Get Ready for Multi-Factor Authentication: Plan for Auto-Enablement

Editor’s note: This post was updated on November 6, 2023, with the latest information and resources.

Multi-factor authentication (MFA) is one of the easiest and most effective ways to protect user accounts against cybersecurity threats. It’s such an important safeguard that Salesforce made it a contractual requirement to use MFA when accessing Salesforce products. That requirement went into effect on February 1, 2022. And now? MFA auto-enablement for Salesforce orgs is underway! But don’t worry, this post will help you navigate what’s involved so you and your users are prepared.

This change affects how your users log in, so let’s do a quick review of what to expect. If you’ve already satisfied the MFA requirement, thank you! But keep reading because there’s one last consideration that may apply to your org.

What exactly is MFA auto-enablement?

The term may be a little ponderous, but the concept is pretty simple. Basically, it’s when Salesforce turns on MFA in a customer’s org on their behalf.

Beyond the basics, we’re going to use the Release Update mechanism (specifically, the MFA Auto-Enablement Release Update) to take this action. When the update goes into effect for an org, it turns on the “Require multi-factor authentication (MFA) for all direct UI logins to your Salesforce org” setting. Hopefully, the setting name is self-explanatory, but to be safe: The setting acts at the org level to enable MFA for all users who log in with their username and password.

The MFA org setting on the Identity Verification page in Setup.

Salesforce is applying the MFA Auto-Enablement Release Update for direct logins to all production orgs, even orgs that already satisfy the MFA requirement and those that have single sign-on (SSO) set up for Salesforce access. Why? Because the org-level MFA setting ensures that all direct logins get MFA. And it simplifies ongoing maintenance. Adding new users? Have some users who occasionally bypass SSO and log in directly? You don’t have to remember to enable MFA in these scenarios because the MFA org setting has you covered.

What to expect when MFA is auto-enabled for your org

Better security! More peace of mind! But you’d probably like some specifics, so here you go.

  • All users who log in directly with a username and password will also need to verify their identity with an MFA verification method, such as Salesforce Authenticator or a security key.
  • If a user hasn’t already set up a verification method, they’re guided through the process to register one the next time they log in. But if users aren’t quite ready for this step, there’s a 30-day grace period after auto-enablement occurs where they can skip registration and log in without MFA.
  • If you’ve assigned the Multi-Factor Authentication for User Interface Logins user permission to some users and they’re already logging in with MFA, no worries. They won’t notice any changes.
  • Also not to worry: logins to your org via SSO aren’t affected.

If you need more time to prepare for MFA, Salesforce Admins can temporarily turn off the MFA org setting after auto-enablement.

An important step before your org is auto-enabled, even if you already satisfy the MFA requirement

There are several user types and use cases that are exempt from the MFA requirement. Most are automatically excluded from MFA when an org is auto-enabled. But there are a few exempt use cases that must be manually excluded by a Salesforce Admin before the MFA org setting is applied. To see if this step applies to your org, even if you’ve already enabled MFA for your users, take a look at “Exclude Exempt Users from MFA” in Salesforce Help.

The MFA auto-enablement schedule

We’re auto-enabling MFA over the course of several releases. The first three phases occurred between the Spring ’23 and Summer ’23 releases. For orgs included in the fourth and final phase, the MFA Auto-Enablement Release Update was added to your org in Winter ’24 and it will take effect when the Spring ’24 release rolls out.

Is your org included in phase 4? To find out, keep an eye on the Release Updates node in Setup. If you see the MFA Auto-Enablement Release Update now, you know that Salesforce is auto-enabling your org in Spring ’24.

Don’t wait! Roll out MFA your way

If MFA isn’t fully implemented for your org yet, you may be inclined to wait and have Salesforce do it for you. But here are a few plusses for doing your own implementation as soon as possible.

  1. The longer you wait, the longer you’re missing out on the valuable extra protection against cyberattacks that you get with MFA.
  2. Controlling your own rollout plan and schedule ensures you can avoid the disruptions to your users and your business that could occur when Salesforce auto-enables MFA. You can turn on MFA at a time that doesn’t conflict with other important initiatives at your company. And you can make sure your users get all the preparation they need in advance of going live.

Turning on the MFA org setting takes just a few minutes. And the MFA Rollout Pack gives you a treasure trove of templates for communications, training, and user onboarding materials to prepare your users. So why wait?!

Resources

And join the conversation anytime in the MFA – Getting Started Trailblazer Community.
