Marketo does use 2-factor login authentication by default.
Increase to High password security [everyone will have to reset passwords, including API users if you had one with a login like Kapost].
Use a separate Marketo user login for SFDC (don't use a person's login).
Refine Roles and Permissions (I have 20+ now).
Use Workspaces/Partitions to minimize access to sensitive information, like customers by region or country.
SSO - just installed this and it works very well; very easy to set up.
One caveat is that some integrations will have to bypass it, and you will likely want to let admins bypass (the default), which can create some holes.
Another that isn't clear in the docs: you must set up a new user + role manually with the same email address they have in the SSO service. Then they can use SSO to log in directly.
Sandbox users will still have to have a separate login with a different SSO setup.
IP Authentication - VPN only - this will drive everyone nuts, because it will mean you can only log in from your onsite locations or force remote employees to VPN in.
Pay for an encrypted instance on a secure pod. Little-known fact: your DB is NOT encrypted!! Only the connections are.
You must ask your Account Manager for details, and it's not cheap. It will take at least a weekend to transfer over. I would personally recommend this if you can afford it, to minimize risk further.
Don't do something stupid like syncing SSN and PCI data - Marketo is not the place for that data.