Configure the MFA Verification Methods Available to Users for Salesforce Orgs
Salesforce supports multiple MFA verification methods so users can verify their identity during login or device activation.
Control Name
Multi-Factor Authentication (MFA) Verification Methods Configuration
Recommended Configuration
Enable phishing-resistant MFA verification methods, prioritizing built-in authenticators, hardware security keys, and certificate-based authentication.
Control Overview
Salesforce supports multiple MFA verification methods to allow users to verify their identity during login or device activation. These methods range from phishing-resistant authenticators, such as biometrics and hardware security keys, to weaker methods such as SMS-based passcodes. Selecting strong verification methods significantly reduces the risk of credential theft and social engineering attacks.
Security Risk If Not Configured
If strong MFA verification methods are not enabled, users can rely on weaker or less phishing-resistant options. This increases susceptibility to phishing, credential replay, SIM-swapping, and social engineering attacks that can lead to unauthorized access.
Threat Scenarios
- Phishing attacks that capture one-time passcodes.
- SIM-swap attacks targeting SMS-based MFA.
- Session hijacking where authentication is not origin-bound.
- Impersonation of users or systems where certificates are not validated.
Estimated CVSS Score Range
Critical (9.0–10.0).
Risk Impact Considerations
Risk severity depends on user type (internal vs external), access privilege levels, exposure of Experience Cloud sites, and whether authentication methods are phishing-resistant.
Higher Risk When
Only SMS-based MFA is available, phishing-resistant authenticators are not enabled, hardware security keys are not supported, or system-to-system authentication lacks certificate-based validation.
Low Risk When
This control can be considered low risk when implementing one or more of the following:
- Built-In Authenticators: Device-based biometric authenticators such as Touch ID, Face ID, or Windows Hello are enabled.
- Hardware Security Keys: WebAuthn (FIDO2) or U2F security keys are supported and adopted by users.
- Certificate-Based Authentication: Mutual certificate validation is enforced for secure user or system authentication.
- Limited SMS Usage: SMS-based MFA is restricted to external users only and supplemented with additional safeguards where possible.
- Require User Verification During MFA Verification: The org is configured to require user verification during MFA verification, so the authenticator confirms the user's identity (for example, via biometric or PIN) rather than only possession of the device.
Business and Integration Considerations
Customers should consider user experience, device compatibility, external user populations, and regulatory requirements when selecting MFA methods. External-facing Experience Cloud sites may require phased adoption of stronger authentication methods.
Recommended Remediation
Enable built-in authenticators and hardware security keys, configure certificate-based authentication where applicable, limit or phase out SMS-based MFA, and regularly review MFA method adoption and usage.
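The "Low Risk When" list above and the remediation step "regularly review MFA method adoption and usage" both come down to one check: which method tier each user has actually registered, and whether any internal user is left with SMS alone. The script below is an added example, not Salesforce's own code or tooling. It assumes records shaped like the org's TwoFactorMethodsInfo object (field names such as HasBuiltInAuthenticator, HasU2F, HasTotp, HasSalesforceAuthenticator and HasUserVerifiedMobileNumber, and an is_external flag derived from the user's license or profile) and works on constructed sample rows; verify the field names against your org's object reference before feeding it a real SOQL export.

```python
"""Classify MFA method adoption per user and flag users who fall outside the
page's "Low Risk When" guidance.

Added example, not Salesforce code. Field names are assumed to mirror the
TwoFactorMethodsInfo object; a matching export query would look like
  SELECT UserId, HasBuiltInAuthenticator, HasU2F, HasTotp,
         HasSalesforceAuthenticator, HasUserVerifiedMobileNumber
  FROM TwoFactorMethodsInfo
(assumed; confirm against your org's object reference).
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Strength tiers, strongest first, following the page's taxonomy.
PHISHING_RESISTANT = "phishing-resistant"   # built-in authenticator or security key
OTP_APP = "otp-app"                         # Salesforce Authenticator or TOTP app
SMS_ONLY = "sms-only"                       # only a verified mobile number
NONE = "none"                               # nothing registered


@dataclass(frozen=True)
class MfaRecord:
    user_id: str
    is_external: bool                 # assumed: derived from license/profile, not a TwoFactorMethodsInfo field
    has_builtin_authenticator: bool = False
    has_u2f: bool = False             # security key (U2F / WebAuthn)
    has_totp: bool = False
    has_salesforce_authenticator: bool = False
    has_user_verified_mobile: bool = False


def from_row(row: Dict[str, object], is_external: bool) -> MfaRecord:
    """Map one exported row (assumed field names) onto MfaRecord."""
    return MfaRecord(
        user_id=str(row["UserId"]),
        is_external=is_external,
        has_builtin_authenticator=bool(row.get("HasBuiltInAuthenticator", False)),
        has_u2f=bool(row.get("HasU2F", False)),
        has_totp=bool(row.get("HasTotp", False)),
        has_salesforce_authenticator=bool(row.get("HasSalesforceAuthenticator", False)),
        has_user_verified_mobile=bool(row.get("HasUserVerifiedMobileNumber", False)),
    )


def strongest_method(r: MfaRecord) -> str:
    """Return the strongest tier the user has registered; a user with a
    security key and a phone number counts as phishing-resistant, not SMS."""
    if r.has_builtin_authenticator or r.has_u2f:
        return PHISHING_RESISTANT
    if r.has_totp or r.has_salesforce_authenticator:
        return OTP_APP
    if r.has_user_verified_mobile:
        return SMS_ONLY
    return NONE


def review(records: Iterable[MfaRecord]) -> Tuple[Dict[str, int], List[Tuple[str, str]]]:
    """Return (count of users per tier, findings).

    A finding is an internal user whose strongest method is SMS (the page
    only tolerates SMS for external users) or any user with no method at all.
    """
    counts = {PHISHING_RESISTANT: 0, OTP_APP: 0, SMS_ONLY: 0, NONE: 0}
    findings: List[Tuple[str, str]] = []
    for r in records:
        tier = strongest_method(r)
        counts[tier] += 1
        if tier == NONE or (tier == SMS_ONLY and not r.is_external):
            findings.append((r.user_id, tier))
    return counts, findings


# Constructed sample rows (not real org data); the first is in export shape.
SAMPLE = [
    from_row({"UserId": "005AAA", "HasU2F": True, "HasTotp": True}, is_external=False),
    MfaRecord("005BBB", False, has_user_verified_mobile=True),    # internal, SMS only -> finding
    MfaRecord("005CCC", True, has_user_verified_mobile=True),     # external, SMS only -> tolerated
    MfaRecord("005DDD", False, has_salesforce_authenticator=True),
    MfaRecord("005EEE", False),                                   # nothing registered -> finding
]

if __name__ == "__main__":
    tier_counts, review_findings = review(SAMPLE)
    print("users per tier:", tier_counts)
    for user_id, tier in review_findings:
        print(f"REVIEW {user_id}: strongest registered method is {tier}")
```

The ordering in strongest_method is the point: adoption should be measured by the best method a user holds, so a user who registered a security key and also has a phone number on file is not counted as an SMS user, while a user whose only option is SMS shows up as a finding if they are internal.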
Security Health Review Guidance
Security Health Review evaluates MFA verification methods to help customers adopt phishing-resistant authentication, reduce identity-based attack risk, and align with Salesforce-recommended security baselines and Zero Trust principles.

