Salesforce is strengthening its 'secure-by-default' architecture by implementing a new, mandatory time-based step-up Multi-factor Authentication (MFA) framework to enhance data protection against unauthorized data exfiltration, starting with Report Export. This control requires users to complete an additional step-up challenge when performing a sensitive action, such as running or viewing a report, if a configurable amount of time has passed since their last step-up challenge.
For more info on the roadmap of upcoming targeted Security changes for the Salesforce Platform, see: Security-Related Product Updates to the Salesforce Platform.
Salesforce is implementing a new, mandatory time-based step-up authentication framework. Here are some of the key changes.
Report Export Security: Salesforce applies the control to Report Export first. Users will be challenged to perform a step-up MFA if a configurable time (for example, 2 hours) has passed since their last challenge for reports.
Configurable Cool-Down Period: On the Identity Verification page, admins can configure the “Require step-up authentication within cool-down period” session-level policy for Reports and Dashboards to adjust the re-authentication cadence between 2 and 120 minutes. The default is 120 minutes.
Trigger Action: The step-up challenge is triggered when a user runs or views a report, rather than waiting for them to click a "Download" or "Export" button. These broader criteria for additional verification help to mitigate data theft via UI-based screen scraping or browser-based data capture.
MFA at Login vs. Step-up: Users must pass the step-up challenge even if they recently logged in with MFA.
Default-On Enforcement: The framework is enforced by default.
SSO User Handling: The framework is mandatory for all users, including those with Federated Single Sign-On (SSO). SSO users without Salesforce MFA registered are challenged via email or SMS OTP.
No Network Exemption: Step-up authentication for Report Exports is required even when the user is logged in to Salesforce on a trusted IP or corporate network.
In response to evolving cybersecurity threats, we’re enhancing security and data protection. Report Export is considered a high-risk vector for data exfiltration. The step-up authentication framework provides these benefits.
Prevents Data Exfiltration: Step-up authentication is designed to preemptively slow or block potentially malicious data exfiltration.
Establishes High Assurance: Step-up authentication supports a new model of High Assurance. Report views and report export actions always require additional or stronger authentication challenges, even after a user has logged in with MFA.
Available in Sandboxes: Starting May 27, 2026, staggered over approximately 7 days
Available in Production: Starting May 27, 2026, staggered over approximately 15 days
Enforced in Sandboxes: Starting June 3, 2026, staggered over approximately 7 days
Enforced in Production: Starting June 10, 2026, staggered over approximately 20 days
All Salesforce Users: This control is mandatory for all users accessing Salesforce reports, regardless of whether they use Direct Login or Federated Single Sign-On (SSO).
Salesforce Admins: This control applies to Salesforce admins who access reports. Also, admins can configure the re-authentication time window.
Step-up Challenge Prompt: Users will encounter an additional step-up authentication challenge when they attempt to run or view a report, provided the configurable cool-down period has passed since their last challenge.
Supported Verification Methods: To complete the challenge, users can use any MFA verification method that Salesforce supports, including Passkeys, Security Keys, Salesforce Authenticator, or Time-based One-Time Password (TOTP) Apps.
Platform Users: Users without a registered MFA method will be challenged via an SMS One-Time Password (OTP) or email. Users without a reachable email address must register a Salesforce verification method, update their phone number, or provide a reachable email address.
Report Blocking: If the MFA service is unavailable or if the challenge fails, the report execution will be blocked to protect sensitive data.
To continue with the report action, users must successfully complete the step-up Multi-Factor Authentication (MFA) challenge presented to them.
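The rules described on this page can be modeled as a single decision function, which is useful for walking through test cases before enforcement begins. This is an added illustrative example, not Salesforce code or a Salesforce API: the `Session` fields, function names, and return strings are assumptions, and the sample values are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Range and default for the cool-down period, as stated on this page (minutes).
MIN_COOLDOWN, MAX_COOLDOWN, DEFAULT_COOLDOWN = 2, 120, 120

@dataclass
class Session:
    """Hypothetical session record; all field names are assumptions."""
    last_report_step_up: Optional[datetime]  # last step-up passed for reports
    logged_in_with_mfa: bool = False         # MFA completed at login
    on_trusted_network: bool = False         # trusted IP or corporate network
    registered_mfa: bool = False             # passkey, security key, authenticator, TOTP
    has_sms: bool = False                    # reachable mobile number
    has_email: bool = False                  # reachable email address

def validate_cooldown(minutes: int) -> int:
    """Reject values outside the admin-configurable range."""
    if not MIN_COOLDOWN <= minutes <= MAX_COOLDOWN:
        raise ValueError(f"cool-down must be {MIN_COOLDOWN}-{MAX_COOLDOWN} minutes")
    return minutes

def decide(session: Session, now: datetime,
           cooldown: int = DEFAULT_COOLDOWN, mfa_service_up: bool = True) -> str:
    """Decision for a report run/view: 'allow', 'challenge:<kind>' or 'block'."""
    window = timedelta(minutes=validate_cooldown(cooldown))
    last = session.last_report_step_up
    if last is not None and now - last < window:
        return "allow"  # still inside the cool-down since the last report step-up
    # logged_in_with_mfa and on_trusted_network are deliberately not consulted:
    # neither login MFA nor network location resets or waives the challenge.
    # Assumption: the MFA service is only needed once a challenge is due.
    if not mfa_service_up:
        return "block"  # fail closed
    if session.registered_mfa:
        return "challenge:mfa"
    if session.has_sms or session.has_email:
        return "challenge:otp"  # SMS or email one-time password fallback
    return "block"  # no reachable method: user must register one first

if __name__ == "__main__":
    now = datetime(2026, 6, 15, 12, 0)  # constructed sample time
    sso_user = Session(None, logged_in_with_mfa=True,
                       on_trusted_network=True, has_email=True)
    print(decide(sso_user, now))                        # SSO user, fresh MFA login
    print(decide(sso_user, now, mfa_service_up=False))  # MFA service outage
```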
Review User Configuration: Review the new step-up authentication policy when available in June. On the Identity Verification page, under Session Security Level Policies, find Reports and Dashboards. To use the new policy, select “Require step-up authentication within cool-down period”. For the cool-down period field, adjust the value within the Salesforce-defined threshold if needed.
Ensure Verification Methods: To ensure a smooth transition, confirm that all users, particularly those who use SSO, have configured at least one of these verification methods: a supported MFA verification method registered with Salesforce, a current email address, or an SMS mobile phone registered to their login. Users who can’t receive email or SMS must register a Salesforce verification method, update their phone number, or provide a reachable email address. In-app prompts for users without verification methods are available on a rolling basis starting in May 2026.
If a user is blocked from viewing or running a report, take these remediation steps.
Failing the Step-up Authentication Challenge: Instruct the user to attempt the challenge again with a registered and supported MFA or identity verification method.
MFA Service Unavailability: The framework operates on a "Fail-Closed" security posture, blocking report execution if the MFA service is unavailable. If this occurs, contact Salesforce Customer Support.
No. MFA at login doesn’t reset the timer for the step-up authentication on sensitive actions like report exports. Users are challenged again even if they recently logged in with MFA.
All standard Salesforce MFA verification methods are supported, including Passkeys (biometrics and Security Keys), Salesforce Authenticator, and TOTP Apps. SSO users without a registered Salesforce MFA method are challenged via email or SMS One-Time Password (OTP).
No. Step-up authentication for Report Exports is required even when the user is logged in to Salesforce on a "trusted IP" or "corporate network."
Yes. Admins can adjust the re-authentication cadence. However, they can’t set a value outside the valid range defined by Salesforce.
| Date | Change |
| --- | --- |
| May 5, 2026 | Initial publication |
005321566
