SMS Identity Verification

By default, SMS one-time passcodes are available to Salesforce users as a verification method for device activation only. SMS one-time passcodes aren’t allowed as a verification method for internal users when multi-factor authentication (MFA) is enabled. However, external users who only access your Experience Cloud sites can use SMS one-time passcodes to log in with MFA. Learn how to configure this option. For information about the contractual requirement to use MFA when accessing Salesforce products, see the Salesforce Multi-Factor Authentication FAQ .

When a user requests an SMS one-time passcode, Salesforce sends a six-digit passcode to their verified mobile number. To finish verifying their identity, the user must enter the passcode in Salesforce within 15 minutes of receiving it.

If a user misses the 15-minute window to enter the passcode, they can request a different one. To limit the abuse of SMS functionality, users can’t request a passcode more than five times within the span of one hour.

• Countries Supported for SMS Identity Verification
  These countries and regions are supported for SMS delivery in Salesforce orgs and Experience Cloud sites. For information about unsupported countries and regions, see our compliance documentation.