Everything Admins Need to Know About the MFA Requirement


It feels like we’ve talked about security a lot in the past year, doesn’t it? Whether you tuned into #LowCodeLove on Trailhead Live, read about washing your hands, or listened to one of our favorite Salesforce MVPs talk about her experience rolling out MFA, it’s been top of mind.

At Salesforce, we’re always thinking of ways to better protect our customers and keep their data secure. That’s why we recently announced a new requirement for customers: Beginning February 1, 2022, Salesforce will require customers to enable multi-factor authentication (MFA) in order to access Salesforce products.

This may seem like a big change, and we want to be clear about why it’s so important for Salesforce customers to implement stronger security measures in this current environment. The cybersecurity threat landscape is always evolving to include more sophisticated methods of targeting data. In fact, cyber attacks that can harm businesses and exploit consumers are on the rise. We also saw the number of phishing websites increase by 80% in 2020, according to Google’s Safe Browsing report.

MFA enhances login security by adding an extra layer of protection against unauthorized account access. MFA can help protect user accounts from some of the most common threats, such as phishing attacks, credential stuffing, and account takeovers. It’s a secure authentication process that requires users to prove their identity by supplying two or more pieces of evidence (or “factors”) when they log in. We strongly encourage customers to implement the most current and industry-standard security measures, and MFA is at the top of this list.

Let’s get back to the requirement…

To satisfy the requirement, you must do one of — or a combination of — the following:

  • Enable MFA for users who log in to Salesforce products (including partner solutions) through the user interface.
  • Use federated single sign-on (SSO) for Salesforce products, including partner solutions. If you decide to implement SSO, we are requiring customers to enable MFA for your identity provider (IdP). With a well-implemented SSO strategy, you can reduce some of the risks associated with weak or reused passwords, and make it easier for your users to log in to frequently-used applications.

The good news: MFA and the Salesforce Authenticator app are available at no extra cost. Salesforce also offers an SSO solution, but you should work with your IT or Security team to determine if SSO, and which IdP, is the best fit for your company.

We’re working to define an extension process for customers who may need more time to roll out MFA or SSO. For more detailed information about the requirement, visit the Salesforce Multi-Factor Authentication FAQ.

Does SSO satisfy the MFA requirement?

Yes — as long as all of your Salesforce products are integrated with SSO, with MFA enabled on the IdP, and all users who access a Salesforce product’s user interface do so via SSO. Note that you must use a federated SSO solution based on the Security Assertion Markup Language (SAML) or OpenID Connect standard protocols. Delegated Authentication does not satisfy the MFA requirement.

Okay, got it. How do I get started?

We’ve compiled a list of helpful resources to get you started on the MFA journey. As a Salesforce Admin, most of the responsibility for implementing MFA or SSO will fall to you. We encourage you to begin planning now for this change. Depending on the number of users and other requirements your company has around compliance, it can take some time to roll out.

We’re hard at work creating more resources to make rolling out MFA as easy as possible for Salesforce Admins. Stay tuned for more MFA news, tools, and tips!

Image of Mia Pacey next to text that says "Skills for Success: Security Management."

Hone Your Security Management Skills as a Salesforce Admin

As Salesforce Admins, we work with important data and have a powerful platform at our fingertips. But as the saying goes, with great power comes great responsibility. You, as an admin, must promote a culture of positive security controls, protect your organization’s data from unauthorized access, and be security responsible. You play a crucial role […]

Green meadow and text that says "Admin Configuration Kit: Security & Visibility."

Design User Security and Visibility with This Admin Configuration Kit

What’s an Admin Configuration Kit? Let’s set the scene. You’re an admin. You’ve talked to your users. You know what they want, functionally, but you don’t know how to configure it. You don’t even know what you’re supposed to configure! Normally at this point, you’d start searching Google, Help & Training, Trailhead, the Trailblazer Community, […]

Ruth and Cloudy having a picnic next to text that says "Learn MOAR: #5 Event Monitoring."

Learn MOAR in Spring ’22 with Event Monitoring 💻

Follow and complete a Learn MOAR Spring ’22 trailmix for admins or developers by March 31, 2022, 11:59 p.m. PT, to earn a special community badge and enter for a chance to win one of five $200 USD Salesforce Certification vouchers. Learn how to participate and review the Official Rules by visiting the Trailhead Quests […]


Have an Idea for a Story?

We are all about the community and sharing ideas.
Do you have an interesting idea or useful tip that you want to share?