation and consolidation are the way to strengthen all security measures.
“These things are based on APIs and things that are becoming standard,” said Leach.
“At some point, we anticipate that we’ll be able to use Google Authenticator with this. It’s essentially the same app with no functional difference between them – it wouldn’t make sense to have about 20 authenticator apps on your phone.
As more people adopt, we should see some of that consolidation happen.”
Beyond this, Leach offered a glimpse of where Salesforce will be taking authentication next year, as it begins to take better advantage of big data and the location-based information afforded by mobile devices through Salesforce1.
“It could be based on where you came from last time and where you are now etc.,” said Leach.
“So we are working on some stuff around that. We collect a lot of information on the platform today, including where people have logged in, what IP address they use, how many times they’ve logged in etc., so we’ve started pulling that out and in the spring 2014 release, we will have the capability to expose those logs to you. On top, we’re building some transaction security policies, which defined events – policies defined as actions such as ‘block’, notifying that it’s kicking you out into a workflow.
“They can be very descriptive and specific, and can also consume data from the platform, but also third party sources. So there’s a lot of data we can integrate into this policy framework that will help us do that kind of adaptive authentication.”
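To make the adaptive-authentication idea concrete, the following example is added here (it is not Salesforce's policy framework or any code from the article): a small policy engine that consumes the kind of login history Leach mentions (where and from which IP a user logged in, and how many attempts they made) and maps each fired policy to an action such as `block` or `notify`. The event type, the three policies, the thresholds (900 km/h, three failures in ten minutes) and the login records are all constructed for the illustration.

```python
import math
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class LoginEvent:
    user: str
    ts: int          # epoch seconds
    ip: str
    lat: float
    lon: float
    success: bool


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km between two coordinates."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


# Action severity used to pick the final decision when several policies fire.
SEVERITY = {"allow": 0, "notify": 1, "block": 2}


def policy_impossible_travel(history: List[LoginEvent], ev: LoginEvent,
                             max_kmh: float = 900.0) -> Optional[str]:
    """Block if the user would have had to travel faster than `max_kmh` since their last login."""
    prior = [h for h in history if h.user == ev.user and h.success and h.ts < ev.ts]
    if not prior:
        return None
    last = max(prior, key=lambda h: h.ts)
    hours = (ev.ts - last.ts) / 3600.0        # > 0 because of the ts filter above
    if haversine_km(last.lat, last.lon, ev.lat, ev.lon) / hours > max_kmh:
        return "block"
    return None


def policy_new_ip(history: List[LoginEvent], ev: LoginEvent) -> Optional[str]:
    """Notify when a user with a login history appears from an IP never seen before."""
    seen = {h.ip for h in history if h.user == ev.user and h.success}
    if seen and ev.ip not in seen:
        return "notify"
    return None


def policy_repeated_failures(history: List[LoginEvent], ev: LoginEvent,
                             limit: int = 3, window_s: int = 600) -> Optional[str]:
    """Block when the account has accumulated `limit` failures inside the trailing window."""
    recent = [h for h in history
              if h.user == ev.user and not h.success and 0 <= ev.ts - h.ts <= window_s]
    return "block" if len(recent) >= limit else None


POLICIES: List[Tuple[str, Callable[[List[LoginEvent], LoginEvent], Optional[str]]]] = [
    ("impossible_travel", policy_impossible_travel),
    ("new_ip_address", policy_new_ip),
    ("repeated_failures", policy_repeated_failures),
]


def evaluate(history: List[LoginEvent], ev: LoginEvent) -> List[Tuple[str, str]]:
    """Return every (policy name, action) pair that fires for this event."""
    return [(name, action) for name, fn in POLICIES if (action := fn(history, ev))]


def decide(history: List[LoginEvent], ev: LoginEvent) -> Tuple[str, List[Tuple[str, str]]]:
    """Final action is the most severe one among the fired policies, 'allow' if none fired."""
    fired = evaluate(history, ev)
    action = max((a for _, a in fired), key=SEVERITY.__getitem__, default="allow")
    return action, fired


# Constructed login history (documentation IP ranges, rough city coordinates).
HISTORY = [
    LoginEvent("alice", 1_000_000, "198.51.100.10", 37.77, -122.42, True),   # San Francisco
    LoginEvent("bob",   1_000_100, "203.0.113.5",   40.71,  -74.01, True),   # New York
    LoginEvent("bob",   1_003_000, "203.0.113.5",   40.71,  -74.01, False),
    LoginEvent("bob",   1_003_060, "203.0.113.5",   40.71,  -74.01, False),
    LoginEvent("bob",   1_003_120, "203.0.113.5",   40.71,  -74.01, False),
]

if __name__ == "__main__":
    # alice "arrives" in London one hour after logging in from San Francisco
    london = LoginEvent("alice", 1_003_600, "192.0.2.77", 51.51, -0.13, True)
    print(decide(HISTORY, london))
```

Each policy is a plain function so new signals (a third-party threat feed, device posture) slot in without touching the decision logic; keeping the action vocabulary tiny and ordered makes the combined outcome predictable and easy to audit.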