
What is the Multi-Factor Authenticator, and how does it work?

Beginning February 1, 2022, Salesforce will require users to use the Multi-Factor Authenticator (MFA) in order to access Salesforce products.

All internal users who log in to Salesforce products through the user interface must use MFA for every login. 

MFA is an effective way to increase protection for user accounts against common threats like phishing attacks, credential stuffing, and account takeovers. It adds another layer of security to your login process by requiring users to enter two or more pieces of evidence — or factors — to prove they’re who they say they are. 


What's the difference between MFA and 2FA?

MFA requires two or more factors, providing options for many combinations of authentication mechanisms.

2FA is a subset of MFA that requires two factors only.


Which verification methods satisfy the MFA requirement?

The Salesforce Authenticator app and Microsoft Authenticator are both supported methods for the MFA functionality.

Salesforce encourages users to register multiple verification methods, so they have a backup in case they forget or lose their primary method.

Salesforce uses this order of precedence for verification methods when logging in with MFA:

  • Salesforce Authenticator

  • Built-in authenticators

  • Security keys

  • Third-party time-based one-time passcode (TOTP) authenticator apps

After MFA is enabled for user interface logins, each user must have at least one registered verification method before they can log in.

If a user doesn't have a method ready by the time MFA is enabled, they're automatically prompted to register one the next time they log in. On-screen prompts guide users through the process.

For all subsequent logins, the login process prompts users to supply a registered method in addition to their username and password.

If a user loses or forgets their mobile device or security key, Salesforce admins can generate a temporary verification code that allows the user to log in to their account. The code can be used multiple times until it expires.

What is Salesforce Authenticator?

The Salesforce Authenticator mobile app is a strong verification method that can be used as a second factor for MFA logins. The app is free and simple to use, minimizing the impact of MFA on the user experience. It is available on both App Store and Google Play Store.

Salesforce Authenticator makes the extra MFA authentication step easy because the app automatically integrates into your current Salesforce login process.

How to log in?

  • From the browser, enter your username and password as usual (screenshot 1)

  • Because MFA is enabled, Salesforce will ask you to open the app on your mobile device and click on “Add Account” (screenshot 2)

  • Salesforce Authenticator will display a two-phrase code

  • Enter the two-phrase code when requested in the browser (screenshot 3)

  • The account is now connected

NOTE: this process needs to be done only once, to connect the account to Salesforce Authenticator.

After a user enters their username and password, the app sends a notification to the user's mobile device. The user taps the notification to open Salesforce Authenticator, verifies that the login request is coming from them, and then they’re logged in. For more information, see the Introduction to Salesforce Authenticator video.

What are third-party TOTP authenticator apps (Microsoft Authenticator)?

All the Salesforce products that have MFA functionality support the use of third-party authenticator apps as verification methods for MFA logins. There are many free and paid authenticator apps to choose from. Widely-used options include Microsoft Authenticator.

How to log in?

  • Click on “Add Account” in the Microsoft Authenticator app

  • Select the domain (Microsoft Private or Business - Gmail…)

  • A screen for scanning a QR code will be displayed

  • From the browser, once logged in with username and password, select the option “Choose another Verification Method” (screenshot 4)

  • The QR code requested by the app will be displayed. In addition, the browser asks for a verification code (screenshot 5)

  • The account is now connected with the Microsoft app, and the code can be entered.

NOTE: the QR code is requested only on the first login. Subsequent logins will each require a different code.

While Salesforce Authenticator only requires the user to approve the login via a notification, Microsoft Authenticator requires the user to open the app and enter the code for every login.

Can I set up both Salesforce and Microsoft Authenticator App on my account?

Yes. Salesforce suggests that users set up one or two authenticators on their accounts to secure the login.

Once the user has set up the first one (e.g. Salesforce Authenticator), this is the process to follow to connect Microsoft Authenticator:

  • Click on “My Settings” under the user name (screenshot 6)

  • In the Quick Search box, type “Advanced User Details” (screenshot 7)

  • Click on “Connect” (screenshot 8)

  • On the next login attempt, select “Choose another Verification Method” and follow the process above

Is a data connection needed to use a mobile authenticator app? If a user loses their connectivity, can they log in?


The Salesforce Authenticator mobile app requires a data connection to authenticate via push notifications or location-based automated verification.

If a user's mobile device is offline, however, users can still authenticate using one of the unique, time-based one-time password (TOTP) codes that the app continually generates.

The code is shown under the account name in the app. The app generates a new code every 30 seconds.

Similarly, third-party TOTP authenticator apps work if a device doesn't have a connection.
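
Why these codes work offline, as an added example that is not part of the original page or Salesforce's own code: a TOTP code (RFC 6238) is computed only from a secret shared at registration and the device clock. The key below is the published RFC 6238 test key, and the function names and the one-step clock-drift window are assumptions for illustration.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # a new code every 30 seconds, as stated above
DIGITS = 6
# Published RFC 6238 test key (constructed sample, not a real account secret).
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(time / step). No network I/O."""
    return hotp(secret, unix_time // STEP_SECONDS, digits)


def verify(secret: bytes, submitted: str, unix_time: int,
           drift_steps: int = 1) -> bool:
    """Server-side check. Accepts +/- drift_steps time steps (assumed policy)
    so a phone whose clock is slightly off can still log in."""
    counter = unix_time // STEP_SECONDS
    ok = False
    for delta in range(-drift_steps, drift_steps + 1):
        if counter + delta < 0:
            continue
        expected = hotp(secret, counter + delta)
        # Constant-time comparison; check every candidate, no early exit.
        ok |= hmac.compare_digest(expected.encode(), submitted.encode())
    return ok


if __name__ == "__main__":
    code = totp(RFC_TEST_SECRET, 59)              # phone, offline, at t=59s
    print(code, verify(RFC_TEST_SECRET, code, 60))    # next step: accepted
    print(verify(RFC_TEST_SECRET, code, 120))         # two steps on: rejected
```

Because both sides derive the code independently, the only things that can break an offline login are a wrong device clock or a lost secret, which is why a backup verification method matters.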

Can I automate or control how often the extra authentication step is required by Salesforce products to reduce impact to my users?


The frequency of MFA challenges can’t be modified.

To ensure that MFA is providing the intended protection, users must supply a verification method each time they log in directly to a Salesforce product.

To reduce friction for users, we recommend using Salesforce Authenticator.

The app can automate the extra authentication step when a user works from a trusted place, like the office or home — which means users don’t have to touch their phones when they log in from these locations.

To set this option, the user will have to select the option “Add this to a trust location” at the moment the login notification is delivered.

For additional information: Automate Multi-Factor Authentication Logins from a Trusted Location with Salesforce Authenticator

Note: FAQs on how MFA works and how it will affect the user experience are available at https://help.salesforce.com/s/articleView?id=000352937&type=1
