Determine Business and User Needs for MFA
Even though multi-factor authentication (MFA) is automatically enabled for direct logins to production orgs, we recommend looking for ways to optimize the experience for your users. If your company accesses Salesforce via single sign-on (SSO), understanding your business and users’ needs gives you insights to help define your MFA implementation. By reviewing the considerations in this topic, you can determine the most suitable MFA verification methods for your users.
| Required Editions |
|---|
| Available in: both Salesforce Classic and Lightning Experience |
| Available in: all editions |
Here are some questions and potential requirements to consider.
| Area | Questions and Potential Requirements |
|---|---|
| Existing Authentication Solutions | Does your company use an existing MFA solution, like Okta or Duo, for other systems? If your Salesforce users are already using MFA to log in to other applications, see if you can integrate your Salesforce products with the same solution. Doing so can minimize friction and change management needs because users are already trained for MFA logins. Are your Salesforce products integrated with an SSO solution? You can use your SSO provider’s MFA service. Or, you can use the free MFA service included in Salesforce to satisfy the MFA requirement. See Use Salesforce MFA for SSO (Salesforce Orgs) for details. |
| Device Requirements | Consider if your industry’s or company’s mobile device policies place any constraints on your MFA implementation. For example, does a mobile app-based solution work or should you provide non-mobile options, such as physical security keys or desktop authenticator apps? If mobile apps are an option, does your company provide corporate devices? Or must you integrate MFA data usage and reimbursement guidelines into your Bring Your Own Device (BYOD) policy? |
| User Considerations | Understand how MFA can impact the various roles and teams at your company. For example:
We recommend supporting multiple verification methods in your implementation, so each person can choose the options that work best for them. |
| Shared Salesforce Credentials | Sharing user credentials with multiple users isn’t allowed. MFA is incompatible with this practice because each user must register and connect a unique verification method to their Salesforce account before they can log in. If multiple users in your org are sharing a single account, only one person is able to log in when MFA is turned on. Resolve any shared accounts or credentials that are in use. Make sure you have enough licenses to set up separate accounts for each person who accesses your Salesforce org. If you need help setting up unique user accounts, contact your Account Executive or Sales team. Or refer to Salesforce Checkout and Self Service to Manage Your Account. |
| Budget | Consider the budget you need for operational and user support functions. Salesforce products provide MFA at no extra cost, and the Salesforce Authenticator app is free. But if a mobile app option doesn’t work for some or all users, consider setting aside some budget to purchase and distribute security keys. |
| Security Requirements | Work with your security and IT teams to understand how MFA aligns with your company’s security objectives and requirements. Understand if any enterprise mandates are in place, and what kinds of application testing or evaluation processes you must follow. |
| Legal and Regulatory Requirements | What are your company’s legal commitments to customers and other stakeholders around how your users authenticate to your systems? Also consider local and other regulatory requirements and how they can impact your MFA implementation. For example, some regulatory requirements include restrictions on downloading applications to certain devices or bringing mobile devices into certain environments. |
| Compliance Requirements | What kinds of audit requirements does an MFA implementation affect or trigger? Are you beginning any new compliance regimes in the next 12 months that could be affected by your MFA implementation? |
Determine Suitable Verification Methods for Your Users
When you’ve identified what your business and users need from MFA, use what you learned to decide which verification methods to make available. You can standardize on one type of method that everyone uses, or you can support multiple options and let users choose. As a security best practice, we recommend requiring phishing-resistant verification methods: built-in authenticators or security keys.
Consider the tradeoffs when deciding on your approach. When everyone uses the same method, onboarding and day-to-day administration are simpler. But if you have a diverse set of users with a variety of different needs, supporting the full slate of available methods is your best approach. Users are also less likely to get locked out of their accounts if they can register multiple verification methods for themselves.
See Manage Identity Verification Methods for Multi-Factor Authentication (Salesforce Orgs) for guidance on enabling methods and optimizing the registration process for your users.