Want to make sure you'll satisfy the Salesforce MFA requirement that goes into effect on February 1, 2022? Use this page to see if you're good to go. If you're not quite there yet, we provide next steps so you can be ready by the deadline. The full contractual requirement is defined in the Salesforce Trust and Compliance Documentation.

MFA Requirement Checker

<spacer text>

To see if your current or planned implementation satisfies the MFA requirement, answer a few questions...

  • Question 1: How do your users access your Salesforce products?

    By logging in to an SSO site Go to Question 2
    By logging in directly Go to Question 3


    Note: If your users are allowed to access Salesforce products through SSO as well as by logging in directly, we recommend
    changing your configuration so users can't bypass your SSO system. Otherwise, you need to enable MFA for both SSO and direct logins, so go to Questions 2 and 3.xxx

  • Question 2: Do your Salesforce users log in to an SSO site by entering a username and password, followed by a strong verification method?

    Your answer What it means
    Yes

    Awesome! Based on your answers, you satisfy the MFA requirement because you're using SSO and MFA with strong verification methods to access Salesforce products.

    Note: If your users aren't prompted for a verification method on every login because you've implemented a Continuous Adaptive Risk and Trust Assessment (CARTA) or risk-based authentication system, your implementation satisfies the MFA requirement.

    You can skip the remaining questions.

    No

    Your Salesforce users must receive an MFA challenge when they log in to your SSO site and they must verify their identity with a strong verification method. One-time passcodes via email, text messages, and voice calls aren't acceptable. To satisfy the MFA requirement:

    • Talk to your SSO provider about using their MFA service.
    • Integrate a Continuous Adaptive Risk and Trust Assessment (CARTA) or risk-based authentication system with your SSO solution.
    • For products built on the Salesforce Platform, you can use the free MFA functionality provided in Salesforce instead of enabling MFA at the SSO level. See Use Salesforce MFA for SSO Logins in Salesforce Help for details.

    Note: If you're using trusted corporate devices with certificates or trusted networks for SSO access, go to Question 4.

  • Question 3: Do your users log in directly to the user interface for your Salesforce products by entering a username and password, followed by a supported verification method that they must provide on every login?

    Your answer What it means
    Yes

    Excellent! Based on your answers, you satisfy the MFA requirement because you're using Salesforce MFA for every login.

    You can skip the remaining questions.

    No

    If a supported verification method is required only when users log in from new browsers or devices, you're using Device Activation or Identity Verification instead of MFA. That's good, but it doesn't satisfy the MFA requirement. You need to turn on MFA for your Salesforce products.

    If users are never prompted for a verification method after they enter their username and password, you need to turn on MFA for your Salesforce products.

    Note: If your Salesforce product doesn't prompt users for a verification method because you're controlling direct logins using trusted devices with certificates or trusted networks (via IP allowlists, trusted IP ranges, or login IP ranges), go to Question 4.

  • Question 4: Are you using trusted corporate devices or trusted networks to grant access to Salesforce products?

    Your answer What it means
    Yes

    When corporate devices with certificates or corporate (trusted) networks are used on their own, they don't satisfy the MFA requirement.

    If you use either of these mechanisms to control SSO access or direct Salesforce logins, you should turn on MFA for your SSO identity provider or your Salesforce products. But if that's not feasible, using trusted devices with certificates in combination with a trusted corporate network can be an acceptable alternative to traditional MFA and satisfy the MFA requirement. See "Do trusted corporate devices meet the MFA requirement" and "Does restricting logins to trusted networks meet the MFA requirement" in the MFA FAQ for more details.

    No

    Hmmm, we've run out of options. Try starting over and re-evaluating the questions. If you're still not getting an answer about whether you satisfy the MFA requirement, contact your Salesforce representative for help.

What Should I Do With This Information?

Know if you satisfy the MFA requirement or if you have work to do

If the answers you get here indicate that your implementation meets the MFA requirement, you won't be affected when Salesforce begins automatically enabling and enforcing MFA.

Otherwise, review the MFA FAQ to understand the full details of the contractual requirement, and use the recommended documentation to implement a solution that complies.

If you have an IT or cybersecurity team, get their guidance.

And you can always take questions to the MFA - Getting Started Trailblazer Community group, where Salesforce security experts are ready to help.

When you determine that you've satisfied the MFA requirement, you don't need to certify compliance to Salesforce

Salesforce doesn't require customers to certify compliance with their contractual obligations. In keeping with this practice, Salesforce isn't requiring customers to get formal certification or otherwise attest that they satisfy the contractual MFA requirement.

What happens if you can't meet the requirement deadline? 

Here's how Salesforce plans to manage things after the February 1, 2022 deadline.

  • For customers who use SSO: See “How will Salesforce know that we've enabled MFA for our SSO identity provider and that we satisfy the requirement?” and "Will Salesforce enforce MFA for SSO?" in the MFA FAQ.