Blaze and Astro standing on a field holding a security shield.

Get Ready for Multi-Factor Authentication: Plan for Auto-Enablement


Editor’s note: This post was updated on November 6, 2023, with the latest information and resources.

Multi-factor authentication (MFA) is one of the easiest and most effective ways to protect user accounts against cybersecurity threats. It’s such an important safeguard that Salesforce made it a contractual requirement to use MFA when accessing Salesforce products. That requirement went into effect on February 1, 2022. And now? MFA auto-enablement for Salesforce orgs is underway! But don’t worry, this post will help you navigate what’s involved so you and your users are prepared.

This change affects how your users log in, so let’s do a quick review of what to expect. If you’ve already satisfied the MFA requirement, thank you! But keep reading because there’s one last consideration that may apply to your org.

What exactly is MFA auto-enablement?

The term may be a little ponderous, but the concept is pretty simple. Basically, it’s when Salesforce turns on MFA in a customer’s org on their behalf.

Beyond the basics, we’re going to use the Release Update mechanism–specifically, the MFA Auto-Enablement Release Update–to take this action. When the update goes into effect for an org, it turns on the Require multi-factor authentication (MFA) for all direct UI logins to your Salesforce org setting. Hopefully, the setting name is self-explanatory, but to be safe: The setting acts at the org level to enable MFA for all users who log in with their username and password.

The MFA org setting on the Identity Verification page in Setup.

Salesforce is applying the MFA Auto-Enablement Release Update for direct logins to all production orgs, even orgs that already satisfy the MFA requirement and those that have single sign-on (SSO) set up for Salesforce access. Why? Because the org-level MFA setting ensures that all direct logins get MFA. And it simplifies ongoing maintenance. Adding new users? Have some users who occasionally bypass SSO and log in directly? You don’t have to remember to enable MFA in these scenarios because the MFA org setting has you covered.

What to expect when MFA is auto-enabled for your org

Better security! More peace of mind! But you’d probably like some specifics, so here you go.

  • All users who log in directly with a username and password will also need to verify their identity with an MFA verification method, such as Salesforce Authenticator or a security key.
  • If a user hasn’t already set up a verification method, they’re guided through the process to register one the next time they log in. But if users aren’t quite ready for this step, there’s a 30-day grace period after auto-enablement occurs where they can skip registration and log in without MFA.
  • If you’ve assigned the Multi-Factor Authentication for User Interface Logins user permission to some users and they’re already logging in with MFA, no worries. They won’t notice any changes.
  • Also not to worry–logins to your org via SSO aren’t affected.

If you need more time to prepare for MFA, Salesforce Admins can temporarily turn off the MFA org setting after auto-enablement.

An important step before your org is auto-enabled, even if you already satisfy the MFA requirement

There are several user types and use cases that are exempt from the MFA requirement. Most are automatically excluded from MFA when an org is auto-enabled. But there are a few exempt use cases that must be manually excluded by a Salesforce Admin before the MFA org setting is applied. To see if this step applies to your org–even if you’ve already enabled MFA for your users–take a look at Exclude Exempt Users from MFA in Salesforce Help.

The MFA auto-enablement schedule

We’re auto-enabling MFA over the course of several releases. The first three phases occurred between the Spring ’23 and Summer ’23 releases. For orgs included in the fourth and final phase, the MFA Auto-Enablement Release Update was added to your org in Winter ’24 and it will take effect when the Spring ’24 release rolls out.

Is your org included in phase 4? To find out, keep an eye on the Release Updates node in Setup. If you see the MFA Auto-Enablement Release Update now, you know that Salesforce is auto-enabling your org in Spring ’24.

Don’t wait! Roll out MFA your way

If MFA isn’t fully implemented for your org yet, you may be inclined to wait and have Salesforce do it for you. But here are a few plusses for doing your own implementation as soon as possible.

  1. The longer you wait, the longer you’re missing out on the valuable extra protection against cyberattacks that you get with MFA.
  2. Controlling your own rollout plan and schedule ensures you can avoid the disruptions to your users and your business that could occur when Salesforce auto-enables MFA. You can turn on MFA at a time that doesn’t conflict with other important initiatives at your company. And you can make sure your users get all the preparation they need in advance of going live.

Turning on the MFA org setting takes just a few minutes. And the MFA Rollout Pack gives you a treasure trove of templates for communications, training, and user onboarding materials to prepare your users. So why wait?!


And join the conversation anytime in the MFA – Getting Started Trailblazer Community.

Cloudy with a laptop standing next to text that says, "Security + AI Basics for Salesforce Admins."

Security + AI Basics for Salesforce Admins

Artificial intelligence (AI) is everywhere right now and everyone is talking about it. From having fun with generative imaging to staring in wonder at driverless cars, it seems that AI is popping up all over the place. Salesforce has made a ton of AI announcements with Sales GPT, Service GPT, Slack GPT, and beyond. As […]

Get Ready for MFA: Tips to Help Users Recover Access

Get Ready for Multi-Factor Authentication: Tips to Help Users Recover Access

As an #AwesomeAdmin, part of your role is managing and maintaining user access. So when multi-factor authentication (MFA) goes into effect for your org–whether you’re turning it on yourself or waiting for Salesforce to auto-enable it for you–it’s important to know how to resolve MFA-related access issues that users may encounter. Access issues typically fall […]

Astro with a clipboard under text that says "Get Ready for MFA: Prepare Your End-Users"

Get Ready for Multi-Factor Authentication: Prepare Your End-Users

With multi-factor authentication (MFA) auto-enablement for Salesforce orgs on the horizon, you might be wondering how to prepare your users for this change. We’ve got you covered! Busy people aren’t always receptive to change. To hit the right notes with your Salesforce users, share why MFA is a critical security measure and help everyone quickly […]