          Learn What MFA Is and Why It’s So Important

          As security threats grow more common, it's increasingly important to implement strong measures to protect your Salesforce data, your business, and ultimately, your customers. Usernames and passwords alone are no longer sufficient for guarding against unauthorized account access. Multi-factor authentication (MFA) with phishing-resistant methods such as built-in authenticators and security keys is one of the simplest, most effective ways to enhance the security of your login process because it requires multiple pieces of evidence to prove a user is who they say they are.

          Required Editions

          Available in: both Salesforce Classic and Lightning Experience
          Available in: all editions
          Important

          As a safeguard against unauthorized account access, customers are contractually required to use MFA when logging in — either directly with a username and password or via single sign-on (SSO). To help users satisfy this requirement, MFA is automatically enabled for direct logins to production orgs. For full details about the MFA requirement, see the Salesforce Multi-Factor Authentication FAQ.

          How MFA Works

          MFA verifies a user’s identity by requiring multiple “factors” during the login process.

          • The first factor is something a user knows — their username and password.
          • After that, the user is prompted for a second factor that’s in their possession — an identity verification method such as an authenticator app or security key.

          By tying user access to several different types of factors, it’s harder for a bad actor to gain entry to your Salesforce environment. Even if a user’s password is compromised, the odds are low that an attacker can guess or impersonate a factor that a user physically possesses.

          Each user must spend a few minutes registering at least one verification method so it’s connected to their Salesforce account. The first time a user logs in after MFA is turned on, they’re asked to do this task. On-screen prompts guide users through the simple process.

          Verification Method Options

          Salesforce supports several types of identity verification methods, including authentication services that are built into a computer’s operating system, physical security keys, and a variety of mobile and desktop authenticator apps. Many of these options are available for free. To learn more about your verification method options, see Verification Methods for Multi-Factor Authentication.

          Important
          As a security best practice, require users to use phishing-resistant verification methods: built-in authenticators or physical security keys. For more information about the security benefits of these methods, see the WebAuthn guide.
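
What makes these methods phishing-resistant, shown as an added example (not Salesforce code): with WebAuthn the browser records the page's origin in the client data that the authenticator's signature covers, and the server rejects any response produced on another origin. The origin `https://login.example.com`, the lookalike `https://login.example.net`, and the helper names are assumptions for illustration.

```python
import base64
import hmac
import json

# Assumption: the org's real login origin (placeholder, not a value from the page).
EXPECTED_ORIGIN = "https://login.example.com"


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding WebAuthn uses for the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def check_client_data(client_data_json: bytes, issued_challenge: bytes):
    """Server-side checks on clientDataJSON from a WebAuthn login response.

    Returns (accepted, reason). A full verifier also validates the
    authenticator data and the signature that covers this client data.
    """
    try:
        data = json.loads(client_data_json)
    except ValueError:
        return False, "malformed clientDataJSON"
    if not isinstance(data, dict):
        return False, "malformed clientDataJSON"
    if data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    challenge = str(data.get("challenge", "")).encode("utf-8")
    expected = b64url(issued_challenge).encode("ascii")
    if not hmac.compare_digest(challenge, expected):
        return False, "challenge mismatch"
    # The browser, not the page, fills in the origin, so a response produced
    # on a lookalike site carries that site's origin and is rejected here.
    if data.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch"
    return True, "ok"


def make_client_data(origin: str, challenge: bytes, ceremony: str = "webauthn.get") -> bytes:
    """Constructed sample of the client data a browser reports for `origin`."""
    fields = {"type": ceremony, "challenge": b64url(challenge), "origin": origin}
    return json.dumps(fields).encode("utf-8")


if __name__ == "__main__":
    challenge = bytes(range(32))  # constructed; a server would use random bytes
    for origin in (EXPECTED_ORIGIN, "https://login.example.net"):
        print(origin, check_client_data(make_client_data(origin, challenge), challenge))
```

A one-time code from an authenticator app has no equivalent binding: the same digits are valid no matter which site the user typed them into.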

          You can deploy as many of the supported types of methods as needed to meet your business and user requirements.

          Tip
          Encourage users to register multiple verification methods to avoid the risk of getting locked out of Salesforce. If a user forgets or loses one method, they have other options to fall back on.