
Prepare for the upcoming Step-up Authentication requirements on Report Actions

Publication date: Jun 4, 2026
Description

Salesforce is strengthening its 'secure-by-default' architecture by implementing a new, mandatory time-based step-up Multi-factor Authentication (MFA) framework to enhance data protection against unauthorized data exfiltration. This control requires users to complete an additional step-up challenge when performing a sensitive action, such as accessing reports and dashboards, if a configurable amount of time has passed since their last step-up challenge.

For more info on the roadmap of upcoming targeted Security changes for the Salesforce Platform, see: Security-Related Product Updates to the Salesforce Platform.

What's Changing

Salesforce is implementing a new, mandatory time-based step-up authentication framework. Here are some of the key changes.

  • Reports & Dashboards Security: Salesforce applies the control to all reports and dashboards actions, including accessing/viewing, running, or exporting. Users will be challenged to perform a step-up MFA if a configurable time (for example, 2 hours) has passed since their last challenge. A new time-based Session Level Policy will be added for Reports and Dashboards called “Require periodic step-up authentication”.
  • Configurable Step-up Authentication Period: On the Identity Verification page, admins can configure the “Step-Up Authentication Period (Minutes)” field between 2 and 120 minutes, which adjusts the re-authentication cadence.

  • Trigger Action: The step-up challenge is triggered when a user accesses, runs, or views reports and dashboards, rather than waiting for them to click a "Download" or "Export" button. This broader trigger criterion for additional verification helps to mitigate data theft via UI-based screen scraping or browser-based data capture.

  • MFA at Login vs. Step-up: Users must pass the step-up challenge even if they recently logged in with MFA.

  • Default-On Enforcement: The framework is enforced by default.

  • SSO User Handling: The framework is mandatory for all users, including those with Federated Single Sign-On (SSO). SSO users without Salesforce MFA registered are challenged via email or SMS OTP.

  • No Network Exemption: Step-up authentication for reports and dashboards actions is required even when the user is logged in to Salesforce on a trusted IP or corporate network.

Why Is Salesforce Making This Change

In response to evolving cybersecurity threats, we’re enhancing security and data protection. Reports and dashboard actions are considered a high-risk vector for data exfiltration. The step-up authentication framework provides these benefits.

  • Prevents Data Exfiltration: Step-up authentication is designed to preemptively slow or block potentially malicious data exfiltration.

  • Establishes High Assurance: Step-up authentication supports a new model of High Assurance. Reports and dashboards actions always require additional or stronger authentication challenges, even after a user has logged in with MFA.

When Does This Change Take Effect

  • Available in Sandboxes: Starting May 27, 2026, staggered over approximately 7 days

  • Available in Production: Starting May 27, 2026, staggered over approximately 15 days

  • Enforced in Sandboxes: Starting June 17, 2026, staggered over approximately 7 days

  • Enforced in Production: Starting July 1, 2026, staggered over approximately 30 days

Who's Affected

  • All Salesforce Users: This control is mandatory for all users accessing Salesforce reports, regardless of whether they use Direct Login or Federated Single Sign-On (SSO).

  • Salesforce Admins: This control applies to Salesforce admins who access reports. Also, admins can configure the re-authentication time window.

What to Expect

  • Step-up Challenge Prompt: Users will encounter an additional step-up authentication challenge when they attempt to run or view a report, provided the configurable Step-Up Authentication period has passed since their last challenge.

  • Supported Verification Methods: To complete the challenge, users can use any MFA verification method that Salesforce supports, including Passkeys, Security Keys, Salesforce Authenticator, or Time-based One-Time Password (TOTP) Apps.

  • Platform Users: Users without a registered MFA method will be challenged via an SMS One-Time Password (OTP) or email. Users without a reachable email address must register a Salesforce verification method, update their phone number, or provide a reachable email address.

  • Report Blocking: If the MFA service is unavailable or if the challenge fails, the report execution will be blocked to protect sensitive data.

Resolution

To continue with the report action, users must successfully complete the step-up Multi-Factor Authentication (MFA) challenge presented to them.

Before Enforcement: How to Prepare

  • Review User Configuration: Review the new step-up authentication policy when available in June. On the Identity Verification page, under Session Security Level Policies, find Reports and Dashboards. To use the new policy, select “Require periodic step-up authentication”. For the Step-Up Authentication Period (Minutes) field, adjust the value within the Salesforce-defined threshold if needed.

  • Ensure Verification Methods: To ensure a smooth transition, confirm that all users, particularly those who use SSO, have configured at least one of these verification methods: a supported MFA verification method registered with Salesforce, a current email address, or an SMS mobile phone registered to their login. Users who can’t receive email or SMS must register a Salesforce verification method, update their phone number, or provide a reachable email address. In-app prompts for users without verification methods are available on a rolling basis starting in May 2026.
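The "Ensure Verification Methods" step above amounts to sorting users into three groups: those with a Salesforce-native MFA method, those who will fall back to email or SMS OTP, and those with no usable method who must be remediated before enforcement. The following is an added example, not Salesforce code: it applies those rules to a constructed set of user records. The UserRecord fields and the method names are this example's own assumptions; an admin would populate them from the org's user data (for instance User contact fields and the TwoFactorMethodsInfo object) rather than the inline sample.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Salesforce-native verification methods named in the article (labels are this example's).
NATIVE_MFA_METHODS = {
    "salesforce_authenticator", "totp", "security_key", "passkey", "built_in_authenticator",
}


@dataclass
class UserRecord:
    """Constructed representation of one user; field names are this example's, not Salesforce's."""
    username: str
    is_sso: bool
    email: str = ""
    email_reachable: bool = True   # False if mail to this address is known to bounce (assumed flag)
    mobile_phone: str = ""
    mfa_methods: Tuple[str, ...] = ()


def classify(user: UserRecord) -> str:
    """Return 'native_mfa', 'otp_fallback' or 'needs_remediation' per the article's rules."""
    if set(user.mfa_methods) & NATIVE_MFA_METHODS:
        return "native_mfa"
    # OTP fallback needs a mobile number or a reachable email address.
    if user.mobile_phone.strip() or (user.email.strip() and user.email_reachable):
        return "otp_fallback"
    return "needs_remediation"


def remediation(user: UserRecord) -> str:
    """Action an admin would ask of the user before enforcement."""
    status = classify(user)
    if status == "needs_remediation":
        return ("register a Salesforce verification method, update the mobile number, "
                "or provide a reachable email address")
    if status == "otp_fallback" and user.is_sso:
        # SSO users cannot delegate the challenge to their IdP, so OTP is their only fallback.
        return "register a Salesforce-native MFA method (the IdP cannot satisfy the step-up challenge)"
    if status == "otp_fallback":
        return "consider registering a Salesforce-native MFA method for a more reliable experience"
    return "no action needed"


def readiness_report(users: List[UserRecord]) -> Dict[str, List[str]]:
    """Group usernames by readiness so the riskiest group can be handled first."""
    groups: Dict[str, List[str]] = {"native_mfa": [], "otp_fallback": [], "needs_remediation": []}
    for u in users:
        groups[classify(u)].append(u.username)
    return groups


# Constructed sample data; addresses and numbers are placeholders.
SAMPLE_USERS = [
    UserRecord("alice@example.com", is_sso=False, email="alice@example.com", mfa_methods=("totp",)),
    UserRecord("bob@example.com", is_sso=True, email="bob@example.com", mobile_phone="+15555550100"),
    UserRecord("carol@example.com", is_sso=True, email="carol@example.com", email_reachable=False),
    UserRecord("dave@example.com", is_sso=True, email="", mfa_methods=("passkey",)),
]

if __name__ == "__main__":
    for group, names in readiness_report(SAMPLE_USERS).items():
        print(group, names)
    for u in SAMPLE_USERS:
        print(u.username, "->", remediation(u))
```

Running it lists carol as the only user needing remediation (her email bounces and she has neither a phone number nor a native method), while bob, an SSO user on OTP fallback, is flagged for native-MFA registration as the article recommends.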

After Enforcement: Resolve Errors

If a user is blocked from viewing or running a report, take these remediation steps.

  1. Failing the Step-up Authentication Challenge: Instruct the user to attempt the challenge again with a registered and supported MFA or identity verification method.

  2. MFA Service Unavailability: The framework operates on a "Fail-Closed" security posture, blocking report execution if the MFA service is unavailable. If this occurs, contact Salesforce Customer Support.

Common Questions

Does logging in with MFA reset the step-up timer? 

No. MFA at login doesn’t reset the timer for the step-up authentication on sensitive actions like sensitive Report Actions. Users are challenged again even if they recently logged in with MFA.

Which verification methods are supported for the step-up challenge? 

All standard Salesforce MFA verification methods are supported, including Passkeys (biometrics and Security Keys), Salesforce Authenticator, and TOTP Apps. SSO users without a registered Salesforce MFA method are challenged via email or SMS One-Time Password (OTP).

Do Trusted IP Ranges or corporate networks grant an exemption? 

No. Step-up authentication for sensitive Report Actions is required even when the user is logged in to Salesforce on a "trusted IP" or "corporate network."

Can an admin adjust the frequency of the challenge? 

Yes. Admins can adjust the re-authentication cadence. However, they can’t set a value outside the valid range defined by Salesforce.

What happens if users have no MFA method enrolled and try to export a report?

If a user has no MFA method enrolled, Salesforce will send a one-time passcode (OTP) to the phone number or email address associated with their account. Since every Salesforce user is required to have an email on file, this serves as the fallback verification method.

To ensure a smooth experience:

  • Confirm the user's phone number and/or email address is valid and accessible

  • If the OTP email isn't received, ask the user to verify their phone number and/or email address in their profile

  • For a more reliable experience going forward, users should register an MFA verifier in Salesforce (such as an authenticator app, security key, or built-in authenticator). Note for SSO users: SSO-authenticated users may not have an MFA verifier registered directly in Salesforce, making the email OTP fallback especially relevant for this group.

Can the step-up challenge be fulfilled by the SSO IdP, or must it always be a Salesforce-native method?

Step-up authentication must be completed using a Salesforce-native verifier; it cannot be delegated to an external SSO identity provider (IdP). Even if a user authenticates into Salesforce via SSO, they are still required to satisfy the step-up challenge using one of the following:

  • A Salesforce-registered MFA method (such as Salesforce Authenticator, a TOTP authenticator app, a security key, or a built-in authenticator like Face ID or Touch ID)

  • A one-time passcode (OTP) delivered via email or SMS to the contact information associated with their account

This means SSO users who do not have a Salesforce-native verifier registered will fall back to email or SMS OTP to complete the step-up challenge.

Are scheduled or subscribed reports affected by step-up authentication? * 

Automated report delivery, whether scheduled or subscribed, is not affected by step-up authentication. Since these run in a background context with no active user session, the step-up challenge is bypassed entirely.

However, if a user clicks the link in a subscription notification email to open the report directly in Salesforce, step-up authentication will be triggered at that point, since the user is now interacting with the report in an active session.

Are embedded reports and dashboards affected by step-up authentication?

Embedded reports and dashboards, such as those placed in a Lightning App Builder page, are not subject to step-up authentication. These components are exempted from the step-up session-level policy check, so users will not be prompted for a step-up challenge when viewing embedded content in Lightning pages.

Does step-up authentication apply to Experience Cloud or Partner Community users? *

  • External Experience Cloud users (customers, partners, and community members accessing Salesforce through an Experience Cloud site) are fully exempt from step-up authentication. Step-up will not be triggered for these sessions.
  • Internal Salesforce users (employees) logging into an Experience Cloud site are not exempt. If an internal user attempts to access a report through an Experience Cloud site, they will be blocked. Internal users who need to access reports should do so through their internal Salesforce org, where they can complete the step-up challenge normally.

Does step-up authentication apply when an administrator uses "Login As" to access a user's account? *

No. When an administrator uses the "Login As" feature to access Salesforce as another user, step-up authentication is not triggered. "Login As" sessions are fully exempted from the step-up requirement.

Does step-up authentication apply to API access to reports and dashboards?

No. Step-up authentication does not apply to non-interactive API sessions. All API-based access to reports and dashboards (including integrations, connected apps, and programmatic data retrieval) is fully exempt from the step-up requirement. Only interactive UI sessions trigger the step-up challenge.

Does step-up apply when running SOQL queries in Developer Console or Workbench? *

No. SOQL queries executed in Developer Console and Workbench are exempt from step-up authentication. 

Does step-up authentication apply to Salesforce Mobile App users accessing reports and dashboards? *

No. Users accessing reports and dashboards via the Salesforce Mobile App are exempt from step-up authentication. The step-up challenge will not be triggered for mobile sessions.

Does step-up authentication apply to Developer Edition, trial, scratch, or other non-paid orgs? *

No. Step-up authentication enforcement is scoped to paid Production and Sandbox orgs only. Developer Edition orgs, trial orgs, scratch orgs, and other non-paid org types are not subject to enforcement.


* Note: Bugs have been reported for this behavior and fixes are targeted for patch releases in Summer '26.
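The policy rules spread across "What's Changing" and the FAQs above (time-based trigger, the 2 to 120 minute period, no trusted-IP or login-MFA exemption, fail-closed on MFA outage, and the exempt session types) can be collected into one decision function. The block below is an added example written for this article; it is not Salesforce's implementation. The session kinds, the Session fields, and the choice to apply the fail-closed rule only when a challenge is actually due are this example's modelling assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional

# Valid range of "Step-Up Authentication Period (Minutes)" as stated in the article.
PERIOD_MIN_MINUTES = 2
PERIOD_MAX_MINUTES = 120


class Outcome(Enum):
    ALLOW = "allow"            # report action proceeds without a new challenge
    CHALLENGE = "challenge"    # user must pass a step-up verification first
    BLOCK = "block"            # fail-closed: action is refused


class SessionKind(Enum):
    INTERACTIVE_UI = "interactive_ui"            # normal browser session: policy applies
    API = "api"                                  # non-interactive API access: exempt
    MOBILE_APP = "mobile_app"                    # Salesforce Mobile App: exempt
    LOGIN_AS = "login_as"                        # admin "Login As" session: exempt
    BACKGROUND = "background"                    # scheduled/subscribed delivery: exempt
    EXPERIENCE_EXTERNAL = "experience_external"  # external Experience Cloud user: exempt
    EXPERIENCE_INTERNAL = "experience_internal"  # internal user on an Experience site: blocked


EXEMPT_KINDS = {
    SessionKind.API, SessionKind.MOBILE_APP, SessionKind.LOGIN_AS,
    SessionKind.BACKGROUND, SessionKind.EXPERIENCE_EXTERNAL,
}


@dataclass
class Session:
    kind: SessionKind
    last_step_up: Optional[datetime]  # None: no step-up challenge passed yet in this session
    trusted_ip: bool = False          # deliberately ignored: no network exemption
    mfa_at_login: bool = False        # deliberately ignored: login MFA does not reset the timer
    embedded_component: bool = False  # report/dashboard embedded in a Lightning page: exempt


def period_is_valid(minutes: int) -> bool:
    """True if the configured period lies in the Salesforce-defined 2..120 minute range."""
    return PERIOD_MIN_MINUTES <= minutes <= PERIOD_MAX_MINUTES


def evaluate(session: Session, period_minutes: int, now: datetime,
             mfa_service_up: bool = True) -> Outcome:
    """Decide whether a report/dashboard action in this session may proceed."""
    if not period_is_valid(period_minutes):
        raise ValueError(f"period must be {PERIOD_MIN_MINUTES}..{PERIOD_MAX_MINUTES} minutes")
    if session.kind in EXEMPT_KINDS or session.embedded_component:
        return Outcome.ALLOW
    if session.kind is SessionKind.EXPERIENCE_INTERNAL:
        return Outcome.BLOCK
    # Interactive UI session: purely time-based. trusted_ip and mfa_at_login are not consulted.
    if session.last_step_up is not None:
        if now - session.last_step_up < timedelta(minutes=period_minutes):
            return Outcome.ALLOW
    # A challenge is due. Modelling assumption: the fail-closed rule applies here, so an
    # unavailable MFA service blocks the action instead of issuing a challenge.
    if not mfa_service_up:
        return Outcome.BLOCK
    return Outcome.CHALLENGE


def record_challenge(session: Session, passed: bool, now: datetime) -> Outcome:
    """Apply a challenge result: success restarts the period, failure blocks the action."""
    if passed:
        session.last_step_up = now
        return Outcome.ALLOW
    return Outcome.BLOCK


if __name__ == "__main__":
    # Constructed walkthrough: 120-minute period, user logged in with MFA on a trusted IP.
    now = datetime(2026, 7, 1, 12, 0, tzinfo=timezone.utc)
    s = Session(SessionKind.INTERACTIVE_UI, last_step_up=None, trusted_ip=True, mfa_at_login=True)
    print(evaluate(s, 120, now))                           # challenge: login MFA does not count
    print(record_challenge(s, passed=True, now=now))       # allow: period starts now
    print(evaluate(s, 120, now + timedelta(minutes=90)))   # allow: still within the period
    print(evaluate(s, 120, now + timedelta(minutes=121)))  # challenge: period elapsed
```

The walkthrough in the main block shows the two points most often misread in the article: a fresh MFA login on a trusted network still draws a challenge on the first report action, and only a passed step-up challenge starts the period that suppresses further prompts.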

Change Log

June 4, 2026

  • Clarified Experience Cloud exemption: external users are exempt; internal/employee users accessing reports via an Experience Cloud site are not exempt and will be blocked.
  • Added new FAQs: API access (non-interactive), paid orgs only scoping, SOQL in Developer Console/Workbench, and Salesforce Mobile App are all exempt from step-up authentication.

June 2, 2026

  • Updated enforcement dates for Sandboxes and Production.
  • Clarified that Step-up Authentication applies to in-app access of reports and dashboards, not just Report Export activity.
  • Renamed Session Level Policy settings: "cool-down" terminology removed. New settings are "Require periodic step-up authentication" and "Step-Up Authentication Period (Minutes)."
  • Added new FAQs.

May 5, 2026

Initial publication


Knowledge Article Number

005321566

Salesforce Help | Article