You are here:
Multi-Factor Authentication for Marketing Cloud Engagement
Multi-factor authentication (MFA) enhances your Marketing Cloud Engagement login process by adding another layer of protection against common security threats, including phishing attacks, credential stuffing, and account takeovers. With MFA, a user must provide two factors to prove their identity — their username and password combination plus a supported verification method — before they can log in. Even if a user’s credentials wind up compromised, the additional factor helps prevent unauthorized access.
Starting with Summer ’22, MFA is part of the login experience and can't be turned off. Each time users log in with their Engagement username and password, they must also provide a registered verification method. See Register a Verification Method for details. To learn more about the requirement to use MFA, see the Salesforce MFA FAQ.
If MFA hasn’t been enforced for your tenant yet, Salesforce strongly recommends that you enable it on your own as soon as possible. See Enable and Require MFA for Marketing Cloud Engagement for details.
MFA requires that you add several new IP addresses to your allowlist. Review this list for the correct values.
MFA supports several types of verification methods.
- The Salesforce Authenticator mobile app
- Security keys that support WebAuthn or U2F, such as Yubico’s YubiKey and Google’s Titan Security Key
- Time-based one-time passcode (TOTP) authenticator apps like Google Authenticator, Microsoft Authenticator, and Authy
Enterprise accounts allow MFA enablement and settings changes at the top-level account in the tenant. Business units can only view MFA settings in their accounts.
Changes to Your Account with Multi-Factor Authentication
As of Summer ’22, MFA replaces the current Identity Verification feature in Marketing Cloud Engagement. All users (except for SSO users) must authenticate via username, password, and MFA verification method. This setting applies to all users and all physical locations. Previously used Identity Verification allowlists don’t apply to MFA login attempts.
These settings are inactive in Setup when MFA is turned on. The functionality doesn’t impact how MFA functions in your tenant.
- Identity Verification
- Business Unit Identity Verification
- Browser Verification Code Lifetime
- Time a browser can be inactive before requiring verification
- Allow machines not on Allowlisted IP Addresses access
- Don’t require Identity Verification for machines inside the allowlist
- Don’t require Identity Verification for SSO Logins
To learn more about MFA, see these topics.
- Enable and Require MFA for Marketing Cloud Engagement
For most tenants, multi-factor authentication (MFA) is integrated with the Marketing Cloud Engagement login experience and can’t be disabled. If Salesforce hasn’t made MFA mandatory for your tenant yet, you should do so yourself as soon as possible. Follow these steps to transition from Identity Verification (IDV) to multi-factor authentication (MFA). - Configure MFA Verification for Marketing Cloud Engagement Logins
Configure a multi-factor authentication (MFA) method to provide an additional layer of security for your Marketing Cloud Engagement account. MFA is required for all users and can’t be turned off. The first time you log in to your account, you must register an MFA verification method. On all subsequent logins, you must log in using MFA. - Manage Your MFA Verification Methods for Marketing Cloud Engagement
Follow these steps to manage the multi-factor authentication (MFA) verification methods for Marketing Cloud Engagement. - Revoke an MFA Verification Method for Marketing Cloud Engagement
If a user loses their multi-factor authentication (MFA) verification method, a Marketing Cloud Engagement admin can disconnect it for them. Each user account must have one registered method for access. If the user hasn't registered additional methods, they're prompted to set up a new method the next time they log in. - View MFA Events in Marketing Cloud Engagement
You can review a log of all multi-factor authentication (MFA) registration and verification attempts for your account. This log includes enablement and revocation actions and authentication attempts. Marketing Cloud admins can view all events in a tenant. Specific users see only those events related to their account. - Generate a Temporary MFA Verification Code for Marketing Cloud Engagement
A Marketing Cloud Engagement admin can generate a temporary verification code for a user who forgot or lost their multi-factor authentication (MFA) verification method. This code is effective for 24 hours. The user can enter this code multiple times until 24 hours elapses or you revoke the code. - Review MFA Enrollment Status for Marketing Cloud Engagement
Review the multi-factor authentication (MFA) enrollment status of users in your account to see who hasn't registered a verification method yet. - Multi-Factor Authentication FAQ for Marketing Cloud Engagement
Review some answers to common questions about multi-factor authentication (MFA) in Marketing Cloud Engagement.
