Best Methods for Securing API Access Between External Systems, 2FA, OAuth2, Etc.

Right now I use 2-factor authentication to get into my Google mail. I use 2FA to get into my Salesforce instance.

I see you use various login providers but it doesn’t look like Salesforce is one of them.

Basically I need my Backendless and Salesforce instances to talk to each other in a secure manner to share confidential information. It would also be nice if employees could have fewer systems to log into if they shared information.

Do you have any recommendations for how to accomplish this goal? I don’t want to have to worry about my connection between Backendless and Salesforce stopping due to needing to log in or something. It would be nice if I could limit admin access to the Backendless database to people who had gone through 2FA at some point.

Does anybody have recommendations for which third-party login providers to use? Is Google good for this purpose since I use it already for Gmail? Am I barking up the wrong tree?

How about using Zapier or Make (Integromat) to accomplish the integration?

Hi Mark, yes I have Zapier and it works well for certain things. The thing that worries me is how they map fields from Salesforce to Backendless. It is a very manual process and they don’t keep archives of prior versions to revert to. I just don’t want to mismap some data sometime because of the manual intervention in the future when I add a column or something.

In Salesforce, I have the ability to create an instant trigger that sends data to Zapier. And I think you guys could just as soon take that same data as well. I think I would prefer to just have Backendless take the raw data and then I can define mappings in a table somewhere in Backendless that doesn’t require so much maintenance.

I looked at Integromat (Make) and it doesn’t seem like they have a way to freeze the mapping either.

I foresee using Salesforce as my internal system and master data store but potentially using Backendless as the client experience. Obviously I need to keep the data between Salesforce and Backendless synced and I don’t want something that I can break easily.

Zapier does have a trigger event called “Catch Raw Hook” that doesn’t parse anything. Perhaps another option would be to pass that to Backendless somehow and just use Zapier…not sure.
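The table-driven mapping sketched above, as an added example that is not from the original post or from Backendless, Salesforce or Zapier: a raw webhook body is first checked against a shared-secret HMAC (the secret, header format and field names are assumptions), then mapped through a versioned mapping table that fails closed when a field has no mapping row, so a column added later cannot be silently mismapped.

```python
import hashlib
import hmac
import json

# Constructed sample of a mapping table as it could live in a Backendless table:
# one row per Salesforce field -> Backendless column; "version" freezes a mapping
# so it can be rolled back, which the thread notes Zapier and Make do not offer.
MAPPING_TABLE = [
    {"version": 2, "source": "Id", "target": "sf_id", "required": True},
    {"version": 2, "source": "Email", "target": "email", "required": True},
    {"version": 2, "source": "Phone", "target": "phone", "required": False},
]

# Assumed shared secret for the webhook; in practice read from secret storage.
SHARED_SECRET = b"constructed-shared-secret"

def sign(body: bytes, secret: bytes = SHARED_SECRET) -> str:
    """HMAC-SHA256 over the raw body, hex encoded (assumed signature format)."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()

def verify_signature(body: bytes, signature_hex: str) -> bool:
    """Constant-time comparison so the check does not leak timing information."""
    return hmac.compare_digest(sign(body), signature_hex)

def apply_mapping(payload: dict, version: int, table=MAPPING_TABLE) -> dict:
    """Map a raw record with one frozen mapping version; fail closed on surprises."""
    rows = [r for r in table if r["version"] == version]
    if not rows:
        raise ValueError(f"no mapping rows for version {version}")
    # A source field with no row (e.g. a column added later) is an error,
    # not something to drop or guess at.
    unknown = set(payload) - {r["source"] for r in rows}
    if unknown:
        raise ValueError(f"unmapped source fields: {sorted(unknown)}")
    out = {}
    for r in rows:
        if r["source"] in payload:
            out[r["target"]] = payload[r["source"]]
        elif r["required"]:
            raise ValueError(f"missing required field {r['source']}")
    return out

def handle_webhook(body: bytes, signature_hex: str, version: int) -> dict:
    """Verify before parsing: an unsigned or tampered body never reaches the mapper."""
    if not verify_signature(body, signature_hex):
        raise PermissionError("bad webhook signature")
    return apply_mapping(json.loads(body), version)
```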

Without Zapier, you’d need to figure out how to channel the data from Salesforce into Backendless. This will require custom programming (Codeless or otherwise).

With Zapier, the problem with “mismapping” would have to be managed by a QA process. Whenever a change is made, you’d need to make sure it properly works before applying it to a production environment.

Regards,
Mark

Is there any way to implement two factor authentication to access the application as the developer or is setting a password the only means of securing access? This is actually more important than being able to set it up for end users, especially when dealing with sensitive client data.

Hello @Ryan_Belisle

Did you read this article about 2FA?

Regards, Dima.

Hi Dima, thanks but I think that is within each app itself, no? I am talking about securing with 2FA my login ability as the developer to the screens where I can do things like delete the applications, manage multiple apps I may have, and do other malicious things. Here is the screenshot where you set up your password. Can you set up 2FA to log in to this account as the owner as well?

Unfortunately, we don’t support 2FA for Developer Console.

Okay, while I don’t think it is a deal breaker for me I think beefing up the security on the developer console is REALLY important to have on your roadmap. You guys have a good product but some bigger companies with a lot of customer data to protect won’t even give you guys a second look without some of these basic security features. I have also noticed the developer console doesn’t make me periodically re-authenticate and I can just go in every time without logging in.

It would be a good idea for anyone using a shared computer or something to LOG OUT…and make sure the email address you use for a password reset is secure…and make sure you use a really long password that can’t be cracked easily by a brute-force attack.

I hate logging in too and it is much easier to just open everything up…but it is a necessary evil for some to have this level of security.