Check That Your Implementation Satisfies the MFA Requirement

Awesome! Based on your answers, you satisfy the MFA requirement because you're using SSO and MFA with strong verification methods to access Salesforce products.

Note: If your users aren't prompted for a verification method on every login because you've implemented a Continuous Adaptive Risk and Trust Assessment (CARTA) or risk-based authentication system, your implementation satisfies the MFA requirement.

You can skip the remaining questions.

Your Salesforce users must receive an MFA challenge when they log in to your SSO site and they must verify their identity with a strong verification method. One-time passcodes via email, text messages, and voice calls aren't acceptable. To satisfy the MFA requirement, consider these options:

• Talk to your SSO provider about using their MFA service.
• Integrate a Continuous Adaptive Risk and Trust Assessment (CARTA) or risk-based authentication system with your SSO solution.
• For products built on the Salesforce Platform, you can use the free MFA functionality provided in Salesforce instead of enabling MFA at the SSO level. See Use Salesforce MFA for SSO Logins in Salesforce Help for details.

Note: If you're using trusted corporate devices with certificates or trusted networks (via VPN, Zero Trust Network Access, IP allowlists, trusted IP ranges, or login IP ranges, for example) for SSO access, go to Question 4.

Excellent! Based on your answers, you satisfy the MFA requirement because you're using Salesforce MFA for every login.

You can skip the remaining questions.

If a supported verification method is required only when users log in from new browsers or devices, you're using Device Activation or Identity Verification instead of MFA. That's good, but it doesn't satisfy the MFA requirement. You need to turn on MFA for your Salesforce products.

If users are never prompted for a verification method after they enter their username and password, you also need to turn on MFA.

See the "MFA Help for Your Salesforce Products" section on the MFA for Salesforce customer site.

Note: If your Salesforce product doesn't prompt users for a verification method because you're controlling direct logins using trusted devices with certificates or trusted networks (via VPN, Zero Trust Network Access, IP allowlists, trusted IP ranges, or login IP ranges), go to Question 4.

When corporate devices with certificates or corporate (trusted) networks are used on their own, they don't satisfy the MFA requirement.

If you use either of these mechanisms to control SSO access or direct Salesforce logins, you should turn on MFA for your SSO identity provider or your Salesforce products. But if that's not feasible, you can satisfy the MFA requirement by using trusted devices with certificates in combination with a trusted corporate network. See "Do trusted corporate devices meet the MFA requirement," "Does restricting logins to trusted networks meet the MFA requirement," and "Does using VPN or Zero Trust Network Access satisfy the MFA requirement" in the MFA FAQ for more details.

Hmmm, we've run out of options. Try starting over and re-evaluating the questions. If you're still not getting an answer about whether you satisfy the MFA requirement, contact your Salesforce representative for help.