What is multi-factor authentication (MFA), and how does it work?

Beginning February 1, 2022, Salesforce will require users to use multi-factor authentication (MFA) in order to access Salesforce products. 

All internal users who log in to Salesforce products through the user interface must use MFA for every login. 

MFA is an effective way to increase protection for user accounts against common threats like phishing attacks, credential stuffing, and account takeovers. It adds another layer of security to your login process by requiring users to enter two or more pieces of evidence — or factors — to prove they’re who they say they are. 

By tying user access to multiple, different types of authentication factors, it’s much harder for a bad actor to access your Salesforce environment. For example, even if a user’s password is stolen, the odds are very low that an attacker will also be able to guess or hack a code from the user’s authentication app.


What's the difference between MFA and 2FA?

MFA and 2FA both protect against unauthorized access by requiring a user to provide multiple authentication factors to prove their identity. The only difference between them is the number of factors that are needed to log in. MFA requires two or more factors, providing options for many combinations of authentication mechanisms. 2FA, on the other hand, is a subset of MFA that requires two factors only. One factor is something the user knows, such as their username and password combination. Other factors are verification methods that the user has in their possession, such as an authenticator app or security key. 


Which verification methods satisfy the MFA requirement?

The Salesforce Authenticator app and Microsoft Authenticator are the supported verification methods for MFA. 

Salesforce encourages users to register multiple verification methods, so they have a backup in case they forget or lose their primary method.

If a user sets up several verification methods, they're automatically prompted to provide the highest-priority method when they log in. Salesforce uses this order of precedence for verification methods when logging in with MFA:

  • Salesforce Authenticator

  • Built-in authenticators

  • Security keys

  • Third-party time-based one-time passcode (TOTP) authenticator apps

After MFA is enabled for user interface logins, each user must have at least one registered verification method before they can log in. The registration process connects a method to the user's Salesforce account. Users can register methods at any time. If a user doesn't have a method ready by the time MFA is enabled, they're automatically prompted to register one the next time they log in. On-screen prompts guide users through the process.

For all subsequent logins, the login process prompts users to supply a registered method in addition to their username and password.

If a user loses or forgets their mobile device or security key, Salesforce admins can generate a temporary verification code that allows the user to log in to their account. The code can be used multiple times until it expires.

What is Salesforce Authenticator?

The Salesforce Authenticator mobile app is a strong verification method that can be used as a second factor for MFA logins. The app is free and simple to use, minimizing the impact of MFA on the user experience. It is available on both the App Store and Google Play.

Salesforce Authenticator makes the extra MFA authentication step easy because the app automatically integrates into your current Salesforce login process.

How to log in

  • From the browser, enter your username and password as usual (screenshot 1)

  • Because MFA is enabled, Salesforce prompts you to open the app on your mobile device and tap “Add Account”

After a user enters their username and password, the app sends a notification to the user's mobile device. The user taps the notification to open Salesforce Authenticator, verifies that the login request is coming from them, and then they’re logged in. For more information, see the Introduction to Salesforce Authenticator video.

What are third-party TOTP authenticator apps (Microsoft Authenticator)?

All the Salesforce products that have MFA functionality support the use of third-party authenticator apps as verification methods for MFA logins. You can use any authenticator app that generates temporary codes based on the OATH time-based one-time password (TOTP) algorithm (RFC 6238). There are many free and paid authenticator apps to choose from; Microsoft Authenticator is a widely used option.

Is a data connection needed to use a mobile authenticator app? If a user loses their connectivity, can they log in?


The Salesforce Authenticator mobile app requires a data connection to authenticate via push notifications or location-based automated verification. If a user's mobile device is offline, however, users can still authenticate using one of the unique, time-based one-time password (TOTP) codes that the app continually generates. Similarly, third-party TOTP authenticator apps work if a device doesn't have a connection.
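The two answers above (third-party TOTP apps, and why TOTP codes still work offline) both rest on the RFC 6238 algorithm: the code is derived only from a shared secret and the current time step, so no network connection is needed once the secret has been enrolled. The following is an added example, not code from Salesforce or from any authenticator app, showing how a TOTP code is computed and how a server would verify one with a small clock-drift window. The secret used in the self-check is the published RFC 6238 test key (the ASCII string "12345678901234567890"); the base32 form is how apps typically receive a secret from a QR code.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Published RFC 6238 / RFC 4226 test secret (ASCII "12345678901234567890").
# Used only for the self-check; a real enrolment uses a random per-user secret.
RFC6238_SHA1_SECRET = b"12345678901234567890"


def secret_from_base32(text: str) -> bytes:
    """Decode the base32 secret that an authenticator app scans from a QR code.
    Spaces and missing '=' padding are tolerated, as most apps do."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation,
    then the last `digits` decimal digits (zero-padded)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: Optional[int] = None, step: int = 30,
         digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second time step.
    Nothing here touches the network, which is why an offline phone still works."""
    if for_time is None:
        for_time = int(time.time())
    return hotp(secret, for_time // step, digits, algorithm)


def verify_totp(secret: bytes, submitted: str, for_time: Optional[int] = None,
                step: int = 30, digits: int = 6, drift: int = 1) -> bool:
    """Server-side check. `drift` is how many adjacent time steps to accept, to
    tolerate small clock skew between the phone and the server (1 step = 30 s
    either way). Comparison is constant-time to avoid leaking digits by timing."""
    if for_time is None:
        for_time = int(time.time())
    if len(submitted) != digits or not submitted.isdigit():
        return False
    counter = for_time // step
    for k in range(-drift, drift + 1):
        if hmac.compare_digest(hotp(secret, counter + k, digits), submitted):
            return True
    return False


if __name__ == "__main__":
    # Self-check against the RFC 6238 vector: T=59, 8 digits, SHA-1 -> 94287082
    print(totp(RFC6238_SHA1_SECRET, for_time=59, digits=8))
    # The same secret, 6 digits, at T=59 (time step 1) -> 287082
    print(totp(RFC6238_SHA1_SECRET, for_time=59))
```

A production verifier would additionally remember the last accepted time step per user and refuse a repeat of the same code within that step, so that a code observed once cannot be replayed inside its 30-second validity window; that bookkeeping is omitted here to keep the algorithm itself visible.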

How are my users affected when we enable MFA?

If you’re using Salesforce's MFA functionality, users must respond to an MFA challenge each time they log in to a Salesforce product. This applies to all logins, including those due to inactivity and expired sessions. The frequency of MFA challenges can’t be modified.

Can I automate or control how often the extra authentication step is required by Salesforce products to reduce impact to my users?


To ensure that MFA is providing the intended protection, users must supply a verification method each time they log in directly to a Salesforce product. To reduce friction for users, we recommend using Salesforce Authenticator. The app can automate the extra authentication step when a user works from a trusted place, like the office or home — which means users don’t have to touch their phones when they log in from these locations. Users can set this option for themselves. See Automate Multi-Factor Authentication Logins from a Trusted Location with Salesforce Authenticator in Salesforce Help for details.

Note: An FAQ on how MFA works and how it affects the user experience is available at https://help.salesforce.com/s/articleView?id=000352937&type=1
