December 7, 2021

Get Ready for Multi Factor Authentication (MFA)

EMPAUA Salesforce Partner

According to Salesforce, MFA is going to take effect on February 1, 2022. It will be required for all single-sign-on SSO logins and logins through the user interface, and you can turn it on directly in your Salesforce products or use your SSO provider’s MFA service.

You can find a list of products supported here

Salesforce has a nice MFA assistant available in the setup and step-by-step instructions on your mobile device when you activate MFA. 

1. Create Permission Set

Create a permission set for MFA (with an API name if possible, and if you like your developers) and search in the permission set settings in search box field multifactor and choose Authentication for User Interface Logins permission from the lookup preview window of the search box.

There are multiple MFA related permissions, but the one we are looking for is the User Interface Logins one.

2. Assign Users

Like a regular permission set assignment, assign it to the users who will require MFA to login through UI.

After you enable MFA, users will get a screen prompt when they try to log in after the first time. You can select a verification method and with Salesforce Authenticator you can set up trusted locations to automatically approve your login requests (if you have location services enabled). 

For Salesforce Authenticator, you can enter the two-word phrase that the app generates to add it as a verification method. To add an account, open the Salesforce Authenticator app in your mobile device. Add an Account to generate the two-word phrase keywords.

When a user logs in, they get a push notification on their mobile device. The user taps the notification to open Salesforce Authenticator and sees the following information: 

  • The action that needs to be approved
  • Which user is requesting the action 
  • Which service is requesting the action 
  • What device the user is using 
  • The location from which the request is coming 

You cannot use SMS (Text), phone call and email as alternative verification methods for MFA. As alternatives, you can also use Third-Party authenticator apps and devices (Google Authenticator etc.) and security keys (Google’s Titan Security Key etc.)

MFA Requirements for User Types

MFA Requirements for Login Types and Authentication Methods

MFA Requirements for Types of Orgs and Tenants

List of Products Excluded from MFA

 Salesforce doesn't require MFA for the following on-premises products:

  • MuleSoft Anypoint Platform On-Premises Edition.
  • On-Premises Tableau Server and Tableau Public. In addition, Tableau Desktop, Tableau Prep, Tableau Content Migration Tool (CMT), and Tableau Resource Monitoring Tool (RMT) are excluded, unless connected to Tableau Online.

Why is MFA important?

Cybersecurity is becoming significant every day and there are many threats that can affect users. It’s critical to protect your business and customers according to the industry standards. MFA creates an extra layer of protection against threats like phishing attacks, credential stuffing and account takeovers. MFA is one of the easiest and effective ways to secure your accounts for free.

The reason why it’s called two factor is there is one layer which is the login credentials and the other factor is the verification methods that user has whether it’s by an app or a physical security key. 

One tip for admins that might come in handy is that you can also create reports and dashboards to monitor MFA usage across your org. 

Lightning Login

You can also use Lightning Login to satisfy the MFA requirement. This feature offers password-free access to Salesforce accounts. Lightning Login meets the MFA standard by requiring two authentication factors: Salesforce Authenticator (something a user has) and a PIN or biometric scan on their mobile device (something the user is).

Enable MFA with Session Security Levels

You can also enable MFA using a security level, either standard or high assurance, assigned to a login method in your Salesforce session settings.

Example Scenario:

You configured Facebook and LinkedIn as authentication providers in your site. Many of your site members use social sign-on to log in using the username and password from their Facebook or LinkedIn accounts. You want to increase security by requiring customers to use MFA when they log in with their Facebook account. You want users who log in with their LinkedIn account to be automatically granted high assurance access and bypass MFA.

In the Customer Community User profile, set the session security level required at login to High Assurance. In your session settings, edit the session security levels.

Because you’re requiring MFA with Facebook accounts, make sure that Facebook is in the Standard column. Add Multi-Factor Authentication to the High Assurance column. When users log in with their Facebook account, they’re required to provide a verification method in addition to their username and password. Add LinkedIn to the High Assurance column. When users log in with their LinkedIn account, they’re granted High Assurance access without needing to provide a verification method.

From what I have found, the scratch orgs are not supported, although enabling MFA on DevHubs could be necessary.

There might be additional configuration requirements if you are already using MFA from your SSO provider. There should be additional considerations for API users and some issues reported with using MFA with Salesforce plugin for outlook Be sure to check out the trailblazer community for more updates on this. 

Need more support? 

Usernames and passwords alone don’t provide sufficient safeguards against unauthorized account access like phishing attacks, credential stuffing and account takeovers.

MFA = One factor is something users know. For Salesforce logins, that's a username and password combination. Other factors are verification methods that a user has in their possession, such as a mobile device with an authenticator app installed or a physical security key.

A user enters their username and password, as usual. Then the user is prompted to provide one of the verification.


Salesforce Partner EMPAUA


We create solutions that drive your business success.
Salesforce Partner EMPAUA

Do you need Salesforce support?

Request a Consultation and let our experts advise you.

Want to join the team?

Take a look at our job openings and be part of our mission.

Explore more articles