Salesforce.com has been caught with its pants down after phishers persuaded an employee to hand over customer contact details. In a letter to customers yesterday the, er, customer relationship management (CRM) software vendor admitted that it had been hit by a number of dodgy phishing and malware attacks. Salesforce said that …
Velly populah in chinah.. we likey velly much all your base is belong to us :)
Salesforce.com makes 2FA security a Catch-22 choice for SMEs
The Salesforce.com phishing incident should not come as a surprise to anyone. The growing popularity of the SaaS model means that providers like Salesforce.com, NetSuite and Oracle are managing increasingly sensitive business applications and data for more and more high profile customers. It's too big a honeypot for the Internet Underworld to ignore.
It's really positive that Salesforce.com are now recommending the use of two-factor authentication (2FA) to secure the login to their service, but there is one major flaw: to replace their basic password with a 2FA process you need to enable their 'Single Sign-On (SSO) function. Unfortunately this SSO function is limited in the Salesforce.com Professional Edition - the SME version which is used by the vast proportion of their customer base.
For these customers, SSO is a 'global setting' so it is either 'on' or 'off' for all users. This means that if 2FA tokens are to be deployed - they have to be issued to every single Salesforce.com user; which can be simply too costly.
So for all Pro Edition customers, in order to follow Salesforce.com's security advice, they have an costly Catch-22 choice: either upgrade to the more expensive Enterprise Edition or give everyone 2FA whether they need it or not.
It's a fallacy that only big companies use 2FA, we have hundreds of customers of all sizes using our fully managed two-factor Secure Authentication Service, some with just a handful of users.
It is frustrating that our customers cannot extend the use of their tokens to secure their Salesforce.com accounts too. If Salesforce.com were to make SSO a 'per user' setting on Pro Edition, this would show that they are committed to helping all customers improve their security.
Signify - The Secure Authentication Service
- Vid Hubble 'scope scans 200,000-ton CHUNKY CRUMBLE ENIGMA
- Bugger the jetpack, where's my 21st-century Psion?
- Google offers up its own Googlers in cloud channel chumship trawl
- Interview Global Warming IS REAL, argues sceptic mathematician - it just isn't THERMAGEDDON
- Apple to grieving sons: NO, you cannot have access to your dead mum's iPad