Check That Your Implementation Satisfies the MFA Requirement


Want to make sure you're satisfying the contractual requirement to use multi-factor authentication (MFA) when logging in to your Salesforce products? Use this page to see if you're good to go. If you're not quite there yet, we provide next steps so you can achieve compliance. The complete terms of the requirement are defined in the Notices and Licenses Information (NLI) for your product(s), available on the Salesforce Trust and Compliance Documentation site.

MFA Requirement Checker

To see if your current or planned implementation satisfies the MFA requirement, answer a few questions.

  • Question 1: How do your users access your Salesforce products?

    By logging in to an SSO site: Go to Question 2.
    By logging in directly with their Salesforce username and password: Go to Question 3.


    Note: If your users are allowed to access Salesforce products through SSO as well as by logging in directly, we recommend
    changing your configuration so users can't bypass your SSO system. Otherwise, you need to enable MFA for both SSO and direct logins, so answer both Question 2 and Question 3.

  • Question 2: Do your Salesforce users log in to an SSO site by entering a username and password, followed by a strong verification method?

    Your answer: Yes

    Awesome! Based on your answers, you satisfy the MFA requirement because you're using SSO and MFA with strong verification methods to access Salesforce products.

    Note: If your users aren't prompted for a verification method on every login because you've implemented a Continuous Adaptive Risk and Trust Assessment (CARTA) or risk-based authentication system, your implementation satisfies the MFA requirement.

    You can skip the remaining questions.

    Your answer: No

    Your Salesforce users must receive an MFA challenge when they log in to your SSO site and they must verify their identity with a strong verification method. One-time passcodes via email, text messages, and voice calls aren't acceptable. To satisfy the MFA requirement, consider these options:

    • Talk to your SSO provider about using their MFA service.
    • Integrate a Continuous Adaptive Risk and Trust Assessment (CARTA) or risk-based authentication system with your SSO solution.
    • For products built on the Salesforce Platform, you can use the free MFA functionality provided in Salesforce instead of enabling MFA at the SSO level. See Use Salesforce MFA for SSO Logins in Salesforce Help for details.

    Note: If you're using trusted corporate devices with certificates or trusted networks (via VPN, Zero Trust Network Access, IP allowlists, trusted IP ranges, or login IP ranges, for example) for SSO access, go to Question 4.

  • Question 3: Do your users log in directly to the user interface for your Salesforce products by entering a username and password, followed by a supported verification method that they must provide on every login?

    Your answer: Yes

    Excellent! Based on your answers, you satisfy the MFA requirement because you're using Salesforce MFA for every login.

    You can skip the remaining questions.

    Your answer: No

    If a supported verification method is required only when users log in from a new browser or device, you're using Device Activation or Identity Verification instead of MFA. That's good, but it doesn't satisfy the MFA requirement, which calls for a verification method on every login. You need to turn on MFA for your Salesforce products.

    If users are never prompted for a verification method after they enter their username and password, you also need to turn on MFA.

    See the "MFA Help for Your Salesforce Products" section on the MFA for Salesforce customer site.

    Note: If your Salesforce product doesn't prompt users for a verification method because you're controlling direct logins using trusted devices with certificates or trusted networks (via VPN, Zero Trust Network Access, IP allowlists, trusted IP ranges, or login IP ranges), go to Question 4.

  • Question 4: Are you using trusted corporate devices or trusted networks to grant access to Salesforce products?

    Your answer: Yes

    When corporate devices with certificates or corporate (trusted) networks are used on their own, they don't satisfy the MFA requirement.

    If you use either of these mechanisms to control SSO access or direct Salesforce logins, you should turn on MFA for your SSO identity provider or your Salesforce products. But if that's not feasible, you can satisfy the MFA requirement by using trusted devices with certificates in combination with a trusted corporate network. See "Do trusted corporate devices meet the MFA requirement," "Does restricting logins to trusted networks meet the MFA requirement," and "Does using VPN or Zero Trust Network Access satisfy the MFA requirement" in the MFA FAQ for more details.

    Your answer: No

    Hmmm, we've run out of options. Try starting over and re-evaluating the questions. If you're still not getting an answer about whether you satisfy the MFA requirement, contact your Salesforce representative for help.

What Should I Do With This Information?

Know if you satisfy the MFA requirement or if you have work to do

If the answers you get here indicate that your implementation satisfies the MFA requirement, congratulations!

Otherwise, review the MFA FAQ to understand the full details of the MFA requirement, and use the recommended documentation to implement a solution that complies.

If you have an IT or cybersecurity team, get their guidance.

And you can always take questions to the MFA - Getting Started Trailblazer Community group, where Salesforce security experts are ready to help.

When you determine that you've satisfied the MFA requirement, you don't need to certify compliance to Salesforce

Salesforce doesn't require customers to certify compliance with their contractual obligations. In keeping with this practice, Salesforce isn't requiring customers to get formal certification or otherwise attest that they satisfy the MFA requirement.

What to expect if you aren't satisfying the MFA requirement at this time

The MFA requirement has been in effect since February 1, 2022. If you're not using MFA for direct logins or SSO access to your products, see "What happens if we don't satisfy the MFA requirement?" in the MFA FAQ.