Salesforce made Multi-Factor Authentication (MFA) mandatory for all Salesforce product users in February 2022 – and as of 2026, it is enforced at the platform level for all direct Salesforce logins. MFA adds a second verification step beyond the username and password, protecting Salesforce accounts against credential theft, phishing, and brute-force attacks that have compromised enterprise CRM systems in multiple high-profile incidents. This guide covers how to enable and enforce MFA in Salesforce, which MFA methods are supported, how SSO affects the MFA requirement, and how to handle common exceptions.
Enforcing MFA is therefore a security task with direct operational impact. Salesforce multi-factor authentication matters because it adds another layer of protection to user accounts; for admins, the job is not just enabling MFA but making sure the policy is enforced in a way the team can live with.
Why MFA Is Now Mandatory in Salesforce
Credential-based account takeovers – where attackers use stolen username and password combinations from data breaches to access accounts – are among the most common enterprise security incidents. According to Verizon’s Data Breach Investigations Report, over 80% of hacking-related breaches involve compromised credentials. MFA blocks these attacks: even if an attacker has the correct username and password, they cannot complete login without the second factor – the authenticator app on the user’s phone or a hardware security key.
Salesforce’s MFA mandate applies to all direct Salesforce logins (Salesforce.com, Experience Cloud, Pardot, and other Salesforce products accessed with Salesforce credentials). Organisations using SSO (Single Sign-On) satisfy the MFA requirement by enforcing MFA at their identity provider (Okta, Azure AD, etc.) – the enforcement happens at the IdP layer rather than directly in Salesforce.
MFA Methods Supported by Salesforce
Salesforce supports the following MFA verification methods:
Salesforce Authenticator App (Recommended)
Salesforce’s own mobile authenticator app (iOS and Android) provides push notification-based authentication. After entering their username and password, the user receives a push notification on their phone and taps “Approve” to complete login. Salesforce Authenticator also supports a “trusted locations” feature – when logging in from a trusted network like the office, it can automatically approve the login without requiring the user to interact with the app. This reduces MFA friction for office-based users while maintaining protection for remote access.
TOTP Authenticator Apps
Time-based One-Time Password (TOTP) apps generate a 6-digit code that changes every 30 seconds. Salesforce supports any standards-compliant TOTP app: Google Authenticator, Microsoft Authenticator, Authy, 1Password, and others. After entering username and password, the user opens their TOTP app, reads the current 6-digit code, and enters it in Salesforce. TOTP works well for users who prefer not to use the Salesforce Authenticator app specifically.
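To make the TOTP flow concrete, here is an added example (written for this guide, not Salesforce's own code) of an RFC 6238 generator and verifier using the parameters described above: a 6-digit code over a 30-second step with HMAC-SHA1, the RFC default. The secret is the RFC 6238 test key rather than a real enrolment secret, and the one-step tolerance window is the verifier-side design choice a practitioner would want for clock skew.

```python
"""Added example (not Salesforce's code): an RFC 6238 TOTP generator and
verifier with the defaults the guide describes (6 digits, 30-second step,
HMAC-SHA1). The secret used in the demo is the RFC 6238 test key, not a real
enrolment secret."""
import base64
import hashlib
import hmac
import struct
import time

DIGITS = 6          # code length the guide describes
STEP_SECONDS = 30   # time step the guide describes

# RFC 6238 Appendix B test key "12345678901234567890", base32-encoded (constructed demo value)
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp_code(secret_b32: str, timestamp: float, digits: int = DIGITS, step: int = STEP_SECONDS) -> str:
    """Return the TOTP code for a base32 secret at the given Unix time.

    counter = floor(time / step); code = DynamicTruncate(HMAC-SHA1(key, counter)) mod 10^digits
    (RFC 4226 section 5.3, RFC 6238 section 4)."""
    key = base64.b32decode(secret_b32.replace(" ", ""), casefold=True)
    counter = int(timestamp) // step
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, submitted: str, timestamp: float, window: int = 1) -> bool:
    """Accept the code for the current step or up to `window` adjacent steps
    either side, to tolerate clock skew between the phone and the server.

    Uses a constant-time comparison so the verifier does not leak how many
    leading digits matched."""
    if not (submitted.isdigit() and len(submitted) == DIGITS):
        return False
    for drift in range(-window, window + 1):
        candidate = totp_code(secret_b32, timestamp + drift * STEP_SECONDS)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


if __name__ == "__main__":
    now = time.time()
    code = totp_code(DEMO_SECRET_B32, now)
    print(f"current code: {code}, valid for {STEP_SECONDS - int(now) % STEP_SECONDS}s more")
    print("verifies:", verify_totp(DEMO_SECRET_B32, code, now))
```

A production verifier would additionally remember the last accepted counter per user and refuse a code from that step or earlier (RFC 6238 section 5.2), so that a code captured in transit cannot be replayed inside the same 30-second window.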
Hardware Security Keys (U2F / FIDO2)
Physical hardware security keys (YubiKey, Google Titan Key) are the strongest MFA method – they cannot be phished by a lookalike site, because the credential and its cryptographic response are bound to the origin of the site the key was registered with. After entering credentials, the user inserts and taps their security key. Hardware keys are the right choice for high-privilege users (Salesforce administrators, executives) where the strongest protection is warranted.
Built-In Authenticators (Touch ID / Face ID)
Salesforce supports FIDO2 WebAuthn authenticators, including built-in device authenticators like Touch ID and Face ID on macOS and iOS devices. Users who enable this method authenticate with biometrics on their computer or phone – a balance of strong security and minimal friction.
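The two sections above (hardware keys and built-in authenticators) rest on the same WebAuthn property: the browser records the real origin in clientDataJSON and the authenticator hashes the real relying-party ID into authenticatorData, so a response produced on a lookalike domain fails verification at the genuine site. The following is an added example of those relying-party checks, written for this guide and not taken from Salesforce; the relying-party ID, origin, challenge and messages are constructed, and the final signature verification step is described but not implemented.

```python
"""Added example (not Salesforce's code): the relying-party checks that make a
FIDO2/WebAuthn assertion origin-bound, which is why a lookalike site cannot
reuse a hardware key or Touch ID response. The relying-party ID, origin and
messages below are constructed for the demo; the signature check that follows
these steps in a full verifier is described but not implemented here."""
import base64
import binascii
import hashlib
import json

RP_ID = "login.example.com"                    # constructed relying-party ID
EXPECTED_ORIGIN = "https://login.example.com"  # constructed origin the key was registered on
FLAG_USER_PRESENT = 0x01                       # authenticatorData flags bit 0 (UP)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_data(challenge: bytes, origin: str) -> bytes:
    """The clientDataJSON a browser builds for an authentication ceremony. The
    browser, not the page's script, fills in `origin`, so a phishing page
    cannot claim to be the genuine site."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url_encode(challenge), "origin": origin}).encode()


def make_authenticator_data(rp_id: str, sign_count: int = 0, user_present: bool = True) -> bytes:
    """Minimal authenticatorData: rpIdHash (32) | flags (1) | signCount (4).
    The authenticator hashes the rpId the browser derives from the page's
    real domain, so a credential is scoped to that domain."""
    flags = FLAG_USER_PRESENT if user_present else 0
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")


def check_assertion_binding(client_data_json: bytes, authenticator_data: bytes, expected_challenge: bytes,
                            rp_id: str = RP_ID, expected_origin: str = EXPECTED_ORIGIN) -> tuple[bool, str]:
    """WebAuthn assertion verification steps for type, challenge, origin,
    rpIdHash and user presence. Returns (ok, reason)."""
    try:
        client = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if client.get("type") != "webauthn.get":
        return False, "not an authentication ceremony"
    try:
        challenge = b64url_decode(client.get("challenge", ""))
    except (binascii.Error, ValueError, TypeError):
        return False, "challenge is not base64url"
    if challenge != expected_challenge:
        return False, "challenge mismatch (replayed or foreign session)"
    if client.get("origin") != expected_origin:
        return False, f"origin mismatch: {client.get('origin')!r}"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    if authenticator_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch: credential scoped to a different domain"
    if not authenticator_data[32] & FLAG_USER_PRESENT:
        return False, "user-presence flag not set"
    return True, "bound to expected origin; next verify the signature over authenticatorData || SHA-256(clientDataJSON)"


def demo() -> dict:
    """A genuine login next to the same user tricked onto a lookalike domain."""
    challenge = hashlib.sha256(b"constructed per-login challenge").digest()
    genuine = check_assertion_binding(make_client_data(challenge, EXPECTED_ORIGIN),
                                      make_authenticator_data(RP_ID), challenge)
    # On the lookalike site the browser records that site's origin and the
    # authenticator hashes that site's rpId, so both binding checks fail.
    phished = check_assertion_binding(make_client_data(challenge, "https://login-example.net"),
                                      make_authenticator_data("login-example.net"), challenge)
    return {"genuine": genuine, "phished": phished}


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name}: {'OK' if ok else 'REJECTED'} - {reason}")
```

The full verifier then checks the authenticator's signature over authenticatorData concatenated with SHA-256(clientDataJSON) using the public key stored at registration; because clientDataJSON carries the origin, a valid signature from a lookalike domain can never verify against the genuine origin even if the attacker relays it in real time, which is the property that TOTP and push approval do not have.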
Enabling MFA for Salesforce Users
As of 2023, Salesforce auto-enabled the MFA requirement at the platform level for most orgs. For orgs that have not yet enforced it:
Option 1: Enable MFA Through User Permission
- Go to Setup → Identity → Multi-Factor Authentication for User Interface Logins
- Review the MFA status (Auto-Enabled is the default for orgs created after 2022)
- For orgs that opted out of auto-enablement: enable MFA by turning on the Multi-Factor Authentication for User Interface Logins setting
Option 2: Enforce via Profile Permission
MFA can be enforced at the profile level using the Multi-Factor Authentication for User Interface Logins system permission on each profile:
- Setup → Users → Profiles
- Edit each profile
- Find Multi-Factor Authentication for User Interface Logins in the System Permissions section and check it
- Save – all users with this profile are required to register an MFA method at their next login
User MFA Registration
When a user attempts to log in to a Salesforce org with MFA enforced and has not yet registered an MFA method:
- Salesforce prompts them to register a verification method
- The user selects their preferred method (Salesforce Authenticator is presented first as the recommended option)
- They follow the registration flow for their chosen method
- After registration, they complete the current login with the new MFA method
- On subsequent logins, the registered method is remembered and the user is prompted for MFA on each login, unless a trusted-device period has been configured
MFA and SSO: How They Interact
For organisations using Single Sign-On (SSO) with an identity provider (Okta, Azure AD, Ping Identity, Google Workspace):
- Users authenticate at the IdP, not directly at Salesforce
- The MFA requirement is satisfied at the IdP level – if the IdP enforces MFA (e.g., Okta MFA, Azure AD Conditional Access with MFA), Salesforce’s MFA requirement is met
- Salesforce admins must verify that their IdP’s MFA is configured and enforced for the Salesforce application – do not assume IdP MFA is active without confirming it in the IdP configuration
- SSO users who bypass the IdP and try to log in directly to Salesforce with Salesforce credentials are still subject to Salesforce’s MFA requirement – SSO organisations should typically disable Salesforce-password login for SSO users to prevent this bypass
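The last point above is something an admin can verify rather than assume. Here is an added example (written for this guide, not Salesforce's code) of detection logic that runs over rows shaped like a LoginHistory export and flags successful direct username/password logins by users who are supposed to arrive through the IdP. The user IDs and IP addresses are constructed, and the LoginType and Status labels are assumptions about the picklist values in a given org that should be checked in Setup before the check is relied on.

```python
"""Added example (not Salesforce's code): detection logic for the SSO bypass
described in the guide, run over constructed rows shaped like a LoginHistory
export. UserId values and IP addresses are constructed; the LoginType and
Status labels are assumptions about your org's picklist values and should be
checked before use."""
from dataclasses import dataclass

# Assumed LoginType values for logins that came through the IdP via SAML.
SSO_LOGIN_TYPES = {"SAML Sfdc Initiated SSO", "SAML Idp Initiated SSO"}
# Assumed LoginType value for a direct username/password login to the Salesforce UI.
DIRECT_UI_LOGIN_TYPE = "Application"

# Constructed: users whose profile is meant to authenticate only through SSO.
SSO_ONLY_USERS = {"005xx0000000001", "005xx0000000002"}

# Constructed rows. In a real org they would come from a SOQL query such as:
#   SELECT UserId, LoginTime, LoginType, Status, SourceIp FROM LoginHistory WHERE LoginTime = LAST_N_DAYS:30
SAMPLE_LOGIN_HISTORY = [
    {"UserId": "005xx0000000001", "LoginTime": "2024-05-01T08:01:00Z", "LoginType": "SAML Sfdc Initiated SSO", "Status": "Success", "SourceIp": "203.0.113.10"},
    {"UserId": "005xx0000000002", "LoginTime": "2024-05-01T08:05:00Z", "LoginType": "Application", "Status": "Success", "SourceIp": "198.51.100.7"},
    {"UserId": "005xx0000000002", "LoginTime": "2024-05-01T08:04:00Z", "LoginType": "Application", "Status": "Invalid Password", "SourceIp": "198.51.100.7"},
    {"UserId": "005xx0000000003", "LoginTime": "2024-05-01T09:00:00Z", "LoginType": "Application", "Status": "Success", "SourceIp": "203.0.113.10"},
    {"UserId": "005xx0000000001", "LoginTime": "2024-05-01T09:30:00Z", "LoginType": "Remote Access 2.0", "Status": "Success", "SourceIp": "203.0.113.10"},
]


@dataclass(frozen=True)
class Finding:
    user_id: str
    login_time: str
    source_ip: str
    status: str


def classify_login(row: dict) -> str:
    """Bucket a row as an SSO login, a direct UI login, or something else
    (OAuth, API and similar flows sit outside the UI-login scope of the MFA rule)."""
    if row["LoginType"] in SSO_LOGIN_TYPES:
        return "sso"
    if row["LoginType"] == DIRECT_UI_LOGIN_TYPE:
        return "direct-ui"
    return "other"


def find_direct_logins_by_sso_users(rows, sso_only_users, include_failed: bool = False):
    """Return direct UI logins made by users who should only arrive via the IdP.

    Successful logins are the bypass itself; failed attempts are reported only
    when include_failed is set, since they show the bypass being tried and
    point at accounts whose Salesforce password is still usable."""
    findings = []
    for row in rows:
        if row["UserId"] not in sso_only_users or classify_login(row) != "direct-ui":
            continue
        if row["Status"] != "Success" and not include_failed:
            continue
        findings.append(Finding(row["UserId"], row["LoginTime"], row["SourceIp"], row["Status"]))
    return sorted(findings, key=lambda f: f.login_time)


if __name__ == "__main__":
    for f in find_direct_logins_by_sso_users(SAMPLE_LOGIN_HISTORY, SSO_ONLY_USERS, include_failed=True):
        print(f"{f.login_time} {f.user_id} from {f.source_ip}: {f.status}")
```

Any finding with Status "Success" means the IdP, and therefore the IdP's MFA policy, was not in the path for that session; the fix is the one the guide gives, which is to remove Salesforce-password login from the SSO users' profiles, after which the same query should only ever show failed attempts.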
Exemptions and Edge Cases
- API users: the MFA requirement applies to user interface logins, not to API-only access (Connected App OAuth tokens). Dedicated integration users who only access Salesforce via API do not require MFA on their account.
- Guest Users: Experience Cloud Guest User profiles (unauthenticated portal visitors) are exempt from MFA
- Named credentials and integration users: service accounts used for server-to-server integrations via Named Credentials are exempt if they do not have user interface login access
Managing Lost MFA Devices
When a user loses their phone or cannot access their registered MFA method – new phone, broken phone, deleted authenticator app – a Salesforce admin can reset the user’s MFA registration:
- Setup → Users → Users
- Find the user and click their name
- In the User Detail section, click Disconnect next to the registered verification method, or use Reset Authentication
- The user will be prompted to register a new MFA method at their next login
Organisations with frequent MFA resets should consider an MFA self-service recovery flow (available through Okta, Azure AD, or identity verification questions as secondary recovery options).
Is Salesforce easy to learn for beginners?
Salesforce has a learning curve, but its official free training platform Salesforce Trailhead provides structured paths from beginner to advanced. Most users handle day-to-day tasks within 2-4 weeks. Admin and developer skills take 3-6 months to develop proficiently.
What are the biggest Salesforce mistakes to avoid?
The most common mistakes are over-customizing before you understand your process, skipping user training, importing dirty data without cleansing it first, and not establishing naming conventions. Avoid those four and your implementation will be far more successful.
How often does Salesforce release new features?
Salesforce releases major updates three times per year in Spring, Summer, and Winter releases. Features are previewed in sandbox environments 4-6 weeks before each release so admins can test before go-live.
Does Salesforce offer customer support?
Yes. Support is available via chat, email, and phone depending on your plan tier. Enterprise plans include dedicated customer success managers. The Salesforce Trailblazer Community also provides extensive peer and official support.
Can Salesforce integrate with other business tools?
Yes. Salesforce AppExchange offers 7,000+ apps. Common integrations include Slack, DocuSign, Zoom, and ERP systems via MuleSoft.
The best MFA rollout is the one that improves security without creating avoidable friction. If the process is confusing, people will find ways around it.
Common Problems and Fixes
Problem: Getting Your Team to Consistently Use Salesforce
Adoption gaps occur when teams revert to old habits after initial training. Fix: Identify the 2-3 daily workflows where Salesforce adds the most value for your specific role. Focus training on those workflows first. Use Salesforce in-app guidance to provide contextual help at the moment of need, rather than relying solely on one-time classroom sessions.
Problem: CRM Data Quality Degrading Over Time
CRM data decays at approximately 30% per year as contacts change roles and companies. Fix: Schedule a quarterly data quality audit. Use Salesforce deduplication tools to merge duplicate records. Establish data entry standards enforced through validation rules. Consider a data enrichment tool like Clearbit or ZoomInfo to update stale records automatically.
Problem: Salesforce Reports Not Matching Actual Business Results
Reports are only as accurate as the data entered. Discrepancies between CRM reports and actual revenue point to data entry gaps. Fix: Audit closed-won records against actual invoices monthly. Make CRM data the source of truth for commission calculations so reps have a direct incentive to enter accurate data.
