In 2012, Mat Honan of Wired detailed his horrible experience of being personally hacked. The attackers chained weaknesses in Amazon's and Apple's account-recovery processes to get into his Gmail account and, eventually, take over his coveted three-letter Twitter handle, @mat. This could have been thwarted had he enabled two-factor authentication on his Google account. Google provides it as a free feature, pairing the web login with either SMS codes or its free Google Authenticator mobile application (Android, iOS). In its Winter '14 release, Salesforce enabled two-factor authentication at no additional cost. In addition to supporting the free Google Authenticator application, it provides its own mobile applications (Android, iOS) and supports third-party services. Details can be found here. Enabling two-factor authentication takes less than five minutes. Here are the steps:

First, create a permission set with the two-factor authentication system permission ("Two-Factor Authentication for User Interface Logins") enabled

Next, assign the user(s) to the permission set

Finally, when the user next logs in, they are presented with a QR code and links to the mobile applications. After installing the application, the user simply scans the QR code, which enrolls the shared secret on the phone. From then on, every login is the username/password (as it always has been) followed by the six-digit verification code the mobile application currently displays:
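What the phone and the server are actually agreeing on is a time-based one-time password (TOTP, RFC 6238): the QR code carries a shared secret, the app derives a six-digit code from that secret and the current 30-second time step, and the server recomputes the same code to check it. The following is an added example, written for this post and not Salesforce's or Google's code, that implements the Google Authenticator profile (HMAC-SHA1, 6 digits, 30 s) end to end: generating a secret, building the otpauth URI a QR code would encode, reading the secret back out of such a URI, and verifying a submitted code with a small drift window. The `otpauth://` URI layout is the Google Authenticator key format; the sample URI, account name and issuer are constructed for the example, and the 20-byte seed `12345678901234567890` is the RFC 6238 test seed.

```python
"""TOTP (RFC 6238) in the Google Authenticator profile: HMAC-SHA1, 6 digits, 30-second steps.
Added example; not code from Salesforce or Google."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import parse_qs, quote, urlparse

STEP_SECONDS = 30
DIGITS = 6

# Constructed example: the RFC 6238 test seed "12345678901234567890" in base32,
# wrapped in the otpauth URI a provisioning QR code encodes.
SAMPLE_SECRET = b"12345678901234567890"
SAMPLE_URI = ("otpauth://totp/Salesforce:user%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Salesforce")


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte picks the window
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(key: bytes, at: Optional[int] = None, step: int = STEP_SECONDS,
         digits: int = DIGITS) -> str:
    """The code the phone app shows at Unix time `at` (defaults to now)."""
    if at is None:
        at = int(time.time())
    return hotp(key, int(at) // step, digits)


def verify_totp(key: bytes, code: str, at: Optional[int] = None, window: int = 1,
                step: int = STEP_SECONDS, digits: int = DIGITS) -> bool:
    """Server-side check: accept the current step plus `window` steps either side so a
    phone whose clock drifts by up to window*step seconds still works. Each comparison
    is constant-time so the response does not leak how many digits matched."""
    if at is None:
        at = int(time.time())
    counter = int(at) // step
    matched = False
    for c in range(counter - window, counter + window + 1):
        # No early return: the loop cost does not depend on which step matched.
        matched |= hmac.compare_digest(hotp(key, c, digits), code)
    return matched


def new_secret(length: int = 20) -> bytes:
    """Fresh random seed; 20 bytes is the HMAC-SHA1 output size recommended by RFC 4226."""
    return secrets.token_bytes(length)


def otpauth_uri(key: bytes, account: str, issuer: str) -> str:
    """Build the otpauth URI that a provisioning QR code encodes (Google Authenticator format)."""
    secret_b32 = base64.b32encode(key).decode("ascii").rstrip("=")
    label = quote(f"{issuer}:{account}", safe=":")
    return f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer, safe='')}"


def secret_from_otpauth(uri: str) -> bytes:
    """Recover the raw seed from an otpauth URI; tolerates lowercase and stripped padding."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    b32 = parse_qs(parts.query)["secret"][0].upper()
    b32 += "=" * (-len(b32) % 8)                 # restore base32 padding to a multiple of 8
    return base64.b32decode(b32)


if __name__ == "__main__":
    key = secret_from_otpauth(SAMPLE_URI)
    code = totp(key)
    print("current code:", code, "valid:", verify_totp(key, code))
    print("provisioning URI for a new user:",
          otpauth_uri(new_secret(), "user@example.com", "Salesforce"))
```

The drift window is the knob to think about: `window=1` accepts three codes at any instant (about 90 seconds of validity), which is the usual trade-off between tolerating phone clock skew and limiting the replay window. A real server should additionally remember the last counter it accepted for each user so a captured code cannot be reused inside that window.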

Here is a screenshot of the Android version of Google Authenticator:

If the user loses, upgrades, or replaces their phone, you will need to reset their token. The user detail page has a link to reset the Time-Based Token; this invalidates the old secret and presents a new QR code to the user at their next login. Because the token is time-based, the phone's clock also has to be accurate: codes from a phone whose clock has drifted will be rejected.

If you are looking to add security to your Salesforce org, consider enabling two-factor authentication. The time and complexity of configuring it for your users should not be an issue!