Multi-Factor Authentication FAQ for Marketing Cloud Engagement

Effective February 1, 2022, MFA is required for all users who access your Salesforce products. To learn more about this requirement, see the Salesforce Multi-Factor Authentication FAQ.

Note As of Summer ’22, Salesforce has integrated MFA into the Engagement login experience for most tenants and it can’t be disabled. If MFA hasn’t been enforced for your tenant yet, Salesforce strongly recommends that you enable it on your own as soon as possible. See Enable and Require MFA for Marketing Cloud Engagement for more information.

Can I Turn Off MFA?

As of Summer ’22, multi-factor authentication (MFA) is a permanent part of the Engagement login experience and it can't be disabled.

Note

If MFA hasn’t been enforced for your tenant yet, Salesforce strongly recommends that you enable it on your own as soon as possible. See Enable and Require MFA for Marketing Cloud Engagement for more information.

If necessary, you can disable MFA after you turn it on, up until the time that Salesforce enforces MFA for your tenant. To learn more about the requirement to enable MFA, see the Salesforce Multi-Factor Authentication FAQ.

My Tenant Authenticates Using SSO, So How Does MFA Apply?

To satisfy the MFA requirement for your SSO users, ensure that MFA is enabled for your SSO identity provider (IdP). The multi-factor authentication (MFA) feature in Marketing Cloud Engagement doesn't apply to users who log in to their account via SSO.

If you have some users who log in directly to Engagement instead of using SSO, Salesforce has integrated MFA into the Engagement login experience for most tenants and it can’t be disabled. If MFA hasn’t been enforced for your tenant yet, Salesforce strongly recommends that you enable it on your own as soon as possible. See Enable and Require MFA for Marketing Cloud Engagement for more information.

Which MFA Verification Methods Are Supported?

Marketing Cloud Engagement supports three types of multi-factor authentication (MFA) verification methods.

• The Salesforce Authenticator mobile app
• Security keys that support WebAuthn or U2F, such as Yubico’s YubiKey or Google’s Titan Security Key
• Time-based one-time passcode (TOTP) authenticator apps like Google Authenticator, Microsoft Authenticator, and Authy

An Engagement admin can also send a temporary verification code to any users who forget or lose their verification methods.

Can I Register Multiple MFA Verification Methods?

Yes! In fact, we recommend registering at least two methods so you have a backup available if you lose or forget your primary method.

You can register all supported verification methods and use them to log in to Marketing Cloud Engagement. However, you can register only one method per verification method type. For example, you could register a single authenticator app and a single security key. At the verification prompt, choose another verification method to verify using an alternate verification method.

Engagement prioritizes registration methods in this order.

(1) Salesforce Authenticator

(2) Security Key

(3) TOTP Generator App

Can I Use Email as an MFA Verification Method?

No, Salesforce doesn't support the use of email as a verification method for multi-factor authentication (MFA).

See Configure MFA Verification for Marketing Cloud Engagement Logins for the methods that are supported.

Does MFA Affect API Integrations?

No, multi-factor authentication (MFA) only affects authentication for users who log in to Marketing Cloud Engagement via their browser or the Engagement mobile app. MFA doesn’t affect REST or SOAP API requests.

Does MFA Affect Identity Verification Setup?

Multi-factor authentication (MFA) automatically replaces the Identity Verification security setting in Marketing Cloud Engagement. As of Summer ’22, MFA is part of the Engagement login experience and can't be turned off. No additional steps are necessary to remove identity verification (IDV) from your account. If you're new to MFA, there are a few differences from IDV to be aware of.

• Engagement doesn’t allow accounts to bypass MFA, even when IP allowlisting is enabled.
• Engagement doesn’t support email or SMS as MFA verification methods.
• When MFA is enabled, it doesn’t apply for users logging in using single sign-on (SSO). To satisfy the MFA requirement if you use SSO, ensure that your SSO provider's MFA service is enabled.

Does MFA Affect Marketing Cloud Connect or Distributed Marketing?

Marketing Cloud Connect and Distributed Marketing require that a user logs in via a browser during initial configuration. This interaction requires multi-factor authentication (MFA). After this setup, these applications keep tokens active via REST API, which doesn’t require additional MFA verification to run any automated process.

We recommend using an API user account for this connection. If the person in charge of maintaining this account leaves your company, we recommend resetting the password and reauthenticating the API user account for a new token. An admin can send the new person in charge of maintaining this account a temporary token for the MFA verification. If you choose to use a specific person’s account to connect Marketing Cloud Connect and that person leaves your company, we recommend using a new account and reauthenticating the connection using a temporary MFA token.

How Does MFA Affect the "Allow machines not on Allowlisted IP Addresses access" Setting?

As of Summer ’22, multi-factor authentication (MFA) is a permanent part of the login experience and it can't be disabled. Note that if your account uses an IP allowlist to restrict logins to specified IP addresses, the "Allow machines not on Allowlisted IP Addresses access" setting is no longer supported. Users won't be able to log in if they try to access Engagement from an IP address that's outside the allowlist.

To resolve this issue if the "Allow machines not on Allowlisted IP Addresses access" setting is selected for your account, update the IP allowlist to include all the IP ranges that users are logging in from. You can specify a wider range of addresses that apply only to user interface logins if you want to keep a more limited range for API interactions.

How Does MFA Impact the Mobile App?

Multi-factor authentication (MFA) applies to logins through the Mobile App, the same as other logins outside the mobile app. We recommend that users register MFA verification methods through a web application login.

Are MFA Events Logged?

Yes, multi-factor authentication (MFA) events are logged. In Setup, click Multi-Factor Authentication, and select View MFA Events. Users can review MFA events specific to them. Admins can review MFA events for the entire tenant.

Can I use All Supported Browsers with MFA?

If you’re using security keys for your multi-factor authentication (MFA) implementation, log in to Marketing Cloud Engagement from a browser that’s compatible with the WebAuthn or U2F standards. WebAuthn is supported in the latest versions of Chrome, Firefox, Microsoft Edge, and Safari. U2F is supported in the latest version of Chrome only. MFA doesn’t support the legacy (non-Chromium) version of Microsoft Edge.