Editor’s note: This post was updated on June 27, 2024, with the latest information and resources.
As an #AwesomeAdmin, part of your role is managing and maintaining user access. With multi-factor authentication (MFA) in effect for your org, it’s important to know how to resolve MFA-related access issues that users may encounter.
Access issues typically fall into these categories:
Let’s see how to get your users up and running if they encounter any of these situations.
To help with MFA-related access issues, make sure you have the “Manage Multi-Factor Authentication in User Interface” permission in addition to your Salesforce Admin permissions. This user permission lets you generate temporary verification codes, disconnect verification methods from user accounts, and monitor identity verification and verification method activities in your org.
First, issue the user a temporary verification code so they can log in and work while you sort out the rest. You can specify when the temporary code expires. And the user can log in multiple times with their code while it’s valid.
Users in the Quick Find box, then select Users.If the user simply forgot their phone or security key at home, the temporary verification code gets them through the day and that’s all you need to do.
But if a user’s verification method was lost or stolen, we also recommend the following security-related best practices.
Over time, it’s inevitable that users will swap their mobile phones and computers for the latest and greatest models. If someone was using their old device to run an authenticator app or built-in authenticator for MFA, they’ll need to switch their verification method to their new hardware. Similarly, a user may wind up replacing their physical security key with a new one. In these situations, start by disconnecting the user’s existing verification method to make room for registering its replacement.
If a user reports that their verification method has stopped working when they try to log in, reset the method by disconnecting it then have the user re-register it for MFA.
To disconnect a user’s existing authenticator app, security key, or built-in authenticator:
1. From Setup, in the Quick Find box, enter Users, then select Users.
2. Click the user’s name.
3. On the user’s detail page, scroll to the following set of fields:
(1) Disconnects a third-party authentication app, such as Google Authenticator, Microsoft Authenticator, or Authy (2) Disconnects Salesforce Authenticator (3) Disconnects a physical security key (4) Disconnects a built-in authenticator, such as Face ID, Touch ID, or Windows Hello
4. Next to the field for the user’s type of verification method, click Disconnect, Remove, or Del.
Now guide the user to register a replacement security key, re-register their existing verification method on their new phone or computer, or simply re-register a method that had stopped working. You can’t do this step for them.
It can be an emergency situation if a user isn’t able to log in. With MFA in the equation, you can remove the urgency from access recovery situations by having your users register at least two verification methods. This way they have a backup available if they lose or forget their primary method. With Salesforce, users can register one method in each of the supported categories, meaning they can set up Salesforce Authenticator, a third-party one-time password authenticator app, a physical security key, and a built-in authenticator.
And don’t forget about yourself! Create an access recovery plan for Salesforce Admins–especially if you’re a solo admin. Consider these best practices:
And join the conversation anytime in the MFA – Getting Started Trailblazer Community Group.
Editor’s note: Effective April 8, 2024, MFA is a default part of the login process for new Salesforce production orgs. If you’re a new Salesforce customer, this blog post provides tips to help ensure your users are ready for MFA when your org goes live. This post was updated on June 27, 2024, with the […]
Editor’s note: This post was updated on June 27, 2024, with the latest information and resources. Multi-factor authentication (MFA) is one of the easiest and most effective ways to protect user accounts against cybersecurity threats. It’s such an important safeguard that Salesforce made it a contractual requirement to use MFA when accessing Salesforce products. That […]
Winter ’25 is almost here! Learn more about user management and check out Be Release Ready to discover more resources to help you prepare for Winter ’25. We’re continuing to innovate in Setup starting with user access and user management. We have several exciting enhancements in store for Winter ’25–many thanks to your feedback and […]
