          Security Keys for MFA

          Security keys are small physical devices that are easy to use for multi-factor authentication (MFA) logins because there’s nothing to install and no codes to enter. This type of method is a great option if users don’t have a mobile device or if phones aren’t allowed where your users work (such as a PCI-compliant service center). Security keys require a supported browser to act as an intermediary between the key and your Salesforce product. Popular security keys include the YubiKey from Yubico and the Titan Security Key from Google. Security keys are phishing-resistant, making them a highly secure option.

          Security keys make MFA logins fast and simple. After entering their username and password, a user is prompted to connect the security key to their computer via a port or wirelessly. Then they press the button on the key to confirm their identity, and they’re logged in.

          Security keys aren’t biometric devices, even though some have a button that requires the user’s touch to activate the device. After the user inserts and activates the security key, it generates the required credentials, and the browser passes them on to Salesforce to complete the login.

          Security keys are easy to deploy and work well in environments where mobile devices aren’t an option. Users can use the same security key with multiple service providers and multiple Salesforce orgs and accounts.

          If you’re allowing the use of security keys, plan to procure and distribute them to your users. It’s also a good idea to stock some extra keys so you have a reserve inventory. Alternatively, users can self-provision their own security keys. These devices don’t require up-front registration by IT or admins.

          Important
          As a security best practice, require users to use phishing-resistant verification methods: built-in authenticators or physical security keys. For more information about the security benefits of these methods, see the WebAuthn guide.

          Requirements and Considerations

          Security keys are supported in all Salesforce products.

          Note

          At this time, Salesforce orgs that use domains other than salesforce.com and force.com don’t support U2F security keys. We’re working to resolve this issue.

          • For products built on the Salesforce Platform, a Salesforce admin must enable the use of security keys before this option is available to users. See Enable Security Keys for Identity Verification in Salesforce Orgs.

          • You can use any USB-A, USB-C, Lightning, or NFC security key that's compatible with the WebAuthn (FIDO2) or FIDO Universal Second Factor (U2F) standards.

            Security keys can look similar to other USB authentication devices that users carry on a keychain. Look for the FIDO logo indicating that the device is compatible with the WebAuthn or U2F standards. If you’re not sure, verify with your security hardware vendor that their keys are WebAuthn- or U2F-compliant.

          • Security keys require a supported browser.
            • For WebAuthn-compliant keys: Chrome, Edge Chromium, Firefox, or Safari
            • For U2F-compliant keys: Chrome (version 41 or later) or Edge Chromium
          • NFC devices aren’t supported in products built on the Salesforce Platform.

          • Data Loader OAuth logins don't support the use of security keys.

          • For products built on the Salesforce Platform: If a user registered a U2F key before Summer ’22, the registration is encrypted with a master encryption key accessible on the Certificate and Key Management page in Setup. Be careful when handling this master encryption key. If it’s deleted, the user isn’t able to log in with their U2F key. When the user logs in with the U2F key for the first time after Summer ’22, the registration updates to become WebAuthn-compatible. After the update, this warning no longer applies. Read about how to back up and manage master encryption key material in Manage Master Encryption Keys.

            Note
            Where possible, we changed noninclusive terms to align with our company value of Equality. We maintained certain terms to avoid any effect on customer implementations.

          Behind the Scenes

          The WebAuthn and U2F standards use strong public-key cryptography to protect users from man-in-the-middle attacks and malware. To learn more about what’s happening behind the scenes with security keys, check out the WebAuthn Guide or the FIDO U2F site.
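
          The following added example (not Salesforce code and not part of the original article) sketches the checks a WebAuthn relying party runs on a login assertion, showing why a response produced on a different origin or altered in transit is rejected. The relying-party ID, the origins, and the in-memory key pair standing in for the security key are constructed assumptions; attestation, CBOR parsing, and sign-counter tracking are left out.

```javascript
// Added illustration: simplified WebAuthn assertion check (not Salesforce code).
// RP_ID, ORIGIN and the in-memory "security key" are constructed for this example.
const crypto = require('node:crypto');

const RP_ID = 'example.com';                 // assumed relying-party ID
const ORIGIN = 'https://login.example.com';  // assumed legitimate login origin
const sha256 = (b) => crypto.createHash('sha256').update(b).digest();

// Stand-in for the security key: a P-256 key pair created at registration.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });

// What the browser and key produce together. The browser, not the page,
// writes the origin into clientDataJSON; the key signs over its hash.
function makeAssertion(challenge, browserOrigin, rpId) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get', challenge: challenge.toString('base64url'), origin: browserOrigin }));
  const flags = Buffer.from([0x01]);                 // bit 0 = user present (button press)
  const signCount = Buffer.from([0, 0, 0, 1]);
  const authenticatorData = Buffer.concat([sha256(rpId), flags, signCount]);
  const signature = crypto.sign('sha256',
    Buffer.concat([authenticatorData, sha256(clientDataJSON)]), privateKey);
  return { clientDataJSON, authenticatorData, signature };
}

// Relying-party checks; returns 'ok' or the first reason for rejection.
function verifyAssertion(a, expectedChallenge) {
  const cd = JSON.parse(a.clientDataJSON.toString('utf8'));
  if (cd.type !== 'webauthn.get') return 'wrong type';
  const got = Buffer.from(cd.challenge, 'base64url');
  if (got.length !== expectedChallenge.length ||
      !crypto.timingSafeEqual(got, expectedChallenge)) return 'challenge mismatch';
  if (cd.origin !== ORIGIN) return 'origin mismatch';
  if (!a.authenticatorData.subarray(0, 32).equals(sha256(RP_ID))) return 'rpIdHash mismatch';
  if ((a.authenticatorData[32] & 0x01) === 0) return 'user not present';
  const signed = Buffer.concat([a.authenticatorData, sha256(a.clientDataJSON)]);
  return crypto.verify('sha256', signed, publicKey, a.signature) ? 'ok' : 'bad signature';
}

// Runs four cases: genuine, other origin, stale challenge, modified authenticator data.
function demo() {
  const challenge = crypto.randomBytes(32);
  const genuine = makeAssertion(challenge, ORIGIN, RP_ID);
  // Constructed look-alike origin: the browser records where the request really ran.
  const relayed = makeAssertion(challenge, 'https://login.example-phish.test', RP_ID);
  const tampered = { ...genuine, authenticatorData: Buffer.from(genuine.authenticatorData) };
  tampered.authenticatorData[36] ^= 0xff;            // flip the last sign-counter byte
  return [verifyAssertion(genuine, challenge), verifyAssertion(relayed, challenge),
          verifyAssertion(genuine, crypto.randomBytes(32)), verifyAssertion(tampered, challenge)];
}
```

          Calling demo() returns one result per case, so the genuine assertion can be compared with the three rejected ones.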

           