Enable Multi-Factor Authentication (MFA) in Salesforce to prevent unauthorized access to your Salesforce Org and add an extra layer of security. Multi-Factor Authentication simply means that after the username/password authentication, the user will need to complete one more step before they are authenticated into the application. The idea is that even if someone somehow knows your username and password, he or she will still not be able to log in to the application.
With the rising number of cyberattacks targeting businesses, including Salesforce customers, Salesforce is making MFA mandatory. In fact, MFA is now a contractual requirement to use Salesforce products. In 2023, the company will be enabling and enforcing MFA for customers who haven’t already done so. To avoid disruptions, roll out MFA yourself as soon as possible.
For the purpose of this blog post we’ll use “Something you have”, and the “thing” that you will need to “have” is a smartphone. Follow this step-by-step guide and in less than 30 minutes from now, you will have a more secure Salesforce Org.
(This blog post was first published in April 2018. It has now been updated and republished.)
16 thoughts on “Step by Step Guide to Enable Multi-Factor Authentication in Salesforce”
Hello, I understand the importance of MFA and that it will be going into effect on Feb 1st. However, I’ve been receiving feedback from specific users who are opposed to using MFA in their org. As far as I can tell, there is no loophole to logging in around secondary verification methods, even if using SSO. Every login method, regardless of profile, will be presented with a secondary verification request. Is this accurate?
Hi David, you can set up MFA at the SSO level so you don’t need to do it in Salesforce. Using MFA in Salesforce is contractually required but whether you do it in Salesforce or at the SSO level, it doesn’t matter.
There is one exception to it. You can choose to exempt certain users from MFA requirements. Please check this blog post on that exemption – https://www.asagarwal.com/users-exempted-from-multi-factor-authentication-mfa-in-salesforce/ on what kind of users can be exempted from MFA. But please don’t use this feature to bypass MFA.
Must we enable/use MFA even if we are currently using Azure SSO?
Hi Larry, here is what I could gather from the URL https://security.salesforce.com/sso-and-mfa
MFA is required for logging into Salesforce. You can enable it either at the Salesforce level or at the SSO level.
If MFA is enabled for your SSO identity provider, you don’t need to enable Salesforce’s MFA for users who log in via SSO. But if you have admins or other privileged users who log in to your Salesforce products directly, you do need to set up Salesforce’s MFA for these users.
Hope this helps.
The article is really good. The only use case I could not follow is “when the user loses his/her mobile”: the admin will click on “disconnect” for that user, but the same slide says it will ask for “approval” on the next login. Then how will the user be accessing the app?
Is this applicable for Partner users also?
Thanks Mahima. Glad that you liked it.
When the user loses his/her mobile, they will have a new device and will need to set up the Authenticator app again. This is what I mean by saying that it will ask for “approval” as the user will need to go through the same registration process with the Authenticator App on their new device.
However, if the user temporarily does not have access to the mobile, then the admin can generate temporary verification codes.
Hope this clarifies.
That is very helpful indeed, a cookbook for all admins. Thanks Ashish.
My pleasure, Samar.
How would you envision Partners working through this feature?
Most Partners will have multiple consultants accessing Orgs with a single user.
Any thoughts on how this configuration will work?
Thanks Ryan and my apologies for replying so late. One of the ways is to exempt such users from MFA. Here is a blog post that will give you more information about it – https://www.asagarwal.com/users-exempted-from-multi-factor-authentication-mfa-in-salesforce/
But I am not sure if this will be in violation of the contractual agreement with Salesforce. So the best option will be to check with your Salesforce AE.
Is this the MFA?
Yes, this is MFA.
After slide 50 it prompted me with a dialog box saying the below, with a “back” button. I don’t think I have missed any step. Can you guide?
Problem Verifying Your Identity
To log in, you need both a higher access level and an identity verification method. Contact your administrator to gain login access.
Hi Bhaggs, I think you will need to enable MFA for the system administrator also to generate the temporary verification code. But please try this in a new developer edition org so that if something goes wrong with your setup, you will not lose anything.
This blog helps me to crack one of the challenges related to 2FA. Really informative and helpful.
Thank you Ashish.
Thanks Mukesh!