Everything Admins Need to Know About the MFA Requirement

By

Editor’s note: The contractual requirement to log in with multi-factor authentication (MFA) is in effect. This post was updated on June 27, 2024, with the latest information and resources. 

It feels like we’ve talked about security a lot in the past year, doesn’t it? Whether you tuned into #LowCodeLove on Trailhead Live, read about washing your hands, or listened to one of our favorite Salesforce MVPs talk about her experience rolling out MFA, it’s been top of mind.

At Salesforce, we’re always thinking of ways to better protect our customers and keep their data secure. That’s why Salesforce requires customers to use multi-factor authentication (MFA) when accessing Salesforce products. This contractual requirement went into effect on February 1, 2022.

This may seem like a big change, and we want to be clear about why it’s so important for Salesforce customers to implement stronger security measures in this current environment. The cybersecurity threat landscape is always evolving to include more sophisticated methods of targeting data. In fact, cyber attacks that can harm businesses and exploit consumers are on the rise. We also saw the number of phishing websites increase by 80% in 2020, according to Google’s Safe Browsing report.

MFA enhances login security by adding an extra layer of protection against unauthorized account access. MFA can help protect user accounts from some of the most common threats, such as phishing attacks, credential stuffing, and account takeovers. It’s a secure authentication process that requires users to prove their identity by supplying two or more pieces of evidence (or “factors”) when they log in. We strongly encourage customers to implement the most current and industry-standard security measures, and MFA is at the top of this list.

Let’s get back to the requirement…

To satisfy the requirement, you must do one of — or a combination of — the following:

  • Use MFA for users who log in to Salesforce products (including partner solutions) through the user interface.
  • Use federated single sign-on (SSO) for Salesforce products, including partner solutions. If you decide to implement SSO, we require customers to enable MFA for their identity provider (IdP). With a well-implemented SSO strategy, you can reduce some of the risks associated with weak or reused passwords, and make it easier for your users to log in to frequently-used applications.

The good news: MFA and the Salesforce Authenticator app are available at no extra cost. Salesforce also offers an SSO solution, but you should work with your IT or Security team to determine if SSO, and which IdP, is the best fit for your company.

And more good news: To help customers satisfy the requirement, MFA is now a default part of the direct login process for Salesforce products. That means it’s no longer necessary to enable MFA for direct logins yourself, giving you more time to focus on onboarding your users to MFA.

Does SSO satisfy the MFA requirement?

Yes — as long as all of your Salesforce products are integrated with SSO, with MFA enabled on the IdP, and all users who access a Salesforce product’s user interface do so via SSO. Note that you must use a federated SSO solution based on the Security Assertion Markup Language (SAML) or OpenID Connect standard protocols. Delegated Authentication does not satisfy the MFA requirement.

Okay, got it. How do I get started?

We’ve compiled a list of helpful resources to get you started on the MFA journey. As a Salesforce Admin, most of the responsibility for implementing SSO and MFA, and preparing users for MFA, will fall to you.

And join the conversation anytime in the MFA — Getting Started Trailblazer Community.

Core responsibilities of a Salesforce Admin

Core Responsibilities of a Salesforce Admin: Your Blueprint for Success

As admins, you hold the keys to success for your users and companies to get the most out of Salesforce. You have the unique opportunity to build and manage trusted solutions that drive productivity and innovation through five core admin responsibilities: security, user management, data management, analytics, and a new core responsibility: product management.  The […]

READ MORE
User management enhancements Winter '25

User Management Enhancements | Winter ’25 Be Release Ready

Winter ’25 is almost here! Learn more about user management and check out Be Release Ready to discover more resources to help you prepare for Winter ’25. We’re continuing to innovate in Setup starting with user access and user management. We have several exciting enhancements in store for Winter ’25–many thanks to your feedback and […]

READ MORE
Troubleshoot user access with SOQL

How to Troubleshoot User Access with SOQL (Beginner Friendly)

Awesome Admins, we know that troubleshooting user access is a common task. You’re frequently asked questions like “Why can Jane access this field, but John can’t?” or “Why can John view this record when he shouldn’t be able to?” In Summer ’24, we introduced helpful summary views for users, public groups, permission sets, and permission […]

READ MORE