          Set MFA Login Requirements for API Access (Salesforce Orgs)

          Multi-factor authentication isn’t contractually required for system integration login types via the API. But you can add extra protection for API access with the Multi-Factor Authentication for API Logins permission. With this permission enabled, users are required to complete a second authentication challenge to access Salesforce APIs. API access includes the use of client applications such as the Data Loader and connected apps.

          Required Editions

          Available in: both Salesforce Classic and Lightning Experience
          Available in: all editions
          User Permissions Needed
          To edit system permissions in profiles: Manage Profiles and Permission Sets
          To enable this feature: Multi-Factor Authentication for User Interface Logins
          Note: For full details about the contractual MFA requirement, see the Salesforce Multi-Factor Authentication FAQ.

          The Multi-Factor Authentication for User Interface Logins permission is a prerequisite for the Multi-Factor Authentication for API Logins permission. Before the Multi-Factor Authentication for API Logins permission takes effect, users must access Salesforce through the UI and complete MFA using Salesforce Authenticator or a third-party authenticator app. After users have completed MFA through the UI, they can use time-based, one-time passwords (TOTPs) generated by their authenticator app for API logins.

          Note: You can’t assign the Multi-Factor Authentication for User Interface Logins permission to users with the Salesforce Limited Access – Free license. We're working to resolve this issue.

          For developer tools that use API logins, users log in with a security token or TOTP instead of Salesforce Authenticator when MFA is enabled.
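
As an added illustration that is not part of the Salesforce documentation: how an authenticator app derives the TOTP that an API client presents, following RFC 6238, with a guard against submitting a code that is about to roll over. The 30-second step, 6-digit length, HMAC-SHA1 and all helper names are assumptions (common authenticator-app defaults, not stated on this page), and the seed is the constructed RFC test key.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds per code; assumed authenticator-app default
DIGITS = 6   # assumed code length


def decode_secret(b32):
    """Decode a seed as enrollment screens show it: Base32, maybe spaced, unpadded."""
    cleaned = b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(key, at=None, step=STEP, digits=DIGITS):
    """RFC 6238: HOTP with the counter set to the number of elapsed time steps."""
    now = time.time() if at is None else at
    return hotp(key, int(now // step), digits)


def seconds_left(at=None, step=STEP):
    """Seconds until the current code rolls over."""
    now = time.time() if at is None else at
    return step - int(now) % step


def code_for_login(key, at=None, min_valid=5, step=STEP):
    """Return (code, delay): wait `delay` seconds first if the current code is
    about to roll over, so it is not stale when the login request arrives."""
    now = time.time() if at is None else at
    left = seconds_left(now, step)
    if left < min_valid:
        return totp(key, now + left, step), left
    return totp(key, now, step), 0


if __name__ == "__main__":
    seed = decode_secret("GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ")  # constructed RFC test seed
    print(totp(seed), seconds_left())
```

The seed is a long-lived secret: an integration that stores it beside the account password holds both factors in one place, so keep it in a separate secrets store.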

          Note: API Only users can access the UI to register for MFA only. After a successful registration, API Only users can no longer access the UI.

          For connected apps, only these standard OAuth 2.0 flows support API logins with the high assurance MFA session security level.

          • Web server flow
          • Refresh token flow
          • User-agent flow
          • JSON Web Token (JWT) bearer flow

          All other standard OAuth 2.0 flows block API logins with the high assurance MFA session security level. It’s possible that users are prompted to verify their identity twice with high assurance MFA during an OAuth approval flow. The first challenge occurs in the UI session. The second challenge happens when the access token is bridged into the UI. This second challenge is triggered because the high assurance MFA session security level isn’t transferred to the access token. For more information, see Session Security Levels.

           