Get Ready for MFA: Tips to Help Users Recover Access

Get Ready for Multi-Factor Authentication: Tips to Help Users Recover Access

By

As an #AwesomeAdmin, part of your role is managing and maintaining user access. So when multi-factor authentication (MFA) goes into effect for your org–whether you’re turning it on yourself or waiting for Salesforce to auto-enable it for you–it’s important to know how to resolve MFA-related access issues that users may encounter.

Access issues typically fall into these categories:

  • A user forgets or loses their MFA verification method.
  • A user gets a new verification method and needs to disconnect their old one.
  • The connection between a user’s registered verification method and their Salesforce account stops working.

Let’s see how to get your users up and running if they encounter any of these situations.

Empower yourself with the right permission

To help with MFA-related access issues, make sure you have the “Manage Multi-Factor Authentication in User Interface” permission in addition to your Salesforce Admin permissions. This user permission lets you generate temporary verification codes, disconnect verification methods from user accounts, and monitor identity verification and verification method activities in your org.

If a user forgets or loses their verification method

First, issue the user a temporary verification code so they can log in and work while you sort out the rest. You can specify when the temporary code expires. And the user can log in multiple times with their code while it’s valid.

  1. From Setup, enter Users in the Quick Find box, then select Users.
  2. Click the name of the user who needs the temporary code.
  3. Search the page for the Temporary Verification Code field, then click Generate.
  4. Set an expiration time between 1 and 24 hours, then click Generate Code.
  5. Give the code to your user and click Done.

If the user simply forgot their phone or security key at home, the temporary verification code gets them through the day and that’s all you need to do.

But if a user’s verification method was lost or stolen, we also recommend the following security-related best practices.

If a user needs to replace a verification method or their method has stopped working

Over time, it’s inevitable that users will swap their mobile phones and computers for the latest and greatest models. If someone was using their old device to run an authenticator app or built-in authenticator for MFA, they’ll need to switch their verification method to their new hardware. Similarly, a user may wind up replacing their physical security key with a new one. In these situations, start by disconnecting the user’s existing verification method to make room for registering its replacement.

If a user reports that their verification method has stopped working when they try to log in, reset the method by disconnecting it then have the user re-register it for MFA.

To disconnect a user’s existing authenticator app, security key, or built-in authenticator:

1. From Setup, in the Quick Find box, enter Users, then select Users.

2. Click the user’s name.

3. On the user’s detail page, scroll to the following set of fields:

Screenshot of a user record, highlighting the fields for disconnecting MFA verification methods

(1) Disconnects a third-party authentication app, such as Google Authenticator, Microsoft Authenticator, or Authy (2) Disconnects Salesforce Authenticator (3) Disconnects a physical security key (4) Disconnects a built-in authenticator, such as Face ID, Touch ID, or Windows Hello

4. Next to the field for the user’s type of verification method, click Disconnect, Remove, or Del.

Now guide the user to register a replacement security key, re-register their existing verification method on their new phone or computer, or simply re-register a method that had stopped working. You can’t do this step for them.

  • If you disconnected the user’s only registered verification method, they’re prompted to re-register the next time they log in. They can simply follow the on-screen prompts.
  • If a user is currently logged in, or has an additional MFA verification method available for logging in, they can do the registration step from their personal settings. Share the steps that are documented in Register Verification Methods for Multi-Factor Authentication in Salesforce Help.

Reduce the admin burden: redundancy is your friend

It can be an emergency situation if a user isn’t able to log in. With MFA in the equation, you can remove the urgency from access recovery situations by having your users register at least two verification methods. This way they have a backup available if they lose or forget their primary method. With Salesforce, users can register one method in each of the supported categories, meaning they can set up Salesforce Authenticator, a third-party one-time password authenticator app, a physical security key, and a built-in authenticator.

And don’t forget about yourself! Create an access recovery plan for Salesforce Admins–especially if you’re a solo admin. Consider these best practices:

  • Each admin should register a minimum of two verification methods.
  • Keep a backup security key in a secure place.
  • Ensure there’s at least one other admin or trusted user who has permission to manage users and MFA settings (including the “Manage Multi-Factor Authentication in User Interface” user permission). This way, if you get locked out, the other user can restore your access.

Resources

And join the conversation anytime in the MFA – Getting Started Trailblazer Community Group.

Cloudy with a laptop standing next to text that says, "Security + AI Basics for Salesforce Admins."

Security + AI Basics for Salesforce Admins

Artificial intelligence (AI) is everywhere right now and everyone is talking about it. From having fun with generative imaging to staring in wonder at driverless cars, it seems that AI is popping up all over the place. Salesforce has made a ton of AI announcements with Sales GPT, Service GPT, Slack GPT, and beyond. As […]

READ MORE
Astro with a clipboard under text that says "Get Ready for MFA: Prepare Your End-Users"

Get Ready for Multi-Factor Authentication: Prepare Your End-Users

With multi-factor authentication (MFA) auto-enablement for Salesforce orgs on the horizon, you might be wondering how to prepare your users for this change. We’ve got you covered! Busy people aren’t always receptive to change. To hit the right notes with your Salesforce users, share why MFA is a critical security measure and help everyone quickly […]

READ MORE
Blaze and Astro standing on a field holding a security shield.

Get Ready for Multi-Factor Authentication: Plan for Auto-Enablement

Editor’s note: This post was updated on November 6, 2023, with the latest information and resources. Multi-factor authentication (MFA) is one of the easiest and most effective ways to protect user accounts against cybersecurity threats. It’s such an important safeguard that Salesforce made it a contractual requirement to use MFA when accessing Salesforce products. That […]

READ MORE