Security-Related Product Updates to the Salesforce Platform: User Identity, Data Protection, and Access Controls

This page serves as the ongoing roadmap for critical product changes to the Salesforce Platform that impact your Salesforce Org's security. Our intention is to provide you with the necessary lead time, technical clarity, and architectural guidance to maintain the security of your data as these changes are rolled out. Please note that this roadmap focuses on specific features designed to minimize risk from phishing attacks, data exfiltration, and account takeover attempts; It is evolving and not inclusive of all Salesforce security-related changes.

Find details for each planned change in the table below. 

Not a Salesforce admin? Jump to the next section to see what’s changing for you.

Not a Salesforce admin? Here’s what’s changing for you. 

Starting in June 2026, Salesforce enforces new security requirements that can affect your login and report export experiences. These security changes secure your account and your company’s data against unauthorized access.

Multi-factor authentication (MFA) is required to log in

1. What is MFA? MFA protects access to your Salesforce account during login by requiring two or more pieces of information to prove your identity. The first piece is something you know: your username and password. The second piece is something you have: an MFA verification method that confirms your identity, such as a passkey (built-in authenticator or security key) or a code from an authenticator app on your phone. To learn more about MFA and its security benefits, see What Is Multi-Factor Authentication? 

2. I log in from another site, such as Google, using single sign-on (SSO). How does my experience change? Contact your admin for more information. 

3. I log in with my username and password. How does my experience change? If you don’t have an MFA verification method, Salesforce asks you to register one after you log in. The MFA method that you use depends on your company’s policies. 

4. How can I prepare for this change? Register an MFA verification method. To see what MFA methods you can use, contact your admin.  

Step-up authentication is required for report actions

1. What is step-up authentication? Step-up authentication is an extra identity check for sensitive actions, such as attempts to access your company’s data. With this change, Salesforce requires you to verify your identity to view and export reports. For example, Salesforce asks you to use a passkey to export a report.

2. I log in from another site (SSO) using a non-Salesforce MFA method. Can I use this method for step-up authentication? No. You can use a Salesforce MFA method, or you can receive a verification code via phone or email.

3. How can I prepare for this change? Register an MFA verification method and review your phone number and email address. To understand what MFA methods you can use, contact your admin.