How to Set Up Multi-Factor Authentication in Salesforce
The original article was published on the Advanced Communities blog.
Protecting sensitive data is critical, and as cyber threats continue to rise, securing your Salesforce environment matters more than ever. Multi-factor authentication (MFA) is a powerful security measure that helps ensure only authorized individuals can access your organization’s resources. Salesforce has made MFA a standard, requiring its use to guard against unauthorized access and data breaches.
This article provides a comprehensive guide to understanding, implementing, and managing MFA in Salesforce for both internal and external users.
What is MFA in Salesforce?
MFA is a security control that requires users to verify their identity through more than one method during login. It combines at least two factors: something you know (such as a password) and something you have (such as an authenticator app or a security key). Because a password alone is no longer enough, a phished, reused, or leaked password does not by itself give an attacker access, which significantly reduces the risk of account takeover.
Since February 2022, Salesforce has required all customers to adopt MFA, with automatic enforcement starting in 2023. This requirement helps organizations meet security standards while protecting their data and systems, and by demanding a second verification factor it makes it considerably harder for attackers to break into your Salesforce environment.
Methods of MFA Verification in Salesforce
Salesforce offers several verification methods to suit different security needs and user preferences. Built-in authenticators use the biometric unlock already on a device, such as a fingerprint reader or facial recognition, to provide seamless and secure logins. Familiar examples include Touch ID, Face ID, and Windows Hello.
The Salesforce Authenticator mobile app is another widely used solution. It enables users to approve logins with a simple tap on their smartphone. The app sends push notifications, streamlining the authentication process while maintaining robust security.
For users who prefer hardware-based authentication, Universal Second Factor (U2F) or WebAuthn security keys are an excellent choice. These physical devices connect to a computer or mobile device (typically over USB or NFC) and allow quick, phishing-resistant verification, because the key only responds to the genuine site it was registered with. Alternatively, third-party apps that generate time-based one-time passcodes (TOTP) offer flexibility: they produce short-lived codes that users enter during login, though unlike security keys those codes can still be typed into a convincing phishing page.
Salesforce does not recommend email or SMS for MFA, because such messages can be intercepted or redirected (for example through SIM swapping). SMS-based one-time passcodes are, however, available for external users in Experience Cloud under specific configurations. That option requires an additional license and setup, and trades some security for convenience.
Enabling MFA in Salesforce
Setting up MFA across your Salesforce org is straightforward and needs little configuration. To activate MFA for internal users, open Setup, search for “Identity Verification,” and enable “Require multi-factor authentication for all direct UI logins to your Salesforce org.” From then on, users who log in with a username and password must also provide a second verification factor. Note that this setting covers only direct logins; if your users sign in through single sign-on, MFA must be enforced by your identity provider instead.
For organizations using Salesforce Experience Cloud, MFA is optional but highly recommended. External users, such as community members or customers, benefit from security measures tailored to how they access the site. Admins can create a permission set that grants MFA and assign it to the relevant users. SMS one-time passcodes can also be enabled for external users, provided the appropriate licenses and configuration are in place.
Salesforce’s Transition to Permission Set-Based Access
In addition to enforcing MFA, Salesforce is changing how user access is managed, moving from profile-based permissions to permission-set-based access. By Spring 2026, permissions on profiles will be retired. This shift simplifies user management and allows more granular control over access rights while maintaining robust security.
To adapt to this change, organizations should prioritize the use of permission sets for managing MFA and other access controls. This approach not only streamlines user management but also aligns with Salesforce’s evolving security standards.
MFA for External Users in Experience Cloud
For Experience Cloud sites, MFA is not mandatory but adds a worthwhile layer of protection. External users, such as customers or partners, can verify with methods including SMS one-time passcodes during initial registration. Once registered, they can add stronger options such as an authenticator app or a security key. When a user has more than one method registered, Salesforce uses the most secure one available for multi-step login, so the experience stays smooth without weakening protection.
To enable SMS-based MFA for external users, an organization must acquire an Identity Verification Credit Add-On license and work with Salesforce Customer Support to activate the feature. Once enabled, external users can verify their identity by SMS during login or account setup. This method is less secure than app- or key-based verification, but it offers flexibility for specific use cases.
Partnering for Success
Implementing MFA and managing Salesforce’s evolving security requirements can be challenging, but assistance is readily available. Certified Salesforce consultants can provide valuable expertise, guiding you through the process of setting up MFA, securing Experience Cloud sites, and customizing your Salesforce environment. From deploying member management solutions to enhancing community sites with third-party apps, a trusted partner can help streamline the implementation process and ensure your organization’s compliance with security best practices.
FAQs About Salesforce MFA
Understanding MFA requirements and best practices is essential for an effective rollout. To confirm that MFA is enabled for your org, go to Setup, search for “Identity Verification,” and check that MFA is required for direct UI logins. To require MFA for specific users, assign the “Multi-Factor Authentication for User Interface Logins” permission through their profile or a permission set.
Since February 2022, MFA has been mandatory for all internal Salesforce users, regardless of how they access the platform. This includes users logging in through the Salesforce interface or via partner solutions. Adopting MFA across your organization is therefore not just a security enhancement but a contractual obligation under Salesforce’s guidelines.
Conclusion
Multi-factor authentication is a vital tool for safeguarding your Salesforce environment against ever-evolving cyber threats. By leveraging robust verification methods and aligning with Salesforce’s security requirements, organizations can enhance their defenses and build trust with users.
Whether for internal teams or external communities, implementing MFA ensures a secure, compliant, and seamless user experience. For those navigating the complexities of Salesforce security, expert guidance can provide the support needed to succeed.