
Architecture of Salesforce MFA: What You Need to Know

Multi-Factor Authentication (MFA) isn’t optional anymore; it’s a requirement. Whether you're using direct login or Single Sign-On (SSO), Salesforce contractually requires MFA across all editions.



What Is MFA?

MFA (Multi-Factor Authentication) is a secure authentication method that requires a second piece of evidence (or factor) in addition to a password. It drastically reduces the risk of unauthorized access, protecting users from security threats like:

  • Phishing.

  • Credential stuffing.

  • Account takeovers.


Key Points:

  • MFA is free and available in all Salesforce editions.

  • It’s mandatory. Salesforce enforces it by contract.

  • It applies to both direct logins and SSO.



Why it matters

Beyond compliance, MFA helps in real business terms:

  • Data Protection: Makes it harder to compromise user credentials.

  • Customer Security: Helps reduce risk to customers and supports your security posture.

  • Security Best Practices: Aligned with common industry practices.

  • Corporate Responsibility: Supports your duty to protect customer and business data.

  • Business Value: Prevents costly breaches and builds customer trust.

  • Regulatory Requirements: Supports legal, compliance, and evolving regulatory obligations.



Who needs what?

Internal users: MFA is contractually required (in effect since Feb 1, 2022).

External users (Experience Cloud): Not required by contract; you may enable it.

Single Sign-On (SSO): Enforce MFA at your IdP, or turn on Salesforce MFA for SSO logins.

API / integrations: It’s not contractually required, but you can require it.



How it works

MFA ensures a user’s identity by requiring multiple “factors” during the login process.

For example, we can have a login with the following factors:

  • The first factor is something the user knows or is, such as their username and password, or facial recognition.

  • The user is then prompted for a second factor that is something they have: an identity verification method such as an authenticator app or a security key.



Supported MFA Methods in Salesforce

Salesforce supports several types of identity verification methods. You can prioritize the use of Salesforce Authenticator by placing it on the first screen, or display all available verification methods. If multiple methods are enabled, users can choose their preferred one.


Accepted MFA Methods

The Salesforce Authenticator App

  • Free and mobile-based.

  • Automatically integrates into the Salesforce login process with push notifications.

  • Also generates time-based one-time passcodes (TOTP), allowing users to authenticate even without a data connection.


External Authenticator Apps

  • Third-party TOTP apps (such as Google Authenticator) work offline and don’t require internet access.

  • Salesforce recommends its own app: if an attacker compromises the user’s computer, the second factor held on the phone isn’t compromised.



Built-in Authenticator

  • Also called platform authenticators, these are built into a device’s operating system (e.g., Windows Hello, Face ID).

  • Use biometrics or PINs already configured on the device.

  • Streamline MFA by avoiding extra apps or hardware.

  • USB/NFC WebAuthn (FIDO2)/U2F keys are supported (device/browser permitting).

  • Not supported on Experience Cloud sites, via API logins, or for Salesforce mobile-app logins.


Physical Security Keys

  • Devices like YubiKey or Titan Security Key.

  • A strong option for users without mobile devices, or where phones are not allowed.

  • Require a supported browser to mediate authentication between the device and Salesforce.

  • Not considered biometric, even if they include a button that must be touched to activate.

  • Once activated, the key generates credentials that the browser sends to Salesforce.

  • Can be reused across multiple service providers and Salesforce orgs.


Restricted Methods

For internal users, email/SMS/voice codes don’t satisfy the MFA requirement. Authenticator app TOTPs, security keys, and built-in/platform authenticators do.


External Users Exception

External users can use SMS-based one-time passcodes if the org has the Identity Verification Credits Add-On License.



Delegate MFA Management

You can delegate support for your org’s MFA implementation to trusted users and admins by assigning them the Manage Multi-Factor Authentication in User Interface permission.

This permission lets those users:

  • Generate temporary verification codes.

  • Disconnect verification methods.

  • View user identity verification activity.

  • Access the Identity Verification Methods Report.

  • Create user list views that show which identity verification methods users have registered.



Resolve MFA Issues

Use the following steps to troubleshoot and resolve common MFA-related issues.


User forgot their Verification Method

  • Issue a temporary verification code.

  • Expire the temporary verification code once it’s no longer needed.


User’s Verification Method is lost or stolen

  • Remove the user’s current session.

  • Disconnect the lost or stolen verification method.

  • Issue a temporary verification code.

  • Audit the user’s account for unexpected activity.

  • Assist the user with acquiring a replacement device.

  • Expire the temporary verification code once it’s no longer needed.


User’s verification method isn’t working or has been replaced

  • Issue a temporary verification code.

  • Disconnect the existing verification method.

  • Help the user re-register their verification method or set up a new one.

  • Expire the temporary verification code once it’s no longer needed.



Monitor MFA in Salesforce

Keeping track of MFA adoption and usage is essential. Here’s how you can monitor it.


Lightning Usage App

  • See how many users are logging in and how they're authenticating.

  • Covers both MFA and SSO logins.


MFA List View

  • Build custom views to see which users have registered MFA methods.


Identity Verification Methods Report

  • Monitor and audit verification attempts over the past six months.


MFA Dashboard App (by Salesforce Labs)

  • Free, pre-built dashboards and reports.

  • View who registered MFA, generated temporary codes, or revoked any registered verification methods.

  • Audit MFA activities and track adoption progress.
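One way to turn the Restricted Methods rule and the monitoring items above into a follow-up check over an export of the MFA list view and temp-code activity. This is an added example, not Salesforce's or the page's code: the user records, field names and method labels are constructed for illustration and do not mirror the real object schema.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Methods that satisfy the requirement for internal users (see Restricted Methods).
STRONG = {"SalesforceAuthenticator", "Totp", "SecurityKey", "BuiltInAuthenticator"}
RESTRICTED = {"Sms", "Email", "Voice"}   # never sufficient for internal users


@dataclass
class UserMfaState:
    username: str
    is_external: bool                              # Experience Cloud user?
    methods: set = field(default_factory=set)      # currently registered methods
    temp_code_issued: Optional[datetime] = None    # when a temp code was last issued
    temp_code_expired: bool = True                 # admins should expire codes after use


def audit(users, now, temp_code_max_age=timedelta(days=1)):
    """Return {username: [issues]} for accounts an admin should follow up on."""
    findings = {}
    for u in users:
        issues = []
        if not u.is_external and not (u.methods & STRONG):
            issues.append("no-strong-method" if u.methods else "unregistered")
        if u.is_external and (u.methods & RESTRICTED) and not (u.methods & STRONG):
            issues.append("external-sms-only")   # permitted with the add-on, but worth tracking
        if (u.temp_code_issued and not u.temp_code_expired
                and now - u.temp_code_issued > temp_code_max_age):
            issues.append("stale-temp-code")     # a temp code left active after the fix
        if issues:
            findings[u.username] = issues
    return findings


# Constructed sample data (not real users).
NOW = datetime(2024, 6, 1, 12, 0)
SAMPLE = [
    UserMfaState("alice@example.com", False, {"SalesforceAuthenticator"}),
    UserMfaState("bob@example.com", False, {"Sms"}),
    UserMfaState("carol@example.com", False, set(),
                 temp_code_issued=NOW - timedelta(days=3), temp_code_expired=False),
    UserMfaState("dave@example.com", False, {"Totp"},
                 temp_code_issued=NOW - timedelta(hours=2), temp_code_expired=False),
    UserMfaState("partner@example.com", True, {"Sms"}),
]

if __name__ == "__main__":
    for user, issues in audit(SAMPLE, NOW).items():
        print(user, issues)
```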



Lightning Login

Consider enhancing the MFA user experience by enabling Lightning Login.


What is Lightning Login?

Lightning Login is a convenient and secure password-free method that lets users access their Salesforce accounts quickly and safely.

Lightning Login satisfies the contractual MFA requirement by using two distinct factors:

  • Salesforce Authenticator (something a user has).

  • A PIN or biometric scan on their mobile device (something a user knows/is).

This combination ensures compliance with MFA policies while improving the overall login experience.



TL;DR

MFA is mandatory, free, supports multiple secure methods, and helps protect against phishing, credential theft, and account compromise. Knowing where and how to enforce it is key to a secure Salesforce architecture.


In other words: MFA is important. Don’t sleep on it!




© 2024 DESHIVE
