How to Set Up Multi-Factor Authentication (MFA) Verification Methods in Sales and Service with Salesforce

Learn how to set up Multi-Factor Authentication (MFA) verification methods in Agentforce Sales (formerly Sales Cloud) and Agentforce Service (formerly Service Cloud). Salesforce requires MFA for all users accessing Salesforce products. Before logging in for the first time after MFA is enabled in your org, each user must register at least one verification method. Supported methods include the Salesforce Authenticator mobile app, built-in device authenticators (such as Face ID or Windows Hello), FIDO2-compliant security keys, and third-party one-time password (OTP) generator apps such as Google Authenticator or Authy.

Available Editions:

Sales and Service — Professional, Enterprise, Unlimited, and Developer

Prerequisites:

Prepare the MFA verification method you intend to use before beginning setup. If using a third-party OTP generator app (such as Google Authenticator or Authy), install it on your mobile device in advance. If using a security key, have it physically available.

To complete MFA setup, follow the steps below for your chosen verification method. If your organization uses Salesforce Authenticator, start with the first section. For all other methods — including built-in authenticators, security keys, and third-party OTP apps — follow the steps in the second section. Note: Depending on your organization's settings, the screen for the highest-priority verification method enabled in your org may appear directly. To use a different method, click [Choose Another Verification Method] at the bottom of the screen to return to the selection menu.

Using Salesforce Authenticator

The steps below guide you through connecting the Salesforce Authenticator mobile app to your Salesforce account. Follow the linked guide to complete setup using the Salesforce Authenticator app:
How to Set Up Salesforce Authenticator for MFA

Using MFA Verification Methods Other Than Salesforce Authenticator

The steps below walk you through logging in to Salesforce and reaching the verification method selection screen, where you will choose and register your preferred MFA method.

Prepare the MFA verification method you intend to use. If using a one-time password (OTP) generator app, install it on your mobile device.
Log in to Salesforce using your username and password in a desktop browser. You will be directed past the standard login screen and prompted to set up a verification method before accessing your org.
When the "Choose a Verification Method" screen appears, follow the steps below based on your chosen method.

Using a Built-In Authenticator

The steps below register a built-in biometric or device authenticator (such as Face ID, Touch ID, Windows Hello, or a device PIN) as your MFA verification method.

3-1. Select [Use a built-in authenticator on your device] and click [Continue].
Note: If this option does not appear, please contact your System Administrator.
3-2. On the "Register a Built-In Authenticator" screen, click [Register].
3-3. When prompted by your browser, enter the identifier you previously configured for your built-in authenticator (such as fingerprint, facial recognition, PIN, or password).
3-4. Assign a name to the built-in authenticator and save it.

Using a Security Key

The steps below register a physical FIDO2-compliant security key (such as a YubiKey) as your MFA verification method. Have your security key physically available before starting.

3-1. Select [Use a Universal Second Factor (U2F) or WebAuthn (FIDO2) key] and click [Continue].
Note: If this option does not appear, please contact your System Administrator.
3-2. On the "Register a Security Key" screen, click [Register].
3-3. When prompted, insert your security key into the appropriate port on your computer or mobile device. If the key has a button, press it.
Note: While security keys are not biometric devices, some require a physical touch to activate the device.
3-4. Once registration is successful, click [Continue] to dismiss the confirmation message.

Using a Third-Party Authenticator App

The steps below connect a third-party OTP generator app (such as Google Authenticator or Authy) to your Salesforce account by scanning a QR code. Ensure the app is installed on your mobile device before starting.

3-1. Select [Use verification codes from an authenticator app (such as Google Authenticator or Authy)] and click [Continue].
3-2. When the QR code appears on the "Connect an Authenticator App" screen, open the third-party authenticator app on your mobile device and scan the QR code.
Note: If your app cannot scan QR codes, click [I Can't Scan the QR Code] at the bottom of the screen and manually enter the string displayed in the "Key" field into your app.
3-3. Enter the 6-digit verification code displayed in your app into the "Verification Code" field on the "Connect an Authenticator App" screen, then click [Connect].