
How to Send Custom SMS MFA in Experience Cloud With Marketing Cloud Integration

By Nethaji Kapavarapu

Salesforce provides a default SMS delivery service for identity verification use cases, such as multi-factor authentication (MFA) in Experience Cloud sites. When enabled, users can verify their identity via SMS using their registered phone numbers, with Salesforce managing OTP delivery, message content, and short code.

However, organizations looking for greater flexibility can switch to a custom OTP provider, allowing them to personalize message content and align the sender identity with their brand’s digital marketing strategy. While this approach enhances branding and user experience, it requires proper implementation to ensure seamless functionality.

Using a custom OTP provider introduces important security considerations. Unlike the default provider, where Salesforce handles OTP security, a custom implementation exposes the OTP to Apex code, placing the responsibility for security and integrity on the organization.

Additionally, Salesforce does not verify phone numbers when sending OTPs via a custom provider, which can create potential vulnerabilities. To mitigate risks, it is recommended to verify all phone numbers before sending OTPs and implement safeguards to prevent unauthorized access.

Organizations can leverage Salesforce Marketing Cloud (SFMC) MobileConnect to send custom OTP messages securely, ensuring compliance with security best practices while providing a seamless authentication experience for external users.

Using MobileConnect to Send OTP Messages

To provide branded, personalized identity verification experiences for external users, create an Apex handler to send one-time passwords (OTPs) via Salesforce Marketing Cloud (SFMC) SMS. Customize the content of the message and the short code that tells users who sent it. Use the handler to send OTPs for any Experience Cloud identity verification use case, such as multi-factor authentication (MFA).

Integrating Salesforce Marketing Cloud (SFMC) with Experience Cloud SMS Multi-Factor Authentication (MFA) messaging through MobileConnect requires leveraging Salesforce’s APIs, configuration settings, MobileConnect capabilities, and Experience Cloud’s one-time password delivery handler Apex class. Below is a high-level guide on how to achieve this.

Prerequisites

  • Salesforce Marketing Cloud with MobileConnect enabled.
  • Salesforce Experience Cloud (formerly Community Cloud).
  • Administrator credentials for both Marketing Cloud and Experience Cloud.

Steps for Integration

Step 1: Configure MobileConnect in Marketing Cloud

  • Provision MobileConnect.
    • Ensure your Salesforce Marketing Cloud account has MobileConnect provisioned and configured. If not, contact Salesforce support to activate it.
  • Set up SMS messaging.
  • Create a messaging template.
    • Navigate to Mobile Studio → MobileConnect → Create Message.
    • Create a keyword for authentication-related messages.
    • Go to Setup → Installed Package → Create PORTAL MFA SMS API.
    • In MobileConnect, create and activate the portalMfa message template.
    • MobileConnect → Administration → Add EXPERIENCE_CLOUD keyword to the messaging template.

Step 2: Set Up Named/External Credentials in Salesforce

  • Set up Named/External Credential.
    • Create Named Credential and External Credential using the PORTAL MFA SMS API installed package from Marketing Cloud.
  • Create Permission Set for External Credentials.
    • Create a Permission Set (e.g. Marketing_Cloud_SMS_API).
    • Ensure it has access to the External Credential.
  • Assign Permission Set to Platform Integration User.
    • Execute the following script in Developer Console:

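// Look up the Platform Integration User (automated process user)
Id intUserId = [SELECT Id FROM User WHERE Name LIKE '%Integration%' AND Username LIKE '%autoproc%' LIMIT 1].Id;
// Look up the permission set that grants access to the External Credential
Id permSetId = [SELECT Id FROM PermissionSet WHERE Name = 'Marketing_Cloud_SMS_API' LIMIT 1].Id;
// Assign the permission set to the integration user
PermissionSetAssignment psa = new PermissionSetAssignment();
psa.AssigneeId = intUserId;
psa.PermissionSetId = permSetId;
insert psa;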

  • Ensure the Named Credential has appropriate API Keys.
    • Navigate to Setup → Security → Named Credentials.
    • Update client_id and client_secret values under Marketing Cloud SMS MFA API.
  • Ensure the External Credential has appropriate API Keys.
    • Navigate to Setup → Security → Named Credentials → External Credentials.
    • Select Marketing Cloud SMS API and update Client ID and Client Secret.

Step 3: Configure Custom OTP Delivery for Experience Cloud

  • Create Custom Label for referencing the MC Template Name.
    • Navigate to Setup → User Interface → Custom Label → New.
    • Add the name of the message template to Marketing_Cloud_SMS_Template.
  • Develop Custom One-Time Password Delivery Handler.
    • Contact Salesforce Customer Support to enable this feature.
    • Create an Apex Class that implements CustomOneTimePasswordDeliveryHandler.
    • Override the sendOneTimePassword method, using Named Credential to call Marketing Cloud and reference the Custom Label.
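
The safeguards recommended earlier (verify the phone number before sending, and keep the OTP out of logs) can sit in a helper that the handler's sendOneTimePassword method calls before the Marketing Cloud callout. This is an added example, not code from the original article or from Salesforce. Assumptions: the class, method and parameter names are hypothetical; the Named Credential API name, the MobileConnect messageContact route and its payload fields are assumed; the custom label is assumed to hold the message identifier that route expects; and the running user is assumed to be able to query TwoFactorMethodsInfo.

```apex
public class OtpSmsGuard {
    public class OtpSendException extends Exception {}

    // Assumption: API name of the Named Credential created in Step 2.
    private static final String NAMED_CREDENTIAL = 'Marketing_Cloud_SMS_MFA_API';

    // Hypothetical entry point: call it from sendOneTimePassword.
    public static void sendToVerifiedNumber(Id userId, String phoneNumber, String otp) {
        // Salesforce does not verify numbers for a custom provider, so refuse
        // to send unless this user has already verified a mobile number.
        List<TwoFactorMethodsInfo> methods = [
            SELECT HasUserVerifiedMobileNumber FROM TwoFactorMethodsInfo
            WHERE UserId = :userId LIMIT 1
        ];
        if (methods.isEmpty() || methods[0].HasUserVerifiedMobileNumber != true) {
            throw new OtpSendException('No verified mobile number for user ' + userId);
        }
        // Send only to the number stored on the user record.
        User u = [SELECT MobilePhone FROM User WHERE Id = :userId LIMIT 1];
        String target = digitsOnly(phoneNumber);
        if (String.isBlank(target) || target != digitsOnly(u.MobilePhone)) {
            throw new OtpSendException('Destination does not match the user record');
        }
        // Assumption: MobileConnect messageContact route, with the custom label
        // holding the message identifier that route expects.
        HttpRequest req = new HttpRequest();
        req.setEndpoint('callout:' + NAMED_CREDENTIAL + '/sms/v1/messageContact/'
            + Label.Marketing_Cloud_SMS_Template + '/send');
        req.setMethod('POST');
        req.setHeader('Content-Type', 'application/json');
        req.setBody(JSON.serialize(new Map<String, Object>{
            'mobileNumbers' => new List<String>{ target },
            'Subscribe' => true, 'Resubscribe' => true,
            'keyword' => 'EXPERIENCE_CLOUD',
            'Override' => true,
            'messageText' => 'Your verification code is ' + otp // constructed text
        }));
        HttpResponse res = new Http().send(req);
        // The OTP is visible to this code: surface the status only, never the
        // request body or the code itself, in errors or debug logs.
        if (res.getStatusCode() < 200 || res.getStatusCode() >= 300) {
            throw new OtpSendException('MobileConnect send failed: HTTP ' + res.getStatusCode());
        }
    }

    private static String digitsOnly(String phone) {
        return phone == null ? '' : phone.replaceAll('[^0-9]', '');
    }
}
```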

Step 4: Assign Apex Class as Custom OTP Handler for Experience Site

  • Configure OTP Handler in Experience Cloud.
    • Navigate to Setup → Feature → Digital Experiences → All Sites.
    • Click “Builder” for the appropriate site.
    • Go to Administration → Login & Registration.
    • Under Custom One-Time Password (OTP) Delivery, select MarketingCloudSMS as the handler.
    • Click “Save”.

Summary

This guide outlines the integration of Salesforce Marketing Cloud with Experience Cloud to send OTPs via SMS. By following these steps, organizations can enhance their identity verification process with a secure, branded authentication experience.


The Author

Nethaji Kapavarapu

Nethaji is a 5x Certified Salesforce Professional, as well as a PMP and PMI-ACP. He leads and manages the design and delivery of complex and innovative cloud solutions for clients in both public and private industries.
