Loading
Salesforce now sends email only from verified domains. Read More
Identify Your Users and Manage Access
Table of Contents
Filter by (0)Add
Select Filters

          No results
          No results
          Here are some search tips

          Check the spelling of your keywords.
          Use more general search terms.
          Select fewer filters to broaden your search.

            Search all of Salesforce Help
            Search all of Salesforce Help
            Configure the MFA Verification Methods Available to Your Users for Salesforce Orgs

            You are here:

            1. Salesforce Help
            2. Docs
            3. Identify Your Users and Manage Access

            Configure the MFA Verification Methods Available to Your Users for Salesforce Orgs

            Salesforce supports four identity verification methods for multi-factor authentication (MFA) and device activation: built-in authenticators, physical security keys, Salesforce Authenticator, and third-party authenticator apps. As a security best practice, require users to use phishing-resistant methods: built-in authenticators or security keys. In orgs created before Summer ’25, Salesforce Authenticator and third-party apps are automatically available to users, but a Salesforce admin must enable the options to use built-in authenticators and physical security keys. In orgs created in Summer ’25 and later, all verification methods are allowed by default. For external users only, you can allow the use of one-time passcodes delivered via SMS text messages.

            Required Editions

            Available in: both Salesforce Classic and Lightning Experience
            Available in: all editions
            • Enable Built-In Authenticators for Identity Verification in Salesforce Orgs
              Allow your users to verify their identity for multi-factor authentication (MFA) or device activation with a built-in authenticator that’s already on their device, such as Touch ID or Windows Hello. After you enable this method, users can register the built-in authenticator on their device so it’s connected to their Salesforce account. Built-in authenticators are phishing-resistant. Enabling and requiring them is a security best practice.
            • Enable Security Keys for Identity Verification in Salesforce Orgs
              Allow your users to verify their identity for multi-factor authentication (MFA) or device activation with WebAuthn (FIDO2) or Universal Second Factor (U2F) security keys. After you enable this method, users can register a security key so it’s connected to their Salesforce account. Security keys are phishing-resistant. Enabling and requiring them is a security best practice.
            • Use SMS as an MFA Verification Method for External Users
              If you enable multi-factor authentication (MFA) for your customer or partner Experience Cloud sites, external users can log in using one-time passcodes delivered via SMS text messages. Users need only a verified mobile number and access to their device when they log in. This option is available for external users only. External users can also verify their identity with other supported MFA verification methods such as Salesforce Authenticator built-in authenticators, security keys, and third-party authenticator apps.

            See Also

             
            Loading
            Salesforce Help | Article