How and why I switched to

Having gotten in trouble using Heroku, I posted this question on Stack Overflow, which got downvoted and received no answers.

Good thing I was able to answer my own question a few days later!

Using an authenticator to access PaaS is a literal insult to a developer.

It’s definitely a context switch that disrupts one’s workflow. I would maybe have settled if they were sending the verification codes via SMS for 2FA, but there’s no way I’m installing all kinds of apps!

Under what circumstances are you forced to use their authenticator app?

In my (admittedly limited) experience with Heroku you can either use any TOTP authenticator for the 2FA or generate an API token for automation.

Technically speaking, you’re not forced to use Salesforce’s authenticator app. You are forced to use one of the following:

  • An authenticator app for your mobile phone (such as the one by Salesforce, or another third party)
  • One-Time Password Generator (also a third-party mobile app)
  • Security Key (a physical device)
  • Recovery Codes (these only work in combination with the former three, and create confusion by being listed together with them).

The truth is, I never want to bother with this level of security when gaining access to my websites and apps. Hypothetically this could be a good opportunity to invest in a HW security key (which is a solid security mechanism that can be used anytime one needs to log in).

That day, I needed to log in immediately and got delayed because Heroku insisted I do things THEIR way — which is very unintuitive. So, I had to give them the boot.

For what it’s worth, many password managers like KeePass or 1Password can also generate TOTP codes.

Will keep that in mind, thanks!

(This was very non-obvious from the Heroku MFA instructions).
