Loading
Salesforce now sends email only from verified domains. Read More
Identify Your Users and Manage Access
Table of Contents
Filter by (0)Add
Select Filters

          No results
          No results
          Here are some search tips

          Check the spelling of your keywords.
          Use more general search terms.
          Select fewer filters to broaden your search.

            Search all of Salesforce Help
            Search all of Salesforce Help
            Enable MFA for Direct User Logins to Salesforce Orgs

            You are here:

            1. Salesforce Help
            2. Docs
            3. Identify Your Users and Manage Access

            Enable MFA for Direct User Logins to Salesforce Orgs

            Users are contractually required to use multi-factor authentication (MFA) when logging in to Salesforce. To help customers satisfy this requirement, MFA is automatically enabled for direct logins to production orgs. It’s a simple process to turn on MFA for direct logins to other environments such as trial or developer orgs, or for your production org if you’re not using MFA yet. Some uses cases are exempt from the MFA requirement, and some types of exempt users must be manually excluded from receiving MFA challenges when logging in.

            Required Editions

            Available in: both Salesforce Classic and Lightning Experience
            Available in: all editions
            Note
            Note

            For full details about the MFA requirement, see the Salesforce Multi-Factor Authentication FAQ.

            • Enable MFA for Your Entire Salesforce Org
              Turn on multi-factor authentication (MFA) for everyone in your org with a single setting. When MFA is enabled, all internal users logging in directly with their username and password must also provide an identity verification method, such as an authenticator app or security key.
            • Enable MFA for External Experience Cloud Site Users (or Specific Internal Users)
              Salesforce doesn’t require multi-factor authentication (MFA) for external users but you can certainly include this class of users in your MFA implementation. To enable MFA for external users who log in directly to your company’s Experience Cloud sites, employee communities, or other types of community portals, apply the Multi-Factor Authentication for User Interface Logins user permission. You can also use the MFA user permission to enable MFA for specific internal users. When MFA is turned on, users logging in directly with their username and password must also provide an identity verification method such as an authenticator app or security key.
            • Enable MFA for Human Logins to Integration User Accounts (Salesforce Orgs)
              Multi-factor authentication (MFA) isn’t required for system integration login types via the API. But MFA is required if admins or anyone else logs in to integration user accounts (also known as API users), even if it’s only to first set up the user or to perform occasional maintenance tasks such as changing passwords or updating security tokens. Integration user accounts are often highly privileged, so MFA is an important mechanism for protecting human logins to these environments.
            • Exclude Exempt Users from MFA for Salesforce Orgs
              Some use cases are exempt from the multi-factor authentication (MFA) requirement. When you or Salesforce enables MFA for your users, many of these use cases — including integration user access via the API — are automatically excluded. But there are a few cases that customers must exclude on their own. If any of these situations apply to your environment, use the Waive Multi-Factor Authentication for Exempt Users user permission.
             
            Loading
            Salesforce Help | Article