Built-In Authenticators for MFA
Multi-factor authentication (MFA) verification is easy with a built-in authenticator service such as Windows Hello, Touch ID, or Face ID. Users quickly verify their identity with a fingerprint, iris, or facial recognition scan (or, in some cases, with a PIN or password that they set up in their device’s operating system). Built-in authenticators (also called platform authenticators) streamline the MFA requirement because they rely on hardware and software already in the device, so users don’t need a separate authenticator app or physical security key. Because the credential they create is bound to the site’s domain, they’re also resistant to phishing, which makes them one of the strongest verification methods available.
This type of method provides the easiest MFA login experience. After a user enters their Salesforce username and password, the built-in authenticator prompts them for a biometric, PIN, or password identifier. Then they’re logged in.
Built-in authenticators are a great option if using a mobile authenticator app isn’t viable. For example, consider this option for users who don’t have a company-provided mobile device. And built-in authenticators can make sense for PCI-compliant environments or situations where a user’s work device doesn’t have ports for a physical security key.
Requirements and Considerations
- For products built on the Salesforce Platform, a Salesforce admin must enable the use of built-in authenticators before this option is available to users. See Enable Built-In Authenticators for Identity Verification in Salesforce Orgs.
- Before users can register a built-in authenticator with Salesforce, the service must be enabled on their device and set up to verify their identity via a biometric, PIN, or password.
- A user’s device, operating system, and browser must support the FIDO2 Web Authentication (WebAuthn) standard. For more information, check out the FIDO website and the WebAuthn guide.
- A device must include a fingerprint, iris, or facial recognition scanner that’s supported by the built-in authenticator service.
- Built-in authenticators aren’t supported in non-Chromium versions of the Edge browser.
- Built-in authenticators can’t be used for MFA verification in the Salesforce mobile app. To log in to the mobile app, users must register an alternate verification method such as Salesforce Authenticator.
- Built-in authenticators aren’t available for Experience Cloud sites.
- Users accessing Salesforce through an API can’t verify their identity with a built-in authenticator.
- Data Loader OAuth logins don’t support the use of built-in authenticators.
To learn more, see FIDO2: Web Authentication (WebAuthn) or the documentation for your users' built-in authenticators.
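The browser and platform requirements above can be checked from a web page before offering this method to a user. The following is an added example, not Salesforce code: it uses the standard WebAuthn feature-detection API (`PublicKeyCredential` and `isUserVerifyingPlatformAuthenticatorAvailable()`). The `win` parameter defaults to the browser global and exists only so the check can be exercised with the constructed stand-in objects at the bottom outside a browser.

```javascript
// Added example (not Salesforce code): feature-detect WebAuthn support and a
// user-verifying platform authenticator (Windows Hello, Touch ID, Face ID, ...).
// `win` defaults to the real browser global; it is a parameter so the same
// function can be run against constructed stand-ins outside a browser.
async function checkPlatformAuthenticator(win = globalThis) {
  // No PublicKeyCredential means no WebAuthn at all (e.g. legacy non-Chromium Edge).
  if (typeof win.PublicKeyCredential === 'undefined') {
    return {
      webauthn: false,
      platformAuthenticator: false,
      reason: 'WebAuthn (PublicKeyCredential) is not available in this browser',
    };
  }
  const pk = win.PublicKeyCredential;
  // Older WebAuthn implementations may lack the platform-authenticator query.
  if (typeof pk.isUserVerifyingPlatformAuthenticatorAvailable !== 'function') {
    return {
      webauthn: true,
      platformAuthenticator: false,
      reason: 'browser cannot report whether a built-in authenticator is available',
    };
  }
  // True only if the device has a built-in authenticator that can perform
  // user verification (biometric or device PIN) and it is set up.
  const available = await pk.isUserVerifyingPlatformAuthenticatorAvailable();
  return {
    webauthn: true,
    platformAuthenticator: available,
    reason: available
      ? 'ok'
      : 'no user-verifying built-in authenticator is set up on this device',
  };
}

// Constructed stand-ins for the browser global, one per outcome.
const NO_WEBAUTHN = {};
const WEBAUTHN_NO_PLATFORM = {
  PublicKeyCredential: { isUserVerifyingPlatformAuthenticatorAvailable: async () => false },
};
const WEBAUTHN_WITH_PLATFORM = {
  PublicKeyCredential: { isUserVerifyingPlatformAuthenticatorAvailable: async () => true },
};

// Runs the check against all three stand-ins and returns the results.
async function runChecks() {
  return {
    none: await checkPlatformAuthenticator(NO_WEBAUTHN),
    webauthnOnly: await checkPlatformAuthenticator(WEBAUTHN_NO_PLATFORM),
    platform: await checkPlatformAuthenticator(WEBAUTHN_WITH_PLATFORM),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  runChecks().then((r) => console.log(JSON.stringify(r, null, 2)));
}
```

In a real page, call `checkPlatformAuthenticator()` with no argument; a `platformAuthenticator: false` result is the cue to steer the user to an alternate method such as Salesforce Authenticator instead of prompting for a built-in one that will fail.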
Behind the Scenes
Registering a built-in authenticator creates a public and private key pair that is unique to the user’s account and to the Salesforce domain it was registered with. The private key is stored in the device’s secure hardware on the user’s desktop or mobile device and can only be used after the user verifies with a biometric or the device PIN. The private key and the user’s biometric data never leave the device and are never shared with Salesforce; Salesforce stores only the public key. When a user logs in, the browser asks the operating system to launch the registered built-in authenticator, and the user verifies their identity with Touch ID, Face ID, Windows Hello, or whatever the platform provides. The authenticator then signs a one-time challenge from Salesforce, and Salesforce checks the signature against the stored public key.
WebAuthn-compliant built-in authenticators are resistant to phishing and man-in-the-middle attacks. The main reason is that a credential is bound to the domain (the relying party ID) it was registered for, and the browser, not the web page, supplies the page’s actual origin to the authenticator and includes it in the signed data. Suppose a user is tricked into visiting a lookalike site. When that site asks the browser to run a built-in authenticator, the browser scopes the request to the lookalike site’s domain, finds no credential registered for it, and the login can’t proceed. Even if an attacker relays a response to the real site, the signed response names the origin the user was actually on, and a compliant relying party rejects the mismatch.

