Get ready for MFA: It's on by default now

Get Ready for Multi-Factor Authentication: It’s On by Default Now


Editor’s note: This post was updated on June 27, 2024, with the latest information and resources.

Multi-factor authentication (MFA) is one of the easiest and most effective ways to protect user accounts against cybersecurity threats. It’s such an important safeguard that Salesforce made it a contractual requirement to use MFA when accessing Salesforce products. That requirement went into effect on February 1, 2022 and MFA was auto-enabled for existing customers between the Spring ’23 and Spring ’24 releases. And now? MFA is a default part of the direct login process when new production orgs go live. If you’re new to Salesforce, this post will help you navigate what’s involved so you and your users are prepared.

How is Salesforce enabling MFA?

When a new production org goes live, the Require multi-factor authentication (MFA) for all direct UI logins to your Salesforce org setting is automatically enabled. Hopefully, the setting name is self-explanatory, but to be safe: The setting acts at the org level to enable MFA for all users who log in with their username and password.

The MFA org setting on the Identity Verification page in Setup.

Salesforce applies this setting for all production orgs, even those that have single sign-on (SSO) set up for Salesforce access. Why? Because the org-level MFA setting ensures that all direct logins get MFA. And it simplifies ongoing maintenance. Adding new users? Have some users who occasionally bypass SSO and log in directly? You don’t have to remember to enable MFA in these scenarios because the MFA org setting has you covered.

What to expect when your production org goes live

Better security! More peace of mind! But you’d probably like some specifics, so here you go.

  • All users who log in directly with a username and password will also need to verify their identity with an MFA verification method, such as Salesforce Authenticator or a security key.
  • Users are guided through the process to register a verification method when they log in. But if users aren’t quite ready for this step, there’s a 30-day grace period after your org goes live where they can skip registration and log in without MFA.
  • Logins to your org via SSO aren’t affected.

If you need more time to prepare for MFA, Salesforce Admins can temporarily turn off the MFA org setting. But keep in mind that admins will receive in-app warnings until MFA is re-enabled.

Avoid login surprises: Prepare your users for MFA

As part of your activities to onboard users to your Salesforce org, include a little MFA training. MFA adds a few extra seconds to the login process. To head off resistance, share why MFA is a critical security measure that benefits your company and your customers. Download the free MFA Rollout Pack for customizable templates that you can use for awareness and education.

Some user types aren’t required to use MFA

There are several user types and use cases that are exempt from the MFA requirement. Most are automatically excluded from MFA when an org is auto-enabled. But there are a few exempt use cases that must be manually excluded by a Salesforce Admin. To see if this step applies to your org, take a look at Exclude Exempt Users from MFA in Salesforce Help.


And join the conversation anytime in the MFA – Getting Started Trailblazer Community.

Cloudy with a laptop standing next to text that says, "Security + AI Basics for Salesforce Admins."

Security + AI Basics for Salesforce Admins

Artificial intelligence (AI) is everywhere right now and everyone is talking about it. From having fun with generative imaging to staring in wonder at driverless cars, it seems that AI is popping up all over the place. Salesforce has made a ton of AI announcements with Sales GPT, Service GPT, Slack GPT, and beyond. As […]