This article outlines updates to MFA registration and login behavior following the enforcement of MFA for All Employee Users and Phishing-Resistant MFA for Privileged Users. Key updates include a new passkey-first registration experience and details on system behavior for orgs granted temporary MFA or phishing-resistant MFA extensions by Salesforce.
Please review closely the intended behavior of the MFA Passkey Prompts as users may misunderstand why they are seeing the prompts after enforcement takes effect, particularly when extensions may have been applied.
It is important to note a key update to the login experience for all users: passkey registration is now prompted by default for ALL users upon login. Refer to the following Release Note for reference.
If a user attempts to log in without having an MFA method registered, the system displays a prompt to “Create a Passkey”. Depending on the user type determined from their assigned privileges, they may also see an option to select Another Verification Method located immediately below the primary Create Passkey button..
User types are defined by their assigned privileged as follows:
Privileged Users (Including Administrators): Any user assigned to at least one of these privileged administrative permissions:
System Administrator profile (or custom profile cloned from it) OR
Modify All Data (MAD) permission OR
View All Data (VAD) permission OR
Customize Application permission OR
Author Apex permission
Non-Privileged User: Any user who does not have any of the following: System Administrator profile (or custom profile cloned), Modify All Data, View All Data, Customize Application, or Author Apex.
See below for the user login flow based on the user type:
Non-Privileged User:These users are permitted to either Create a Passkey or Choose Another Verification Method. Opting for an alternative method redirects them to a secondary screen where they can select either Salesforce Authenticator or a One-Time Password App) - refer to Step 2 below. Extensions:
CRITICAL NOTE:
|
Privileged Users (Including Admins):These users are strictly limited to the Create a Passkey selection and cannot choose alternative verification options, as the Choose Another Verification Method feature is omitted. They must follow the prompts to enroll a Passkey [Built-in Authenticators or Security Keys[ to login. Extensions:
CRITICAL NOTE:
|
| Non-Privileged User prompt when no extensions are granted:
| Privileged Users (Including Admins) prompt when no extensions are granted:
|
|
Step 2: If users click Choose Another Verification Method, they will see this screen: | |
|
# |
Use Case |
Customer Org UI Setting |
Salesforce Extensions |
Expected Behavior | ||
|
Org-Wide MFA Setting [in Setup-> Identity Verification] “Require multi-factor authentication (MFA) for all direct UI logins to your Salesforce org” |
MFA For All Employees Extension |
Phishing Resistant MFA (Passkeys) Extension |
Non-Privileged Users |
Privileged Users (Incl. Admins) | ||
|
1 |
Default: No Extensions |
Enabled (via Salesforce Enforcement) |
Not Granted |
Not Granted |
Standard MFA Required |
Phishing Resistant MFA Required |
|
2 |
Phishing Resistant MFA Extension Only |
Enabled (via Salesforce Enforcement) |
Not Granted |
Granted |
Standard MFA Required |
Standard MFA Required |
|
3 |
MFA For All Employees Extension Only & Org-Wide MFA setting Enabled |
Enabled (Admin controlled) |
Granted |
Not Granted |
Standard MFA Required |
Phishing Resistant MFA Required |
|
4 |
MFA For All Employees Extension Only & Org-Wide MFA setting Disabled |
Disabled (Admin controlled) |
Granted |
Not Granted |
No MFA Required |
Phishing Resistant MFA Required |
|
5 |
Both Extensions Granted & Org-Wide MFA setting Enabled |
Enabled (Admin controlled) |
Granted |
Granted |
Standard MFA Required |
Standard MFA Required |
|
6 |
Both Extensions Granted & Org-Wide MFA setting Disabled |
Disabled (Admin controlled) |
Granted |
Granted |
No MFA Required |
No MFA Required |
Note: For the Use Case Details below we refer to the Org-Wide MFA Setting [in Setup-> Identity Verification] “Require multi-factor authentication (MFA) for all direct UI logins to your Salesforce org” as: Org-Wide MFA setting "Require MFA" for brevity.
Configuration
Behavior
Notes
Configuration
Behavior
Notes
Possible Scenario
Orgs that need Standard MFA for admins but cannot deploy Phishing-Resistant MFA yet
Configuration
Behavior
Notes
Possible Scenario
Org has the MFA For All Employees Extension Granted, giving them the option to disable the Org-Wide MFA setting "Require MFA" but chooses to maintain MFA enforcement
Configuration
Behavior
Notes
Possible Scenario
Orgs with SSO-based MFA for Non-Privileged users needing more time, but Phishing-Resistant MFA for Privileged users for direct logins to Salesforce is implemented.
Configuration
Behavior
Notes
Possible Scenario
Org chose MFA enforcement to help validate their implementation of Standard MFA, but cannot deploy Phishing-Resistant MFA for admins yet
Configuration
Behavior
Notes
Possible Scenario Customer needs more time to implement all requirements. This is not recommended as it means no level of MFA is being enforced for both Privileged and Non-Privileged users.
|
Date |
Change |
|
July 13, 2026 | Initial Publication |
005388907

We use three kinds of cookies on our websites: required, functional, and advertising. You can choose whether functional and advertising cookies apply. Click on the different cookie categories to find out more about each category and to change the default settings.
Privacy Statement
Required cookies are necessary for basic website functionality. Some examples include: session cookies needed to transmit the website, authentication cookies, and security cookies.
Functional cookies enhance functions, performance, and services on the website. Some examples include: cookies used to analyze site traffic, cookies used for market research, and cookies used to display advertising that is not directed to a particular individual.
Advertising cookies track activity across websites in order to understand a viewer’s interests, and direct them specific marketing. Some examples include: cookies used for remarketing, or interest-based advertising.