Multi-Factor Authentication for Salesforce

A simple, effective way to increase protection against unauthorized account access

hero image

As cyberattacks grow more common, passwords no longer provide sufficient safeguards against unauthorized account access. Multi-factor authentication (or MFA) adds an extra layer of protection against threats like phishing attacks, increasing security for your business and your customers. That’s why, effective February 1, 2022, Salesforce requires customers to use MFA when accessing Salesforce products. Use the MFA Requirement Checker to see if your implementation satisfies this requirement.

Be Ready for MFA Auto-Enablement and Enforcement

<h3 style="text-align: center;"><span style="color: #032d60;">MFA Enforcement Roadmap</span></h3>

MFA Enforcement Roadmap

Keep track of when Salesforce will automatically enable and enforce MFA for your Salesforce products.

<h3 style="text-align: center;"><span style="color: #032d60;">Notifications by Product</span></h3>

Notifications by Product

Review the MFA auto-enablement and enforcement email notifications that we've sent to customers.

<h3 style="text-align: center;"><span style="color: #032d60;">Everything You Need to Know</span></h3>

Everything You Need to Know

For products built on the Salesforce Platform -- Learn how we'll enable and enforce MFA in your org and how your users will be affected.

How MFA Works

MFA requires a user to validate their identity with two or more forms of evidence — or factors — when they log in. One factor is something the user knows, such as their username and password combination. Other factors are verification methods that the user has in their possession. While there’s a risk that a password may be compromised, it’s highly unlikely that a bad actor can also gain access to a strong verification method like a security key or authentication app.

Salesforce MFA for Direct Logins

Salesforce offers simple, innovative MFA solutions that provide a balance between strong security and user convenience. Salesforce products support several types of strong verification methods to satisfy your business and user requirements.

  • Salesforce Authenticator Mobile App: A fast, frictionless solution that makes MFA verification easy via simple push notifications that integrate into your Salesforce login process. Use this app in your MFA implementation to increase security while driving a better user experience.
  • Third-Party Authenticator Apps: Authenticate with apps that generate temporary codes based on the OATH time-based one-time password (TOTP) algorithm. There are many apps available, including Google AuthenticatorTM, Microsoft AuthenticatorTM, and AuthyTM.
  • Security Keys: These small physical devices are easy to use because there’s nothing to install and no codes to enter. Security keys are a great solution if mobile devices aren’t an option for your users. Salesforce supports USB, Lightning, and NFC keys that support the WebAuthn or U2F standards, including Yubico’s YubiKeyTM and Google’s TitanTM Security Key.
  • Built-In Authenticators: Easy MFA verification using a desktop or mobile device’s built-in authenticator service, such as Windows HelloTM, Touch ID(R), or Face ID(R).

MFA for Single Sign-On (SSO)

Do your users regularly access multiple apps during the course of their day? Your best option is to combine MFA and SSO, so you can deliver enhanced security along with a convenient, simplified login experience. 

If you've already integrated your Salesforce products with an SSO solution, ensure that MFA is enabled for all your Salesforce users. You can use your SSO provider’s MFA service. Or, for products that are built on the Salesforce Platform, you can use the free MFA functionality provided in Salesforce instead of enabling MFA at the SSO level. 

Learn More About MFA

MFA Guidance for Salesforce Partners

Looking for guidance on how you and your customers can satisfy the MFA requirement? In addition to the resources on this site, check out the MFA Requirement page in the Partner Community. It's your central place for all partner-related MFA resources, including training courses, discussion groups, partner FAQs, and more. A partner community login is required.

Report a Security Concern

As a leading software-as-a-service and platform-as-a-service provider, Salesforce is committed to setting the standard in safeguarding our environment and customers’ data. Partner with us by reporting any security concerns.