Implement Multi-Factor Authentication for Salesforce Orgs

          Multi-Factor Authentication (MFA) adds a verification factor beyond passwords, significantly reducing the risk of account compromise.

          Control Name

          Multi-Factor Authentication (MFA) Enforcement for Salesforce Orgs

          Recommended Configuration

          Enforce MFA for all user authentication paths, including direct logins, single sign-on (SSO), and API access.

          Control Overview

          MFA adds a factor beyond passwords, significantly reducing the risk of account compromise. Salesforce supports MFA enforcement for direct logins, SSO-based authentication, and API access to protect users, integrations, and sensitive data across environments.

          Security Risk If Not Configured

Without MFA, accounts are protected only by passwords, which can be stolen, guessed, or reused; this significantly increases the likelihood of unauthorized access, especially for privileged users and API integrations.

          Threat Scenarios

          Phishing-based credential theft, brute-force password attacks, compromised credentials reused across systems, unauthorized API access using stolen credentials or tokens.

          Estimated CVSS Score Range

          Critical (9.0–10.0).

          Risk Impact Considerations

          Risk severity depends on the authentication method, user privilege levels, exposure of the org, and whether access occurs via UI, SSO, or APIs.

          Higher Risk When

MFA is not enforced for production, sandbox, or developer orgs; SSO provider sessions lack MFA; or API access is allowed without additional authentication requirements.

          Low Risk When

          • Direct Login MFA: MFA is enabled for all direct user logins across production, sandbox, trial, and developer orgs.
          • SSO MFA Enforcement: MFA is enforced at the SSO provider or via Salesforce high-assurance authentication policies.
          • API MFA Protection: MFA for API Logins permission is enabled to protect API-based access and client applications.
          • Privileged User Coverage: MFA is enforced for all admin and high-privilege users without exception.
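As an added illustration of the four coverage criteria above (example code written for this page, not Salesforce's own tooling or API): a small Python audit that takes login events in a constructed, simplified schema and reports, for every login that reached the org without MFA, which control should have blocked it, plus the per-path share of MFA-verified logins. The record fields, the privileged-profile set, and the sample events are assumptions; mapping a real login-history export onto this schema is left to the reader.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable

# Profiles treated as privileged for the "Privileged User Coverage" check (assumption).
PRIVILEGED_PROFILES = {"System Administrator"}

# Control names taken from the "Low Risk When" list on this page.
CONTROL_BY_PATH = {
    "direct": "Direct Login MFA",
    "sso": "SSO MFA Enforcement",
    "api": "API MFA Protection",
}
PRIVILEGED_CONTROL = "Privileged User Coverage"


@dataclass(frozen=True)
class LoginRecord:
    """One observed authentication event (simplified, constructed schema)."""
    username: str
    org_type: str       # "production", "sandbox", "developer" or "trial"
    login_path: str     # "direct", "sso" or "api"
    mfa_verified: bool  # True if a second factor was verified for this login
    profile: str


@dataclass(frozen=True)
class Finding:
    username: str
    control: str
    detail: str


def evaluate_mfa_coverage(records: Iterable[LoginRecord]) -> list[Finding]:
    """Return one Finding per coverage gap: a login that reached the org
    without MFA, attributed to the control that should have blocked it.
    A privileged user's gap is additionally reported under the
    'Privileged User Coverage' control, since that criterion allows no exceptions."""
    findings = []
    for r in records:
        if r.mfa_verified:
            continue
        control = CONTROL_BY_PATH.get(r.login_path)
        if control is None:
            raise ValueError(f"unknown login path: {r.login_path!r}")
        detail = f"{r.login_path} login without MFA in {r.org_type} org"
        findings.append(Finding(r.username, control, detail))
        if r.profile in PRIVILEGED_PROFILES:
            findings.append(Finding(r.username, PRIVILEGED_CONTROL,
                                    f"privileged profile {r.profile!r}: {detail}"))
    return findings


def coverage_summary(records: Iterable[LoginRecord]) -> dict[str, float]:
    """Percentage of logins per path that were MFA-verified, rounded to 0.1."""
    total = defaultdict(int)
    verified = defaultdict(int)
    for r in records:
        total[r.login_path] += 1
        verified[r.login_path] += int(r.mfa_verified)
    return {path: round(100.0 * verified[path] / total[path], 1) for path in total}


# Constructed sample login events; not real org data.
SAMPLE_LOGINS = [
    LoginRecord("admin@example.com", "production", "direct", True, "System Administrator"),
    LoginRecord("admin@example.com", "production", "api", False, "System Administrator"),
    LoginRecord("jdoe@example.com", "production", "sso", True, "Standard User"),
    LoginRecord("jdoe@example.com", "sandbox", "direct", False, "Standard User"),
    LoginRecord("integration@example.com", "production", "api", True, "Integration User"),
    LoginRecord("etl@example.com", "production", "api", True, "Integration User"),
    LoginRecord("svc@example.com", "production", "sso", False, "Standard User"),
]

if __name__ == "__main__":
    for f in evaluate_mfa_coverage(SAMPLE_LOGINS):
        print(f"[{f.control}] {f.username}: {f.detail}")
    for path, pct in coverage_summary(SAMPLE_LOGINS).items():
        print(f"{path}: {pct}% of logins MFA-verified")
```

On the sample data the admin's API login without MFA produces two findings (one under API MFA Protection, one under Privileged User Coverage), which is the point of the fourth criterion: an exception that looks acceptable for an integration path is still a gap when the account is privileged.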

          Business and Integration Considerations

Customers should assess MFA compatibility with user populations, automation tools, and integrations. API-based workflows can require service accounts or permission-based exceptions; any such exception must still maintain strong security controls.

          Recommended Remediation

          Mandate MFA for all direct logins, SSO, and API access. Regularly audit policies and ensure coverage for privileged users.

          Security Health Review Guidance

          Security Health Review assesses MFA enforcement across login methods, helping customers minimize credential-based risks and meet Salesforce security baselines and Zero Trust standards.

          Salesforce Help | Article