          Third-Party Authenticator Apps for MFA

          Salesforce multi-factor authentication (MFA) supports the use of third-party authenticator apps that generate time-based one-time password (TOTP) codes. There are many mobile, desktop, and browser extension apps available, including free versions. Some popular options include Google Authenticator, Microsoft Authenticator, Authy, and password managers such as LastPass and 1Password.

          To log in using this type of verification method, the user gets a code from their authenticator app. Then they enter that code during the Salesforce login process.

          TOTP authenticators can generate codes even if the user’s phone doesn’t have a data or internet connection.

          Note: We highly recommend that users set up a PIN or biometric requirement on their mobile device to ensure that unauthorized parties aren’t able to access their authenticator app.

          Requirements and Considerations

          Important: As a security best practice, require users to use phishing-resistant verification methods: built-in authenticators or physical security keys. For more information about the security benefits of these methods, see the WebAuthn guide.
          • Third-party authenticator apps are supported by all Salesforce products that provide MFA functionality.

          • Users can log in using any authenticator app that generates temporary codes based on the OATH time-based one-time password (TOTP) algorithm (RFC 6238).

          • In addition to the TOTP algorithm requirement, products built on the Salesforce Platform can use TOTP hardware tokens that meet these requirements:

            • Base32 encoded, 20-byte secret
            • 6-digit code
            • 30-second counter
            • SHA1

            To associate a hardware token with a user, insert a TwoFactorInfo object into the database, as described in the Salesforce Object Reference. Provide the Secret and the user's ID, and set the Type field to TOTP. You can use the Data Loader, Workbench, or custom Apex to insert TwoFactorInfo objects into the database.

          • We recommend using mobile authenticator apps because they exist separately from a user's laptop or workstation. That way, if a bad actor manages to gain access to a user's computer, the user's second factor isn't also compromised. However, if a desktop authenticator app or browser extension is the only option that works for your users, you can satisfy the MFA requirement with these types of methods.
            Note: The Synebo Chrome extension doesn’t comply with the MFA requirement.

            Many password managers allow users to generate TOTP codes for MFA authentication. We recommend using this capability only from password managers that are accessed from mobile devices, or if the password manager itself has MFA protection (for example, using biometric authentication).

          Behind the Scenes

          TOTP authenticator apps generate temporary codes on the basis of a secret key (known only to the user and the service, such as Salesforce) and the current time. A code is valid for 30 seconds and then a new one is generated.

          Salesforce Help | Article