You are here:
Verification Methods for Multi-Factor Authentication
The multi-factor authentication (MFA) login process requires users to provide an identity verification method in addition to their username and password. Salesforce products support several types of verification methods, including built-in authenticators, physical security keys, and authenticator apps. As a security best practice, require users to use phishing-resistant verification methods: built-in authenticators or security keys. Here’s an overview to help you identify which options work best for your business and your users.
The MFA functionality provided by Salesforce doesn’t allow the use of security questions or one-time passcodes delivered via email, SMS text messages, or phone calls. This restriction is intentional because of the inherent vulnerabilities with these methods. Email credentials can be compromised and mobile phone numbers can be intercepted via SIM swapping attacks or hacked mobile device accounts.
For users who log in with single sign-on (SSO), your SSO provider’s MFA service may support methods that aren’t discussed here. See the Salesforce Multi-Factor Authentication FAQ for guidance on verification methods that satisfy the MFA requirement.
Let’s look at the benefits and considerations for each type of verification method supported by Salesforce products.
| Built-In Authenticators (Phishing-resistant) | Security Keys (Phishing-Resistant) | Salesforce Authenticator | Third-Party Authenticator Apps |
|---|---|---|---|
| Operating system-level authentication that verifies identity with fingerprint, iris, or facial recognition scan, or a PIN or password. | Physical devices that use public-key cryptography. | A smart and simple mobile app that users can easily connect to their Salesforce accounts. | Apps that generate unique, temporary verification codes based on the OATH TOTP algorithm (specified in RFC 6238). |
Form Factor: Available via a device’s built-in authenticator service (for example, Windows Hello, Touch ID, and Face ID) |
Form Factor: USB, Lightning, and NFC devices that support the WebAuthn and U2F standards |
Form Factor: Mobile app for iOS and Android |
Form Factor: Mobile, desktop, and browser extension apps available for multiple operating systems |
User Experience:
|
User Experience:
|
User Experience:
|
User Experience:
|
Considerations:
|
Considerations:
|
Considerations:
|
Considerations:
|
| Cost: Starts around $25 for biometric peripherals, if needed | Cost: Starts around $20 | Cost: Free | Cost: Free and paid options |
| Learn More | Learn More | Learn More | Learn More |
For guidance on how users can set up and log in with MFA verification methods, see the MFA help documentation for your product. For example, for products built on the Salesforce Platform, see Help Users Register MFA Verification Methods for Salesforce Orgs.
Encourage all users — especially Salesforce admins — to register multiple verification methods so they can avoid getting locked out of your org. If someone forgets or loses their primary method, they have other options for logging in.
Security keys and built-in authenticators must be enabled for products built on the Salesforce Platform before these options are available to users. See Configure the MFA Verification Methods Available to Your Users for Salesforce Orgs.
Notes:
‣ If users don’t want to use a mobile authenticator app, consider a TOTP desktop authenticator app or browser extension.
‣ Security keys that use the NFC form factor aren’t supported in products built on the Salesforce Platform.
‣ WebAuthn-compatible security keys aren’t supported in non-Chromium versions of the Edge browser.
‣ For U2F security keys, see Update U2F Security Keys to Support WebAuthn Authentication to ensure they continue to work.
‣ Built-in authenticators are supported in products built on the Salesforce Platform, Heroku, Marketing Cloud Intelligence, MuleSoft Anypoint Platform, and Tableau Cloud.
