dott

Salesforce Phishing-Resistant MFA (PR-MFA) – Part 3

Table of Contents

Practical Implementation for SMBs & Shared Administrator Accounts


Real-World Challenge for SMB Organizations

Most Salesforce documentation assumes every administrator has their own dedicated Salesforce user.

In reality, many Small and Medium Businesses (SMBs) operate differently.

Typical reasons include:

  • Limited Salesforce administrator licenses
  • External implementation partners
  • Managed service providers
  • Business owners who occasionally administer Salesforce
  • Cost optimization

A common setup looks like this:

System Administrator > Business Owner > Internal IT > Salesforce Partner > Support Consultant

Everyone uses the same administrator account when administrative work is required.

This approach has existed for years in many organizations.

The introduction of PR-MFA doesn’t necessarily prevent this model, but it does require organizations to rethink how authentication is managed.


Challenge 1 – Multiple Devices

Consider this scenario.

The same administrator works from:

  • Office desktop
  • Company laptop
  • Home computer
  • Mobile phone

Good news

This scenario is generally straightforward.

Salesforce allows multiple phishing-resistant authentication methods to be registered for the same user.

For example:

Admin User > Windows Hello (Office) > Windows Hello (Laptop) > Face ID (iPhone) > Backup Security Key

This is actually considered a good operational practice because it provides resilience if one device becomes unavailable.

Perigeon Recommendation

For administrators who regularly work across multiple devices:

  • Register a passkey on each trusted device.
  • Register a backup FIDO2 security key.
  • Remove passkeys from retired or replaced devices.

Challenge 2 – One Administrator Shared by Multiple People

This is the question we receive most frequently.

Example:

System Administrator > Business Owner > IT Manager > Salesforce Partner > Support Engineer

Because there is only one administrator license.

Many SMB organizations are asking:

“How do we continue working without purchasing additional administrator licenses?”


Does Salesforce Prevent This?

Not necessarily.

PR-MFA focuses on how privileged users authenticate, not on Salesforce licensing.

However, organizations should ensure that whatever operational model they adopt aligns with their own security, audit, and compliance requirements.


Perigeon Practical Recommendation

The following recommendations are intended for organizations that:

  • Understand the implications of sharing administrator credentials.
  • Have documented internal approval for this operational model.
  • Are seeking a practical approach while working within licensing constraints.

These recommendations are not official Salesforce guidance.


Option 1 – Use an Enterprise Password Manager Supporting Passkeys

This is our preferred approach for many SMB customers.

Several enterprise password managers now support FIDO2/WebAuthn passkeys.

Examples include:

  • 1Password
  • Bitwarden
  • Keeper
  • Dashlane

Instead of registering separate passkeys on every device manually, the administrator passkey can be securely stored in a managed vault and synchronized to approved users and devices, subject to the capabilities of the chosen password manager and your organization’s policies.

Benefits

  • Simplifies passkey management.
  • Easier laptop replacement.
  • Centralized recovery.
  • Secure synchronization.
  • No physical key distribution.

Considerations

Before adopting this model:

  • Verify that your password manager supports shared passkeys under your licensing plan.
  • Enable audit logging where available.
  • Restrict vault access to only authorized personnel.
  • Periodically review vault membership.

Option 2 – Register Multiple Trusted Devices

If the administrator account is primarily used by the same individual, simply register multiple trusted devices.

Example:

Admin User > Desktop > Laptop > MacBook > iPhone > Backup Security Key

This avoids dependency on a single device.


Option 3 – Maintain a Recovery Device

Business continuity is often overlooked.

Imagine:

  • Laptop fails.
  • Mobile phone is lost.
  • Administrator is travelling.

Without a recovery method, access may be delayed.

We recommend maintaining:

  • One FIDO2 Security Key stored securely.
  • One documented recovery procedure.
  • One alternate trusted device.

Challenge 3 – External Salesforce Partners

Many organizations provide administrator access to:

  • Salesforce consulting partners
  • Managed service providers
  • Offshore development teams

If a shared administrator account continues to be used:

Consider:

  • How will the partner authenticate?
  • Who manages passkeys?
  • What happens when the project ends?

Perigeon Recommendation

If licensing allows:

Create a dedicated administrator account for the implementation partner.

If not:

Use an enterprise password manager with:

  • Role-based access
  • Audit logging
  • Time-limited vault access
  • Documented offboarding procedures

Challenge 4 – Device Replacement

This is one of the most common support requests.

Example:

Old Laptop > Windows Hello Passkey > Laptop Replacement

Recommended process:

  1. Login using another registered authentication method.
  2. Register the new device.
  3. Remove the old device.
  4. Validate login.
  5. Update internal documentation.

Challenge 5 – Employee Leaves the Organization

If an administrator leaves:

Immediately:

  • Remove password manager access.
  • Rotate shared credentials if applicable.
  • Remove registered passkeys associated with their devices.
  • Review trusted devices.
  • Validate remaining recovery methods.

Choosing the Right Authentication Model

Scenario Recommended Approach
One administrator, multiple devices Register passkeys on all trusted devices.
Shared administrator account Enterprise password manager with passkey support (subject to policy).
High-security environment FIDO2 security keys.
Frequent device replacement Password manager or multiple registered passkeys.
Managed service provider Dedicated admin account where possible, otherwise controlled shared vault access.

Password Managers Supporting Passkeys

Product Passkey Support Enterprise Sharing Suitable for SMB
1Password ⭐⭐⭐⭐⭐
Bitwarden ⭐⭐⭐⭐⭐
Keeper ⭐⭐⭐⭐
Dashlane ⭐⭐⭐⭐

Note: Features vary by edition and subscription. Always verify the capabilities of your chosen product before relying on it for shared passkey management.


Perigeon’s Perspective

Salesforce’s objective is to strengthen authentication for privileged users through phishing-resistant methods. Every organization, however, has its own operating model.

For many SMB customers, immediately purchasing additional administrator licenses may not be practical. In these cases, organizations should evaluate solutions that maintain operational continuity while aligning with their own security policies.

Perigeon recommends assessing:

  • The number of privileged users.
  • How administrator accounts are currently used.
  • Whether passkeys can be managed through an enterprise password manager.
  • Recovery procedures for lost or replaced devices.
  • Periodic reviews of who has access to shared authentication resources.

There is no single approach that fits every organization. The right solution should balance security, operational efficiency, licensing constraints, and business continuity.

 

Book a Consultation

Let’s discuss how we can make your project a success.

    By submitting this form, you acknowledge and accept Perigeon’s privacy policy.

    Let’s Create Impact Through Innovation.

    Partner with Perigeon Software to turn bold ideas into scalable digital solutions.