
Salesforce Multi-Factor Authentication FAQ

Publish Date: Apr 22, 2025
Description

Customer trust is our highest priority at Salesforce. The global threat landscape is constantly evolving, and the types of attacks that can cripple a business and exploit consumers are on the rise. To help protect against these types of threats, Salesforce requires all customers to use multi-factor authentication (MFA) when accessing Salesforce products. MFA is one of the easiest, most effective tools for enhancing login security, and safeguarding your business and data against security threats.

Use this document to understand MFA requirement policies and to ensure your users are satisfying this contractual requirement. For guidance on configuring MFA for your Salesforce product, see the 'MFA Help for Your Salesforce Products' section on the MFA customer site.

This article was last updated on: June 28, 2024.

Resolution

Frequently Asked Questions

Requirement to Enable MFA

Scope of the MFA Requirement

MFA for Direct Logins to Salesforce Products

MFA for SSO Logins to Salesforce Products

Verification Methods for MFA

Be Prepared for MFA

MFA Requirement Guidance for Salesforce Partners/Service Providers

Learn More

 


Requirement to Enable MFA

 

What is MFA and how does it work?

MFA increases protection for user accounts against common threats like phishing attacks, credential stuffing, and account takeovers. It adds another layer of security to your login process by requiring users to enter two or more pieces of evidence — or factors — to prove they’re who they say they are. One factor is something the user knows, such as their username and password combination. Other factors are verification methods that the user has in their possession, such as an authenticator app or security key. A familiar example of MFA at work is the two factors needed to withdraw money from an ATM. Your ATM card is something that you have and your PIN is something you know.

By tying user access to multiple, different types of authentication factors, it’s much harder for a bad actor to access your Salesforce environment. For example, even if a user’s password is stolen, the odds are very low that an attacker will also be able to guess or hack a code from the user’s authentication app.

To learn more, check out the How Multi-Factor Authentication Works to Protect Account Access video.

Back to Top

 

What is the MFA requirement?

Customers are contractually required to ensure that all internal users use MFA for every login through the user interface to Salesforce products (including partner solutions). The requirement applies equally to direct logins using a Salesforce username and password and to single sign-on (SSO) logins.

The MFA requirement went into effect on February 1, 2022. The requirement is documented in the terms of service in the Notices and Licenses Information section of the Salesforce Trust and Compliance Documentation and the applicable Salesforce User Guide.

For direct logins to Salesforce products, MFA functionality is provided at no extra cost. For SSO logins, use your SSO provider’s MFA service.


Back to Top

 

Why is Salesforce requiring MFA?

There's nothing more important than the trust and success of our customers. As the global threat landscape evolves, the types of attacks that can cripple a business and exploit consumers are on the rise.

A key part of your security strategy is safeguarding access to your Salesforce user accounts. On their own, usernames and passwords no longer provide sufficient protection against cyberattacks. That's where MFA comes in. It's one of the simplest, most effective ways to prevent unauthorized account access and safeguard your data and your customers' data. We're requiring customers to implement MFA to help mitigate the risks stemming from threats like phishing attacks, credential stuffing, and compromised devices.

Back to Top

 

What has Salesforce done to help customers satisfy the MFA requirement?

With one exception, MFA is now a permanent part of the direct login process for all Salesforce products. When users log in to a Salesforce product with their username and password, they are also prompted to provide an MFA verification method. See How are my users affected when MFA is turned on? for more details.

For products built on the Salesforce Platform, see What is the current plan for enforcing MFA for products built on the Salesforce Platform?

Note: Users who access Salesforce products through SSO aren’t affected by the MFA functionality provided by Salesforce. But remember that MFA is contractually required for all Salesforce users who authenticate via SSO. See Will Salesforce enforce MFA for SSO? for more information.

Back to Top

 

How can we verify that our MFA implementation satisfies the MFA requirement?

To confirm that you’re using an MFA solution that meets the requirement, review the terms of service in the Notices and Licenses Information section of the Salesforce Trust and Compliance Documentation and the applicable Salesforce User Guide, as well as the details in this FAQ.

You can also use the MFA Requirement Checker, which guides you through a few questions to see if your implementation meets the requirement. The site provides next steps if you're not quite there yet.

If you have an IT or cybersecurity team, we recommend getting their guidance. And you can always take your questions to the MFA - Getting Started Trailblazer Community group.

Back to Top

 

Is it necessary to certify that our MFA implementation satisfies the MFA requirement?

Salesforce doesn’t require customers to certify compliance with their contractual obligations. In keeping with this practice, customers don’t need to obtain formal certification or otherwise attest to Salesforce that they satisfy the contractual MFA requirement.

Back to Top

 

What happens if we don't satisfy the MFA requirement?

The MFA requirement went into effect on February 1, 2022, and since that time, Salesforce has enabled and enforced MFA for direct logins to Salesforce products. If your products don’t satisfy the MFA requirement because you haven’t implemented MFA for SSO logins and/or you’ve disabled your products’ Salesforce MFA functionality:

  • You’re out of compliance with your contractual obligations under the Main Services Agreement (MSA), which incorporates MFA terms of service via the Notices and Licenses Information section of the Salesforce Trust and Compliance Documentation.

  • You assume any risks associated with not using MFA when accessing Salesforce products.

We recommend speaking with your legal team to understand the implications of not using MFA. You can also contact your Salesforce representative if you're concerned about how to satisfy the requirement. We'll work with you to find a solution.

Back to Top

 

What is the current plan for enforcing MFA for products built on the Salesforce Platform?

Data protection is a shared responsibility, where Salesforce builds security into our products and customers leverage the provided resources and tools — including MFA — to further strengthen the security of their Salesforce orgs. Thanks to the partnership of our customers and their commitment to safeguarding user account access, the program to automatically enable MFA has been extremely successful.

Because of the high rate of MFA adoption for products built on the Salesforce Platform, and to be respectful of our customers’ valuable time and resources, we’ve shifted to a notification model instead of technically enforcing MFA. We recognize that it can be helpful for Salesforce admins to retain the option to briefly disable MFA for testing or configuration purposes. However, keep in mind that while MFA is turned off, you're out of compliance with your contractual obligation to use it, so re-enable it as soon as possible.

For more information about MFA non-compliance notifications, see this release note.

What does this change mean for the MFA requirement?
The contractual requirement to use MFA remains in effect. We’ll be keeping track of MFA usage across all Salesforce orgs. If MFA adoption rates for products built on the Salesforce Platform decline, we’ll resume the program to technically enforce MFA — with advance notice, of course!

Note that there are no changes to MFA enforcement for other Salesforce products.

Back to Top

 

As a potential or new customer, how does the MFA requirement apply to my Salesforce products?

MFA is automatically part of the direct login experience for all Salesforce products. When you purchase a Salesforce product, MFA is required every time users log in directly to your production environment's user interface. After entering their username and password, users are prompted to verify their identity with an additional verification method. At first login, users are prompted to select and register a verification method. On-screen prompts guide users through the registration steps. See How are my users affected when MFA is turned on? for more details. And see the Verification Methods for MFA section for more information about the types of methods available to your users.

If you’re planning to integrate your Salesforce products with single sign-on (SSO), ensure that MFA is included in your implementation. You can use your SSO provider’s MFA service. Or, for products that are built on the Salesforce Platform, you can use the free MFA functionality provided in Salesforce instead of enabling MFA at the SSO level. See Use Salesforce MFA for SSO Logins in Salesforce Help for details.

Back to Top

 


Scope of the MFA Requirement

 

Which user, login, and environment types require MFA?

Customers can satisfy the MFA requirement by ensuring that MFA is enabled for all internal users who log in to Salesforce products (including partner solutions) through the user interface. See the following tables for full details about how user types, login types, and environments are affected by the requirement.

MFA Requirements for User Types

User Type

MFA Required to Log In?

Notes

Internal users

Yes

An internal user is anyone who has a standard user license and can access your Salesforce org's UI, including admins, developers, privileged users, standard users, and users authorized to act on your company's behalf, such as partners and third-party agencies.

External users

No

External users can only access your company's Experience Cloud sites, e-commerce sites or storefronts, help portals, employee communities, and so forth. For products built on the Salesforce Platform, an external user is anyone who has a Community, Employee Community, or External Identity license. See Is MFA required for customer and partner Experience Cloud sites? for more information.

Tableau Cloud customers: MFA isn't required for Tableau Cloud external users who consume visualizations in embedded contexts or for external users of a customer's Tableau Cloud site.

Note that some local jurisdictions or industries have stricter regulatory requirements regarding MFA that can result in these types of users requiring MFA.

Chatter External, Chatter Free users

No

 

Chatter Only (Chatter Plus) users

Yes

 

 

MFA Requirements for Login Types and Authentication Methods

Login Type / Authentication Method

MFA Required?

Notes

Direct (Human) Logins to the UI

Yes

Applies to all Salesforce interfaces, including mobile apps and client apps like Data Loader. (Note that Data Loader has two login options. When MFA is enabled, the OAuth option, a UI login, generates an MFA challenge while Password Authentication, an API login, does not. The Data Loader OAuth option doesn't support security keys or built-in authenticator verification methods.)

MFA is required if admins or anyone else logs in to integration user (also known as API user) accounts. See Is MFA required for my integration users? for more information.

See the MFA for Direct Logins to Salesforce Products section for more information.

SSO (SAML, OpenID Connect)

Yes

See the MFA for SSO Logins to Salesforce Products section for more information.

Automated Testing and RPA Account Logins to the UI

No

See Is MFA required for RPA or automated testing accounts? for more information.

System Integration Login Types via the API

No

See Is MFA required for my integration users? for more details.

Device Activation / Identity Verification

Yes

Device activation isn't the same as MFA and it doesn't satisfy the MFA requirement. Salesforce products that include device activation must require MFA for every login. See What is Device Activation and how is it related to MFA? for more information.

Delegated Authentication

Yes

 

Risk-Based/Continuous Authentication

Depends

See Does risk-based / continuous authentication meet the MFA requirement? for details.

Trusted Corporate Devices / Device Certificates

Depends

See Do trusted corporate devices meet the MFA requirement? for details.

Trusted Networks

Depends

See Does restricting logins to trusted networks meet the MFA requirement? for details.

User Certificates

Depends

See Do user certificates meet the MFA requirement? for details.

 

MFA Requirements for Types of Orgs and Tenants

Org / Tenant Type

MFA Required?

Notes

Production environments

Yes

 

Experience Cloud sites, e-commerce sites, help portals, employee communities

No

See Is MFA required for customer and partner Experience Cloud sites? for more information.

Sandbox environments (Partial, Full, Developer, Pro)

See Notes

See Is MFA required for sandbox environments? to learn how the MFA requirement applies to internal testing environments.

Scratch orgs

No

 

Developer Edition and Partner Developer Edition environments

See Notes

The MFA requirement does not apply to these environments. But we strongly recommend enabling MFA for DE orgs that include any customer data, intellectual property, or other Salesforce production data.

Enablement Sites (myTrailhead)

Depends

If you use Salesforce Identity for Enablement as the authentication provider for your enablement site, MFA is required. After MFA is enabled for your Salesforce org, users who access your enablement site are automatically prompted to satisfy an MFA challenge when logging in.

If you use a Trailblazer account as the authentication provider for your enablement site, MFA is not required.

Trailhead Playgrounds

No

 

Trials

See Notes

Trials have a grace period before the MFA requirement applies. See Is MFA required for product trials? for details.

Back to Top

 

Is MFA required for Salesforce products accessed via single sign-on (SSO)?

Yes, the MFA requirement applies to all users who access a Salesforce product’s user interface, whether by logging in directly or via SSO. If your Salesforce products are integrated with SSO, ensure that MFA is enabled for all your Salesforce users. For example, you can use your SSO provider’s MFA service. Or, for products that are built on the Salesforce Platform, you can use the free MFA functionality provided in Salesforce instead of enabling MFA at the SSO level. See Use Salesforce MFA for SSO Logins in Salesforce Help for details.

Customers are fully responsible for the protection of accounts that are accessed using their SSO identity provider (IdP). An identity provider is a trusted system that stores and manages digital identities and authenticates your users.


Back to Top

 

Is MFA required for customer and partner Experience Cloud sites?

MFA is not required for your company's Experience Cloud sites, employee communities, help portals, or e-commerce sites/storefronts. You don't have to enable MFA for external users who access these sites. You can identify external users by these types of licenses:

  • Community licenses

  • External Identity licenses

  • Employee Community licenses (either a Salesforce Platform license paired with a Company Community for Lightning Platform permission set license or a legacy Company Community license)

MFA is not required for external users who were issued non-community licenses by Salesforce or a Salesforce partner solely for the purpose of accessing employee or other communities.

Note that MFA is required for internal users (that is, anyone with a standard user license) who log in to your company's Employee Community or other Experience Cloud sites.

Back to Top

 

Are logins to Salesforce mobile and desktop apps included in the MFA requirement?

Yes. All Salesforce, custom, AppExchange, and partner mobile and desktop apps that are accessed via user interface logins are included in the MFA requirement. This includes the Salesforce Mobile App, the Marketing Cloud mobile app, Salesforce Inbox, Quip, and integrations with Gmail™ and Outlook®.

Note: On the Login History page in Setup, logins to Salesforce mobile apps display as 'Remote Access 2.0' login types. And subsequent app usage is often handled with token exchanges via API calls. However, mobile app users are not API users. Mobile app logins require MFA because users are logging in to the user interface.
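The Login History page is also where you can check that direct UI logins are actually carrying an MFA factor. The following script is an added example for this FAQ, not Salesforce tooling: it reads a Login History CSV export, treats 'Application' and 'Remote Access 2.0' rows as direct UI logins that must show an MFA factor, sets SSO rows aside (their MFA happens at the identity provider, so it has to be verified there), and ignores API login types. The column names, the 'Application' and SAML LoginType strings, and the use of an AuthMethodReference column carrying RFC 8176 amr values such as 'pwd' and 'mfa' are assumptions to check against your own export; the sample rows are constructed.

```python
"""Audit a Login History export for direct UI logins that completed without MFA.

Added example for this FAQ, not Salesforce code. Assumptions (not stated in
the FAQ): the input is a CSV export of Login History with the columns
Username, LoginType, Status and AuthMethodReference; AuthMethodReference
holds space-separated RFC 8176 amr values such as "pwd" and "mfa"; and the
LoginType strings below match what your org records. Sample rows are
constructed for the example.
"""
import csv
import io
from collections import Counter

# Login types that represent a human at a user interface and so fall under
# the MFA requirement. "Remote Access 2.0" is how mobile app logins appear.
DIRECT_UI_LOGIN_TYPES = {"Application", "Remote Access 2.0"}

# SSO logins: MFA is performed by the identity provider, so the Salesforce
# record alone cannot prove it. These are reported for an IdP-side check.
SSO_LOGIN_TYPES = {"SAML Sfdc Initiated SSO", "SAML Idp Initiated SSO"}

# Constructed sample export (not real users or real login records).
SAMPLE_EXPORT = """Username,LoginType,Status,AuthMethodReference
admin@example.com,Application,Success,pwd mfa
rep@example.com,Remote Access 2.0,Success,pwd
integration@example.com,Other Apex API,Success,pwd
rep@example.com,Application,Invalid Password,
sso.user@example.com,SAML Sfdc Initiated SSO,Success,
"""


def parse_export(text: str) -> list:
    """Read the CSV into one dict per login record."""
    return list(csv.DictReader(io.StringIO(text)))


def amr_values(row: dict) -> set:
    """Split the amr column into its individual method identifiers."""
    return set((row.get("AuthMethodReference") or "").split())


def audit(rows: list) -> dict:
    """Classify successful logins and flag direct UI logins lacking an mfa amr."""
    missing_mfa = []      # (username, login type) pairs that need attention
    sso_users = set()     # users whose MFA must be verified at the IdP
    counts = Counter()
    for row in rows:
        if row["Status"] != "Success":
            continue      # failed attempts never completed authentication
        login_type = row["LoginType"]
        if login_type in DIRECT_UI_LOGIN_TYPES:
            counts["direct_ui"] += 1
            if "mfa" not in amr_values(row):
                missing_mfa.append((row["Username"], login_type))
        elif login_type in SSO_LOGIN_TYPES:
            counts["sso"] += 1
            sso_users.add(row["Username"])
        else:
            counts["api_or_other"] += 1   # API logins are out of scope
    return {
        "missing_mfa": missing_mfa,
        "sso_users": sorted(sso_users),
        "counts": dict(counts),
    }


if __name__ == "__main__":
    report = audit(parse_export(SAMPLE_EXPORT))
    for user, login_type in report["missing_mfa"]:
        print(f"NO MFA: {user} via {login_type}")
    for user in report["sso_users"]:
        print(f"SSO: verify MFA at the identity provider for {user}")
    print(report["counts"])
```

Run it against a real export and the 'NO MFA' lines are the direct UI logins to chase down; the SSO lines are users whose MFA evidence lives in the identity provider's logs, not in Salesforce.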

Back to Top

 

Is MFA required for sandbox environments?

Whether MFA is required for your sandbox environments depends on the Salesforce product.

  • For products built on the Salesforce Platform:

    • Sandboxes are currently excluded from the MFA requirement. The requirement may apply in the future.

    • Even though MFA isn’t required for sandboxes at this time, we strongly recommend using MFA for these environments if they include any intellectual property, customer data, or other Salesforce production data.

  • For B2C Commerce and Marketing Cloud Intelligence: MFA is required for sandbox environments. These environments will be affected when MFA is enforced for B2C Commerce and Marketing Cloud Intelligence customers.

  • For products that don't have formal sandbox environments, such as Marketing Cloud Engagement and Tableau Cloud, MFA is required even for tenants, orgs, or instances that are used solely for testing purposes.

Back to Top

 

Is MFA required for my integration users?

The MFA requirement doesn't apply to system integration login types via the API.

Notes:

  • MFA is required if admins or anyone else logs in to integration user accounts (also known as API users) – even if it’s only to first set up the user or to perform occasional maintenance tasks such as changing passwords or updating security tokens. These types of users are often highly privileged, so it’s important to use MFA to protect human access to these accounts.

  • For products built on the Salesforce Platform: If an org is used solely for integration purposes, the Require multi-factor authentication (MFA) for all direct UI logins to your Salesforce org setting doesn’t have any impact on your org’s operations. It’s safe and recommended to leave this setting turned on.

Back to Top

 

Is MFA required for RPA or automated testing accounts?

No, accounts for test automation tools, such as Selenium™, Cucumber™, or Appium®, and Robotic Process Automation (RPA) systems such as Automation Anywhere®, don't require MFA. These types of accounts aren't likely to be phished. But you should take precautions with the credentials for automation accounts to guard against bad actors using them to gain access to your Salesforce environments. If your RPA or testing tools support automating MFA with time-based one-time passcodes (TOTP) during login, we recommend doing so. Other options include managing automation account credentials via a privileged account management (PAM) system.
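Where a test harness or RPA tool can automate the TOTP step, the harness needs to compute the same code an authenticator app would. The block below is an added example, not Salesforce code or any RPA vendor's: an RFC 6238 TOTP generator (built on RFC 4226 HOTP), a decoder for the base32 secret an authenticator app registration displays, and a drift-tolerant verifier of the kind a vault-backed harness can use to self-check before typing a code. The base32 secret and the idea that the harness fetches it from a secrets store are assumptions for the example; the expected values come from the published RFC 6238 and RFC 4226 test vectors.

```python
"""RFC 6238 TOTP for an automation account's login step.

Added example, not Salesforce code or any RPA vendor's. Assumptions: the
automation user was registered with a third-party TOTP authenticator, the
base32 secret shown at registration is stored in a secrets manager (never in
the test repository), and the harness pulls it at run time. The secret below
is the RFC 6238 reference key, used here only so the test vectors hold.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HMAC-based one-time password for a given counter."""
    msg = struct.pack(">Q", counter)                       # 8-byte big-endian
    mac = hmac.new(key, msg, algo).digest()
    offset = mac[-1] & 0x0F                                # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at: Optional[int] = None, step: int = 30,
         digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 time-based OTP; `at` is a Unix timestamp (defaults to now)."""
    if at is None:
        at = int(time.time())
    return hotp(key, at // step, digits, algo)


def decode_base32_secret(secret: str) -> bytes:
    """Authenticator apps show secrets as base32, often lower-case, spaced
    and without padding; normalise before decoding."""
    s = secret.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def verify_totp(key: bytes, code: str, at: int, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Accept the current step and `window` steps either side to tolerate
    clock drift between harness and server; compare in constant time."""
    for offset in range(-window, window + 1):
        candidate = hotp(key, at // step + offset, digits)
        if hmac.compare_digest(candidate, code):
            return True
    return False


# Hypothetical secret as it would come back from the secrets store
# (base32 of the RFC 6238 reference key "12345678901234567890").
AUTOMATION_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def code_for_login_form(secret_b32: str = AUTOMATION_SECRET_B32) -> str:
    """The six digits the RPA/test harness types into the verification field."""
    return totp(decode_base32_secret(secret_b32))


if __name__ == "__main__":
    print("current code:", code_for_login_form())
```

The secret is the credential here: anyone holding it can mint codes indefinitely, so it needs the same handling as the automation account's password (vault storage, scoped access, rotation), and the harness should never log the code or the secret.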


Back to Top

 

Does risk-based / continuous authentication meet the MFA requirement?

Risk-based authentication, also known as adaptive authentication or Continuous Adaptive Risk and Trust Assessment (CARTA), is an authentication system that continually analyzes the risk associated with a user by monitoring multiple signals coming from the user, the user’s device, and how and when the user accesses services. If the level of risk in a given situation warrants, the identity provider or authentication service automatically requires the user to satisfy additional security challenges. To learn more, see this article.

If you've already integrated a risk-based authentication system with your SSO solution, your implementation complies with the MFA requirement. If you'd like to consider this type of solution, there are a number of technology providers that you can work with.


Back to Top

 

Do trusted corporate devices meet the MFA requirement?

On their own, trusted corporate devices with certificates issued by services like Active Directory or Mobile Device Management (MDM) don’t satisfy the MFA requirement because device certificates can be compromised and used by anyone who has access to the device.

If you use device certificates for user access, you should turn on MFA for your SSO identity provider or your Salesforce products. If that’s not feasible, however, you can satisfy the MFA requirement by meeting these two conditions for SSO or direct logins:

  • Users must log in from trusted corporate devices that have been issued a device certificate and are managed by a device management solution, and

  • Trusted devices are used only on a trusted network, such as a corporate network accessed from the office or a corporate-provided secure network access solution such as VPN or a zero trust network access (ZTNA) product.


In addition, we recommend following good IT hygiene practices, including enabling endpoint security software, such as Windows Defender or CrowdStrike, on trusted devices.


Back to Top

 

Does restricting logins to trusted networks meet the MFA requirement?

On its own, using a trusted network doesn’t satisfy the MFA requirement. If you require users to be on a trusted network to access SSO, you should turn on MFA for your SSO identity provider. Similarly, if your Salesforce product supports using IP allowlists, trusted IP ranges, or login IP ranges to control direct logins, we recommend turning on your product's MFA functionality to satisfy the MFA requirement.

But if that’s not feasible, you can satisfy the MFA requirement by meeting these two conditions for SSO or direct logins:

  • Users must log in from trusted corporate devices that have been issued a device certificate and are managed by a device management solution, and

  • Trusted devices are used only on a trusted network, such as a corporate network accessed from the office or a corporate-provided secure network access solution, such as VPN or a zero trust network access (ZTNA) product.


In addition, we recommend following good IT hygiene practices, including the use of endpoint security software, such as Windows Defender or CrowdStrike, on trusted devices.


Back to Top

 

Does using VPN or Zero Trust Network Access satisfy the MFA requirement?

On its own, a secure network access solution such as VPN or a zero trust network access (ZTNA) product doesn’t satisfy the MFA requirement. If using MFA for SSO or direct logins isn't feasible, customers can satisfy the MFA requirement by requiring the use of both trusted networks and trusted devices to access Salesforce products.

If a user connects via network access technology, such as VPN or a ZTNA product, they satisfy the criteria for being on a trusted network. To satisfy the trusted device criteria, you need to:

  • Limit trusted network access to corporate managed devices

  • Or, if you allow unmanaged devices on your corporate network, secure the user by requiring MFA for network access or by using a risk-based/continuous authentication system


If using a combination of trusted devices and trusted networks isn't an option, satisfy the MFA requirement by turning on MFA for your SSO identity provider or your Salesforce products.


Back to Top

 

Do user certificates meet the MFA requirement?

If you use certificate-based authentication for your Salesforce org, or if your SSO implementation uses user certificates instead of usernames and passwords, you don’t satisfy the MFA requirement.

To meet the requirement, you should turn on MFA for your Salesforce products or your SSO identity provider. But if that’s not feasible, you can achieve MFA and satisfy the requirement by configuring your certificate service to require a PIN before users can select or receive a user certificate (for example, when logging in with a PIV or CAC card).


Back to Top

 

Can we use a password manager instead of MFA?

A password manager plays an important role in your defense-in-depth strategy, but it's not a substitute for MFA. You can use this type of tool to ensure that users create strong and hard-to-predict passwords, don't reuse passwords, and change passwords on a recommended schedule. But passwords — even strong ones — aren't sufficient protection against unauthorized account access because they can be compromised by common threats like phishing attacks, credential stuffing, and malware. Password managers don't provide the enhanced login security that you get by requiring two or more authentication factors via MFA.

Back to Top

 

Is MFA required for product trials?

Trials of Salesforce products have a grace period before the MFA requirement applies. If a trial period is extended or otherwise lasts longer than 45 days, MFA must be enabled for all users in the environment by the 45th day. When a trial is converted to production, MFA is automatically enabled for direct logins and all users must provide a verification method in addition to their username and password.

Back to Top

 

Are there any products that are excluded from the MFA requirement?

Yes. Salesforce doesn't require MFA for the following on-premises products:

  • MuleSoft Anypoint Platform On-Premises Edition.

  • On-Premises Tableau Server and Tableau Public. In addition, Tableau Desktop, Tableau Prep, Tableau Content Migration Tool (CMT), and Tableau Resource Monitoring Tool (RMT) are excluded, unless connected to Tableau Cloud.

Back to Top

 

If I have a Salesforce subscription with a partner, does the MFA requirement apply?

If you purchased your Salesforce subscription(s) from a Salesforce reseller or OEM partner, you are still required to enable MFA for your users. You can contact your Salesforce reseller or OEM partner for more information about the MFA requirement.

Back to Top

 

Is MFA required for Environment Hub?

(This topic applies to products built on the Salesforce Platform only.)

MFA is required for any logins to Environment Hub that result in authenticating into a production org.

The MFA requirement doesn’t apply to Developer Edition, Partner Developer Edition, or scratch orgs. So if you’re using Environment Hub to access these types of environments, MFA isn’t required.

Back to Top

 

Can we turn on MFA for privileged users only?

To satisfy the MFA requirement, all internal users who log in to your Salesforce products (including partner solutions) through the user interface must use MFA. MFA for admins and privileged users is your top priority because these types of users have the types of permissions that make their accounts desirable targets. There's higher risk if an attacker gets access to these types of accounts.

Back to Top

 

Do we have to use the same MFA solution for all our Salesforce users?

The crux of the MFA requirement is that all of your Salesforce users must provide a strong verification method in addition to their password when they access Salesforce products. If needed, you can accomplish this by deploying multiple MFA solutions. For example, if you have a mix of SSO and non-SSO users, ensure that MFA is enabled for your SSO implementation in addition to using your Salesforce product’s MFA functionality for users who log in directly.

Back to Top

 


MFA for Direct Logins to Salesforce Products

 

Which Salesforce products support MFA?

MFA functionality is included in these Salesforce products:

  • All products built on the Salesforce Platform, including: Sales Cloud, Service Cloud, Analytics Cloud, B2B Commerce Cloud, Experience Cloud, Industries products (Consumer Goods Cloud, Education Cloud, Financial Services Cloud, Government Cloud, Health Cloud, Manufacturing Cloud, Nonprofit Cloud, Philanthropy Cloud), Marketing Cloud Audience Studio (formerly DMP), Marketing Cloud Account Engagement (powered by Pardot), Platform, Salesforce Essentials, Salesforce Field Service, and partner solutions

  • B2C Commerce Cloud

  • Heroku

  • Marketing Cloud Engagement (powered by Email, Messaging, and Journeys)

  • Marketing Cloud Intelligence (powered by Datorama)

  • Marketing Cloud Social

  • MuleSoft Anypoint Platform

  • Quip products

  • Tableau Cloud

To learn more about MFA for these products, see the Salesforce MFA customer site.

Back to Top

 

How can we exclude MFA-exempt use cases when MFA is turned on?

As documented in this FAQ, there are some use cases where MFA isn't required, such as automated testing and RPA accounts, system integration login types via the API, Developer Edition and scratch orgs, and so forth. Most of these cases are automatically excluded from needing to use MFA. But depending on your products, a few use cases require some action on your part to be excluded.

Products built on the Salesforce Platform
Refer to this topic in Salesforce Help to see the list of MFA-exempt use cases that must be manually excluded from requiring MFA and to learn how to take this action.

B2C Commerce Cloud
If any of the following apply to your implementation, take the following steps before MFA is turned on for your tenant.


Marketing Cloud Engagement (powered by Email, Messaging, and Journeys)
Marketing Cloud Intelligence (powered by Datorama)

If you’re planning to use a combination of trusted devices and trusted networks to satisfy the MFA requirement, contact your Salesforce representative.

MuleSoft Anypoint Platform
Refer to this topic in MuleSoft Documentation to see the list of MFA-exempt use cases that must be manually excluded from requiring MFA and to learn how to take this action.

Tableau Cloud
Contact your Tableau account team if any of the following apply to your site:

  • You make Tableau Cloud visualizations available for consumers outside your immediate company or you have external users who can access content in your Tableau Cloud site in a manner as permitted in our user guide.

  • You use a combination of trusted devices and trusted networks to satisfy the MFA requirement.


Back to Top

 

Is Lightning Login a form of MFA?

Yes, you can use Lightning Login to satisfy the MFA requirement for products built on the Salesforce Platform. This feature gives users an enhanced MFA experience, with fast, secure, password-free access to their Salesforce accounts. Lightning Login meets the MFA standard by requiring two authentication factors: Salesforce Authenticator on the user's registered mobile device (something the user has) and the device's PIN (something the user knows) or biometric scan (something the user is). See Enable Lightning Logins for Password-Free Logins in Salesforce Help for more information.

Back to Top

 

Can we use a third-party MFA solution?

If your company is already using an MFA solution like Okta™ or Duo™, we recommend integrating your Salesforce products with that system instead of using a Salesforce product's MFA functionality. Integrating with an existing solution can minimize friction and change management needs because your users are already familiar with your existing system.

Alternatively, if your company has an existing single sign-on (SSO) implementation that requires MFA, see if you can integrate your Salesforce products with that system. But keep in mind that all of your Salesforce users must use MFA. If you have any users (such as Salesforce admins) who log in directly to your products, ensure they're using the MFA functionality provided by Salesforce.

Back to Top

 

What is Device Activation and how is it related to MFA?

Some Salesforce products include a feature called Device Activation, or Identity Verification. This functionality is sometimes confused with MFA.

Device Activation requires users to provide an additional authentication factor if they log in from an unrecognized browser or device, or if the user's IP address is outside a trusted IP range. Supported verification methods for this feature include email and SMS text messages, as well as strong methods like Salesforce Authenticator, third-party TOTP authenticator apps, and security keys.

MFA, on the other hand, requires users to supply a strong verification method every time they log in. Email and SMS text messages aren't allowed for MFA logins because of their inherent susceptibility to attack by bad actors.

Note: For products built on the Salesforce Platform and Marketing Cloud Engagement, when MFA is enabled, Device Activation/Identity Verification is disabled.

Back to Top

 


MFA for SSO Logins to Salesforce Products

 

We use single sign-on (SSO) for Salesforce. Does SSO satisfy the MFA requirement?

On its own, SSO doesn’t satisfy the MFA requirement. With a well-implemented SSO strategy, you can reduce some of the risks associated with weak or reused passwords, and make it easier for your users to log in to frequently used applications. But if your SSO implementation relies on user credentials alone, it leaves user accounts vulnerable to common attacks such as phishing or credential stuffing.

If your Salesforce products are integrated with SSO, ensure that MFA is enabled for all your Salesforce users. You can use your SSO provider’s MFA service. Or, for products that are built on the Salesforce Platform, you can use the free MFA functionality provided in Salesforce instead of enabling MFA at the SSO level. See Use Salesforce MFA for SSO Logins in Salesforce Help for details.

Note: Keep in mind that all of your Salesforce users must use MFA. If you have any users (such as Salesforce admins) who log in directly to your products, ensure they're using the MFA functionality provided by Salesforce.


Back to Top

 

Why is Salesforce requiring MFA for SSO?

If your SSO implementation relies on user credentials alone, it leaves user accounts vulnerable to common security attacks such as phishing or credential stuffing. MFA is one of the most effective ways to prevent unauthorized account access. If you don't implement MFA for users who access Salesforce via SSO, you’ll be at increased risk for cyberattacks that could harm your business and customers.

We encourage you to work with your Security and IT teams to align the MFA requirement with your company’s overall security objectives, and to get their help on satisfying the requirement.


Back to Top

 

Do we have to use MFA at both the SSO and Salesforce levels?

To satisfy the MFA requirement, make sure all internal users are logging in with MFA.

  • If you have a mix of SSO and non-SSO users, ensure that both your SSO provider’s MFA service and your Salesforce products’ MFA functionality for direct logins are enabled.

  • Even if you don’t have any users who log in to your Salesforce products directly, it’s a good security practice to leave your Salesforce products’ MFA functionality for direct logins enabled. Doing so doesn’t have any effect on SSO logins and ensures full compliance with the MFA requirement in the event an admin or other privileged user needs to access your product(s) directly.

Back to Top

 

How frequently should users provide an MFA verification method when logging in to SSO?

We strongly recommend configuring the MFA service for your SSO identity provider so that users are required to provide a strong verification method in addition to their username and password every time they log in.


Back to Top

 

How will Salesforce know that we've enabled MFA for our SSO identity provider and that we satisfy the requirement?

If you use a third-party identity provider (IdP) to access your Salesforce products, Salesforce has limited visibility into your MFA implementation. To ensure we have the necessary insight to manage the MFA requirement, we’re planning to leverage standards-based attributes in SSO protocols that describe the authentication method used during an SSO login.

Most SSO providers support two primary attributes: OpenID Connect (OIDC) uses Authentication Method Reference (amr) and SAML uses Authentication Context (AuthnContext). Currently, OIDC amr is available in products built on the Salesforce Platform, and you can see the values in LoginHistory when you export the data. In future releases, we’re looking to expand OIDC amr to other Salesforce products, and add support for SAML AuthnContext to all products.
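To make the amr attribute concrete, here is an added example (not Salesforce code) that reads the amr claim from an OIDC ID token and audits a constructed LoginHistory export for successful SSO logins that reported no strong second factor. The amr values themselves are the standard ones from RFC 8176; sorting them into "strong" (authenticator app, security key, biometric) and "weak" (SMS, phone call) follows this FAQ's guidance and is this example's own mapping. The export column name AuthMethodReference, the comma-separated value format and the sample rows are assumptions.

```python
import base64
import csv
import io
import json
import re

# RFC 8176 Authentication Method Reference values. Grouping them as "strong"
# (authenticator app, security key, built-in biometric) or "weak" (one-time
# codes by text or call) follows the FAQ's guidance; it is this example's own
# mapping, not a Salesforce definition.
STRONG_AMR = {"mfa", "otp", "hwk", "swk", "fpt", "face", "iris", "vbm", "sc"}
WEAK_AMR = {"sms", "tel"}


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_unsigned_sample_token(claims):
    """Constructed, unsigned sample token for offline demonstration only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."


def id_token_amr(id_token):
    """Return the amr claim of an ID token whose signature the SSO integration
    has already verified; this helper only reads the claim set."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    claims = json.loads(_b64url_decode(parts[1]))
    amr = claims.get("amr", [])
    return [str(v) for v in amr] if isinstance(amr, list) else []


def classify_amr(amr):
    """Map a list of amr values onto the FAQ's categories."""
    values = {v.strip().lower() for v in amr if v.strip()}
    if not values:
        return "unknown"          # IdP asserted nothing: follow up, do not treat as a pass
    if values & STRONG_AMR:
        return "strong"
    if values & WEAK_AMR:
        return "weak"
    return "no-second-factor"     # e.g. only "pwd"


def audit_login_history(csv_text, amr_column="AuthMethodReference"):
    """Return (username, verdict) for successful SSO logins without a strong factor.

    The column names are assumptions about the export; adjust them to match yours.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Status"] != "Success" or "SSO" not in row["LoginType"]:
            continue
        amr = re.split(r"[,\s]+", row.get(amr_column) or "")
        verdict = classify_amr(amr)
        if verdict != "strong":
            findings.append((row["Username"], verdict))
    return findings


# Constructed sample export (not real data).
SAMPLE_EXPORT = """Username,LoginType,Status,AuthMethodReference
alice@example.com,SAML Sfdc Initiated SSO,Success,"pwd,otp"
bob@example.com,SAML Sfdc Initiated SSO,Success,pwd
carol@example.com,SAML Idp Initiated SSO,Success,"pwd,sms"
dave@example.com,Application,Success,
erin@example.com,SAML Sfdc Initiated SSO,Failed: Invalid Password,pwd
"""

if __name__ == "__main__":
    token = make_unsigned_sample_token({"sub": "alice", "amr": ["pwd", "otp"]})
    print(id_token_amr(token), classify_amr(id_token_amr(token)))
    for user, verdict in audit_login_history(SAMPLE_EXPORT):
        print(f"{user}: {verdict}")
```

The audit only reflects what the identity provider asserts: an IdP that does not populate amr produces "unknown" for every login, which is a reason to check the IdP's MFA policy directly rather than a sign that the requirement is met.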

Back to Top

 

Will Salesforce enable or enforce MFA for SSO?

We won’t take action on your behalf to enable MFA for your SSO identity provider. Nor do we have plans to block access to Salesforce products or trigger MFA challenges if your SSO service doesn’t require MFA. This policy could change in the future.

But remember that the MFA contractual requirement, per the Notices and Licenses Information section of the Salesforce Trust and Compliance Documentation and the applicable Salesforce User Guide, applies to all internal Salesforce users who access your Salesforce products via SSO. If you haven't enabled MFA for SSO logins, see What happens if we don't satisfy the MFA requirement? for more information. And speak with your legal team to understand the implications of being out of compliance.

If you're concerned about satisfying the requirement, reach out to your Salesforce representative. We'll work with you to find a solution.

Back to Top

 

Can we use the MFA functionality from Salesforce instead of using our SSO provider's MFA service?

For products that are built on the Salesforce Platform, you can use the MFA functionality provided in Salesforce instead of using your SSO provider’s MFA service. With this approach, users log in via your SSO login page. Then they’re directed to Salesforce, where they’re prompted to provide their MFA verification method to confirm their identity. To learn more, see Use Salesforce MFA for SSO Logins in Salesforce Help.

Note: This option isn't available for other Salesforce products.

Back to Top

 

Can we enable SSO for Salesforce admins? What happens if SSO goes down?

Admins should always be able to log in directly to your Salesforce products using their username and password. We don't recommend enabling SSO for Salesforce admins because they won't be able to log in if there's an outage or other problem with your SSO implementation. For example, if your third-party SSO provider has a sustained outage, admins can use your Salesforce product's standard login page to log in with their username and password, then disable SSO until the problem is resolved. Instead of using SSO for Salesforce admins, we recommend enabling MFA for administrator accounts directly in your Salesforce products.

Back to Top

 

How can we enforce SSO logins for Salesforce users?

If your company uses SSO to access Salesforce, we recommend disabling direct logins for all standard users. Preventing logins with a Salesforce username and password ensures that users can’t bypass your SSO system. Make sure affected users know the URL where they can access your SSO login page. For the steps, see Disable Logins with Salesforce Credentials for SSO Users in Salesforce Help.

Back to Top

 

What should we do if SSO goes down and users need to log in directly to Salesforce products?

If you allow direct logins to Salesforce products as a fallback in the event that your SSO service goes down, ensure that the MFA functionality provided by your Salesforce products is turned on and applied to all affected users. And encourage these users to register a verification method for their Salesforce accounts now so they won’t experience any delays if they have to log in directly. See the Salesforce MFA customer site for links to the MFA help documentation for your product(s).

Back to Top

 


Verification Methods for MFA

 

Which verification methods satisfy the MFA requirement?

Let’s start with verification methods that don’t satisfy the requirement, whether you’re using your SSO identity provider’s MFA services or Salesforce’s MFA for direct logins.


To satisfy the MFA requirement, you must use verification methods that are strongly resistant to cyberattacks (such as phishing and man-in-the-middle attacks). Strong verification methods help provide high assurance that users accessing Salesforce products are who they say they are.

For SSO:
With the exception of the options listed above, use any method that is supported by, or integrated with, your identity provider’s MFA solution.

For Salesforce MFA:
Use any of the methods that are supported by your Salesforce products’ MFA functionality:

  • Salesforce Authenticator mobile app (available on the App Store® or Google Play™)

  • Time-based one-time passcode (TOTP) authenticator apps, like Google Authenticator™, Microsoft Authenticator™, or Authy™

  • Security keys that support WebAuthn or U2F, such as Yubico’s YubiKey™ or Google’s Titan™ Security Key

  • Built-in authenticators, such as Touch ID®, Face ID®, or Windows Hello™

Refer to this topic in Salesforce Help to see the benefits and considerations for each method.

For your MFA implementation, choose the method or methods that work best for your business and your users' needs (keeping in mind the guidance in this topic).

Back to Top

 

Can users register multiple verification methods?

Yes. In fact, we encourage users to register multiple verification methods so they have a backup in case they forget or lose their primary method.

If a user sets up several verification methods, they're automatically prompted to provide the most secure method when they log in. Salesforce uses this order of precedence for verification methods when logging in with MFA:

  1. Salesforce Authenticator

  2. Built-in authenticators

  3. Security keys

  4. Third-party time-based one-time passcode (TOTP) authenticator apps

Note: Quip products currently limit users to registering one verification method at a time.

Back to Top

 

Can we use email, SMS, or phone calls as MFA verification methods?

No. One-time passcodes delivered via email, SMS text messages, or phone calls do not satisfy the MFA requirement -- whether you’re using Salesforce MFA for direct logins or your SSO provider’s MFA services. This is because email credentials can be compromised, and text messages and phone calls can be intercepted. It's a lot harder for bad actors to get control of an actual mobile device or physical security key than it is to infiltrate an email account or hack a cell phone number.

Note: If you implement MFA for your customer or partner Experience Cloud sites, external users are able to log in using SMS text messages as a verification method. This option allows you to provide an extra layer of security for your sites while maintaining ease of access for users who don't interact with business-critical data. See this topic in Salesforce Help for full details.

Back to Top

 

Where can I learn more about MFA verification methods supported by Salesforce?

See this topic in Salesforce Help.

Back to Top

 

Can we use desktop or browser-based TOTP authenticators?

As a best practice, we recommend using mobile authenticator apps, physical security keys, or built-in authenticators because these types of verification methods exist separately from a user's laptop or workstation. This way, if a bad actor manages to gain access to a user's computer, the user's second factor isn't also compromised.

That said, if a TOTP desktop authenticator app, browser extension, or a password manager tool that supports TOTP is the only option that works for your users, you can satisfy the MFA requirement with these types of methods.

Note: Use of the Synebo Chrome extension for logins to Salesforce environments does not comply with the MFA requirement.


Back to Top

 

Does Salesforce support TOTP codes generated by a password manager?

As a best practice, we recommend using verification methods like a mobile app or a physical security key because they exist separately from a user's laptop or workstation. This way, if a bad actor manages to gain access to a user's computer, the user's second factor isn't also compromised. Many password managers allow users to generate time-based one-time passwords (TOTP) for MFA authentication. We recommend using this capability only from password managers that are accessed from mobile devices, or if the password manager itself has MFA protection (for example, using biometric authentication).

Back to Top

 

None of the supported MFA verification methods work for my company. How can we satisfy the MFA requirement?

We understand that some customers may have challenges implementing MFA. We're here to help you find a path to MFA to avoid security and compliance implications for your organization. If you're concerned that you can't satisfy the requirement, reach out to your Salesforce representative and we'll work with you to find a solution.

Back to Top

 

Our users don't have mobile devices. Can we still use MFA?

Yes, Salesforce products support MFA verification methods that don’t require the use of an authenticator app and a mobile device. We recommend physical security keys or built-in authenticators.

If these options don’t work because of budget constraints or hardware limitations, you can also satisfy the requirement using TOTP desktop authenticator apps or browser extensions.


Back to Top

 

Is a data connection needed to use a mobile authenticator app? If a user loses their connectivity, can they log in?

The Salesforce Authenticator mobile app requires a data connection to authenticate via push notifications or location-based automated verification. If a user's mobile device is offline, however, the user can still authenticate using one of the unique, time-based one-time password (TOTP) codes that the app continually generates. Similarly, third-party TOTP authenticator apps work if a device doesn't have a connection.
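The reason an offline device can still produce a valid code is that TOTP (RFC 6238) depends only on the shared seed and the current time, never on a network round trip. The following is an added example, not code from Salesforce Authenticator or any other product on this page: it generates codes the way an authenticator app does, decodes the base32 seed format used in enrollment QR codes, and shows the server-side checks a verifier should apply (a narrow clock window, constant-time comparison, and accepting each time step only once so a captured code cannot be replayed). The seed value is the published RFC 6238 test vector, not a real key.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algorithm=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6, algorithm=hashlib.sha1):
    """RFC 6238 TOTP: the counter is the number of `step`-second intervals since the epoch.
    Nothing here needs connectivity, only the seed and a reasonably accurate clock."""
    return hotp(secret, int(unix_time) // step, digits, algorithm)


def decode_authenticator_secret(base32_secret):
    """Authenticator apps receive the seed as base32 (the otpauth:// QR payload),
    usually without padding; restore it before decoding."""
    s = base32_secret.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


class TotpVerifier:
    """Server-side check: narrow clock window, constant-time compare, and a given
    time step is accepted at most once, so a captured code cannot be replayed."""

    def __init__(self, secret, step=30, digits=6, window=1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_accepted = -1  # highest time-step counter already used

    def verify(self, code, unix_time):
        counter = int(unix_time) // self.step
        for offset in range(-self.window, self.window + 1):
            candidate = counter + offset
            if candidate <= self.last_accepted:
                continue  # replay protection: never accept an already-used step
            if hmac.compare_digest(hotp(self.secret, candidate, self.digits), code):
                self.last_accepted = candidate
                return True
        return False


# Published RFC 6238 test-vector seed; not a real key.
RFC6238_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    # Same seed and clock on both sides produce the same code, with no network involved.
    now = time.time()
    print("current code:", totp(RFC6238_SECRET, now))
    print("accepted:", TotpVerifier(RFC6238_SECRET).verify(totp(RFC6238_SECRET, now), now))
```

The window of one step either side tolerates about 30 seconds of clock skew between the phone and the server; widening it trades convenience against the time an intercepted code stays valid, and the replay guard is what keeps a code from being used twice even within that window.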

Back to Top

 


Be Prepared for MFA

 

How are my users affected when MFA is turned on?

When MFA is enabled for user interface logins, each user must have at least one registered verification method before they can log in. The registration process connects a method to the user's Salesforce account. Users can register methods at any time. If a user doesn't have a method ready by the time MFA is enabled, they're automatically prompted to register one the next time they log in. On-screen prompts guide users through the process.

For all subsequent logins, the login process prompts users to supply a registered method in addition to their username and password.

See this short video for an overview of how MFA affects the login experience.

Back to Top

 

How do I prepare my users for MFA?

Check out Prepare Your Users for Multi-Factor Authentication in Salesforce Help for ideas and best practices. And download the Multi-Factor Authentication Rollout Pack to get customizable change management and onboarding templates.

Back to Top

 

How frequently must users provide a verification method when logging in directly to Salesforce products?

If you’re using Salesforce's MFA functionality, users must respond to an MFA challenge each time they log in to a Salesforce product. This applies to all logins, including those due to inactivity and expired sessions. The frequency of MFA challenges can’t be modified.

Back to Top

 

Can I automate or control how often the extra authentication step is required by Salesforce products to reduce impact to my users?

To ensure that MFA is providing the intended protection, users must supply a verification method each time they log in directly to a Salesforce product. To reduce friction for users, we recommend using Salesforce Authenticator. The app can automate the extra authentication step when a user works from a trusted place, like the office or home — which means users don’t have to touch their phones when they log in from these locations. Users can set this option for themselves. See Automate Multi-Factor Authentication with Salesforce Authenticator in Salesforce Help for details.

In addition, Salesforce Authenticator can automatically trust a location after a user authenticates from the same place three times. To set up this option, see Let Salesforce Authenticator Intelligently Save Your Trusted Locations.

Back to Top

 

What should users do if they need to replace a verification method or their method stops working?

(This topic applies to products built on the Salesforce Platform only.)

Over time, it’s inevitable that users will swap their mobile phones and computers for newer models. If someone was using their old device to run an authenticator app or built-in authenticator for MFA, they’ll need to switch their verification method to their new hardware. Similarly, a user may wind up replacing their physical security key with a new one. In these situations, start by disconnecting the user’s existing verification method so the user can register its replacement. If a user reports that their verification method has stopped working when they try to log in, reset the method by disconnecting it then have the user re-register it for MFA.

See the Salesforce MFA customer site for product-specific guidance. And check out How can users recover access if they forget or lose their verification method? to quickly restore user access.

Back to Top

How can users recover access if they forget or lose their verification method?

Your options for assisting users if they forget or lose their usual verification methods depend on your Salesforce product.

Note: If you’re the only admin for your product and you get locked out, contact Salesforce Customer Support.

Admin-Generated Temporary Verification Codes
For some products, admins can generate temporary codes that allow users to log in without a verification method. Follow the steps for:

User-Generated Recovery Codes
For these products, users can generate a list of ten single-use recovery codes that they can keep in a safe place until needed. These codes should be used only as a backup method when a user’s regular verification method isn’t available. Follow the steps for:

Reset MFA
For MuleSoft Anypoint Platform, admins can reset MFA for a user who has lost or forgotten their verification methods. The user is then prompted to register a new method the next time they log in.
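The single-use property of recovery codes is the control that makes a printed list acceptable as a backup. Here is an added example, not Salesforce's implementation (the page does not describe how its products format or store these codes), of how a backend issues ten recovery codes and then honours each one at most once: only salted, slow hashes are stored, comparison is constant-time, and repeated wrong guesses lock the fallback. The code format and lockout threshold are this example's own choices.

```python
import hashlib
import hmac
import secrets

# Constructed code format for this example; the page does not describe Salesforce's own.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"  # no 0/o, 1/l/i: fewer misreads when typed


def generate_recovery_codes(count=10, groups=2, group_len=5):
    """Issue `count` random single-use codes such as 'k7mwd-3qzxp'."""
    return [
        "-".join("".join(secrets.choice(ALPHABET) for _ in range(group_len)) for _ in range(groups))
        for _ in range(count)
    ]


def normalize(code):
    """Accept the code however the user typed it (case, stray spaces)."""
    return code.strip().lower().replace(" ", "")


def _digest(code, salt):
    # A slow, salted hash: these codes carry less entropy than a long random
    # secret, so a plain SHA-256 table would be brute-forceable if it leaked.
    return hashlib.pbkdf2_hmac("sha256", normalize(code).encode(), salt, 20_000)


class RecoveryCodeStore:
    """Server-side record for one user: hashes only, each code consumed at most
    once, and the fallback locks after too many wrong attempts."""

    def __init__(self, codes, max_failures=5):
        self.salt = secrets.token_bytes(16)
        self.unused = [_digest(c, self.salt) for c in codes]
        self.max_failures = max_failures
        self.failures = 0

    @property
    def locked(self):
        return self.failures >= self.max_failures

    def remaining(self):
        return len(self.unused)

    def consume(self, presented):
        """Accept a code once; return False on reuse, mismatch or lockout."""
        if self.locked:
            return False
        candidate = _digest(presented, self.salt)
        match = next((d for d in self.unused if hmac.compare_digest(d, candidate)), None)
        if match is None:
            self.failures += 1
            return False
        self.unused.remove(match)  # single use: the hash is gone after a successful login
        self.failures = 0
        return True


if __name__ == "__main__":
    codes = generate_recovery_codes()
    store = RecoveryCodeStore(codes)
    print("issued:", codes)
    print("first use:", store.consume(codes[0]), "reuse:", store.consume(codes[0]))
    print("remaining:", store.remaining())
```

When a user regenerates their list, the old hashes are replaced wholesale, which is why the FAQ's advice to keep the codes somewhere safe matters: a lost list is recoverable only by generating a new one while the user still has another way in.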

Back to Top

 

How can we prevent admins from getting locked out after MFA is enabled?

Make sure your access recovery plan includes steps to help you and your fellow admins if you lose access to your regular verification method(s). Consider these best practices:

  • Each admin should register at least two verification methods.

  • Keep a backup security key in a secure place at work.

  • Establish at least two accounts that have permissions to manage users and MFA settings. This way, if one account is locked out, you can use the other account to restore access.

Back to Top

 

Some of our users share a single Salesforce account. How does MFA work in this situation?

Salesforce prohibits sharing user credentials with multiple users. This practice is incompatible with MFA because each user must register and connect a unique verification method to their Salesforce account before they can log in. If multiple users are sharing a single account, only one person will be able to log in to that account after MFA is enabled.

Resolve any shared accounts or credentials that are in use. Make sure you have enough licenses to set up separate accounts for each person who needs to access your Salesforce products. If you need help setting up unique user accounts, contact your Account Executive or Sales team. Or refer to Salesforce Checkout and Self Service to Manage Your Account.

Back to Top

 

How does MFA work in sandbox environments?

(This topic applies to products built on the Salesforce Platform only.)

To help develop a strategy for managing MFA for your sandbox environments, review the considerations in Multi-Factor Authentication Sandbox Setup Considerations in Salesforce Help.


Back to Top

 


MFA Requirement Guidance for Salesforce Partners / Service Providers

 

Is MFA required when Salesforce service providers use customer-provided licenses to access customer orgs for performing administrative services?

Yes. See May customers assign a single license to their Salesforce service provider, where the license will be shared by multiple service provider users? for more information.

Back to Top

 

May customers assign a single license to their Salesforce service provider, where the license will be shared by multiple service provider users?

Yes, but only for so long as the following criteria are met and subject to the following additional terms: (i) all such users must be personnel of a Salesforce service provider using such subscriptions solely for the purpose of providing support or other services to the Customer in connection with the Customer’s use of the Services in such Customer’s Org, (ii) all such users must use a privileged account management tool, or an enterprise password management solution, in connection with the foregoing use that allows for implementation of MFA despite the use of a single subscription by multiple service provider users, and that provides for the ability to restrict access permissions to authorized users only, using techniques such as role based access control and least-privilege, and (iii) Customer remains responsible for such users’ use of these subscriptions.

Salesforce reserves the right at any time to change the criteria for the foregoing use case or to discontinue this permitted use entirely.

For detailed guidance on how to satisfy the MFA requirement for this situation, see the How to Satisfy the MFA Requirement for the Partner Admin Shared Login Use Case knowledge article.

Back to Top

 

We use Platform user licenses for Communities. How does the MFA requirement apply to this use case?

MFA is not required for external users who can only access your company's Experience Cloud sites, such as employee communities. For products built on the Salesforce Platform, an external user is anyone who has a Community, Employee Community, or External Identity license.

If your partner solution has built a community for external users but is using a Platform license rather than Experience Cloud, please submit a support case following these instructions:

  1. In Salesforce Help, open a case under Salesforce Partner Program Support.

  2. File the case under Partner Programs & Benefits, and list the topic as ISV Technology Request.

Back to Top

 

How does the MFA requirement affect the use of subscriber console?

  • MFA is required when logging in to the License Management Org (LMO) — see Require Multi-Factor Authentication for Logins to Subscriber Orgs in the Salesforce Release Notes for full details. And for information about MFA and Log In As, see this release note.

  • Partners will need to set up MFA in their License Management Org (LMO) to access the Subscriber Support Console feature. Note that the previous method of using the release task to test High Assurance setup is no longer available. Partners using MFA permission sets can now use Reports & Dashboards to test if their High Assurance setup is configured correctly. To confirm that an MFA permission set user account has a High Assurance session, follow these steps.

Back to Top

 

 


Learn More

 

Where can I learn more about MFA for our Salesforce products?

We're committed to helping you succeed with MFA. We have a variety of resources to help you get more comfortable with MFA and learn how to manage it for your product(s).

Back to Top

 

Where can I go if I have questions about MFA or the MFA requirement?

If you have more questions or need help, visit the MFA - Getting Started Trailblazer Community. You can post your questions to Salesforce security experts and other Trailblazer admins who are working on implementing MFA.

For Salesforce partners and service providers, join us on the trail in the Partner Community.

Back to Top

 


Revision History

 

Date

Revisions

May 28, 2024

2021 - 2024

  • The revision history for this article has been archived.


 

Knowledge Article Number

000396727

 