Common Multi-Factor Authentication (MFA) Troubleshooting for Sales and Service

This article is organized into 13 troubleshooting categories. Use the section headings below to navigate to the topic that matches your issue.

Common MFA Error Messages

These errors typically occur during MFA verification in Sales and Service when users authenticate. If you encounter one of these messages, select the relevant article below for resolution steps.

• Salesforce Authenticator Error: "The service is temporarily unavailable. Try again later."
• "Error: Invalid or expired verification code. Try again." with Multi-Factor Authentication (MFA) Sales / Service
• "Error: You've exceeded the allowed number of attempts." When MFA Verification Fails Multiple Times in Sales /Service
• Error "You do not have access" When Connecting to MFA
• Salesforce Authenticator Error: "Your response wasn't sent"

Salesforce Authenticator Troubleshooting

The following articles address common issues experienced with the Salesforce Authenticator mobile app in Sales and Service. If the Authenticator app is not behaving as expected during login or setup, select the relevant article below for targeted resolution steps.

• Users are prompted for MFA verification multiple times when logging in
• How to Log In to Sales/Service When the Salesforce Authenticator Approval Request Is Not Received
• Salesforce Authenticator Push Notifications or Backups Cannot Be Enabled
• Salesforce Authenticator: Automated verification from a trusted location is not working
• "Backup failed" error in Salesforce Authenticator
• Sales/Service: Salesforce Authenticator displays "We received an unrecognized request" error during MFA login

Additional Resource: Salesforce Authenticator Troubleshooting

Salesforce Authenticator Device Migration

The following articles address how to migrate the Salesforce Authenticator app to a new device. This is typically needed when a user replaces their smartphone or gets a new device. Review the relevant article below before beginning a migration to avoid losing access to your Salesforce org.

• How to Set Up Salesforce Authenticator for MFA
• Sales & Service: How to set up Salesforce Authenticator on a new device without a backup
• MFA: Login will fail after deleting Authenticator during migration

Note: Deleting the Salesforce Authenticator app during migration without first completing a backup or reconnection will cause MFA login to fail.

Registering Verification Methods

The following articles cover how users register MFA verification methods in Sales and Service for the first time or when adding additional methods. Users must register at least one verification method before MFA login is required.

• Setting Up MFA Verification Methods for New Users
• How to Set Up MFA Verification Methods in MFA-Enabled Organizations
• Multi-Factor Authentication (MFA) for Sales/Service | How to Register Without a Mobile Device
• Can users register Multiple Verification Methods for MFA?
• How to Select an MFA Verification Method When Multiple Methods Are Registered

Salesforce Authenticator Settings

Setup Method

• How to Set Up Salesforce Authenticator for MFA

Other Settings

• Update your User Information in Salesforce Authenticator

Disconnecting Verification Methods

The following articles cover how to disconnect MFA verification methods in Sales and Service. Disconnecting MFA may be necessary if a user accidentally deletes the authenticator app, replaces their smartphone, or switches devices.

• Sales & Service: How to Disconnect a User's Multi-Factor Authentication (MFA)
• How to Disconnect a Multi-Factor Authentication (MFA) Verification Method as a User
• Delegate MFA Identity Verification Method Disconnection to Non-System Administrator Users
• Disconnect MFA & Generate Temporary Codes (Essentials/Starter)

Note: Disconnecting a user's MFA verification method is typically performed by a System Administrator. Non-admin users may disconnect their own methods in certain configurations

MFA Permission Assignment

The following articles address issues related to assigning MFA-related permissions in Sales and Service. Incorrect permission assignments can prevent MFA from functioning correctly or block users from enabling or waiving MFA for specific user profiles.

• Necessity of the "Multi-Factor Authentication for User Interface Logins" User Permission After Enabling Org-Wide MFA
• Cannot Enable "Multi-Factor Authentication for User Interface Logins" on Standard Profiles
• Error When Assigning the "Manage MFA in User Interface" Permission
• MFA: Unable to Assign "Waive Multi-Factor Authentication for Exempt Users" Permission

Identity Verification Troubleshooting

The following articles address identity verification errors that can occur during MFA login or when adding a new verification method. These issues are often caused by email delivery problems or configuration mismatches in the org.

• Salesforce MFA: Verification Code Email Not Received When Adding New Verification Method
• An Error message, "Problem Verifying Your Identity", displays when generating a temporary verification code for MFA
• "Problem Verifying Your Identity" Error When Logging In to Sales/Service with Multi-Factor Authentication (MFA)

MFA via Single Sign-On (SSO)

The following article addresses MFA behavior when users log in via Single Sign-On (SSO). When SSO is used, MFA may be handled by the identity provider rather than Salesforce, which can affect whether users are prompted for MFA verification.

• Why is MFA Not Required for SSO Login After Auto-Enablement?

Security Keys

The following article addresses issues with FIDO2-compliant physical security keys used as MFA verification methods in Sales and Service. Security keys must be FIDO2 or WebAuthn-compliant to be used for Salesforce MFA.

• Security key is unresponsive for MFA authentication on the Salesforce mobile app

Built-in Authenticators

The following article covers how to manage built-in device authenticators (such as Face ID, Touch ID, or Windows Hello) when switching to a new device. Built-in authenticators are bound to the device they are registered on and must be re-registered on a new device.

• Manage Built-in Authenticators When Switching Devices

Domain Change Considerations

The following article covers important considerations for security keys and built-in authenticators when the My Domain URL is changed in a Salesforce org. Changing the My Domain URL may require users to re-register their security keys or built-in authenticators.

• Considerations for Security Keys and Built-in Authenticators When Changing My Domain URL in Salesforce Core

Note: Customers should review this article before making any My Domain URL changes to avoid MFA login disruptions post-change.

Logging In Temporarily Without MFA

The following article covers how a System Administrator can generate a Temporary Verification Code for a user who is unable to log in after MFA has been enabled in their org. This is typically used when a user has lost access to their registered verification method.

• How to Generate a Temporary Verification Code for a User Unable to Log In After Enabling MFA in Sales / Service

Note: Generating a Temporary Verification Code is performed by a System Administrator within the org. If the System Administrator is also locked out, contact Salesforce Support for assistance.