Salesforce Multi-Factor Authentication: Key things to know

From the 1st of February 2022, Salesforce Customers are contractually required to use Multi-Factor Authentication (MFA) to access Salesforce products. Let’s look at some of the key considerations.

What is MFA?

MFA enhances security by requiring users of a service, such as Salesforce, to provide more than one piece of evidence to confirm their identity when logging in. A username and password are something you know. Used on their own, they are ‘Single-Factor Authentication’ (SFA). In isolation, this is not particularly secure. What happens if your login details are stolen or guessed?

The difference between SFA and MFA is the number of ‘factors’ required to log in. MFA requires ‘multiple’ factors to be used. Factors are commonly divided into three categories:

  • Knowledge: Something you know (e.g. Username and Password)
  • Possession: Something you own (e.g. mobile device with an authenticator app)
  • Inherence: Something unique to you (e.g. fingerprint, iris scanning etc)

Using multiple ‘factors’ makes it harder for unauthorised parties (bad actors) to access your system. A bad actor may have your login details, but they are less likely to have your other ‘factors’ (e.g. your mobile with an authenticator app). As such, login attempts are blocked, keeping your system safer.

Why is MFA needed?

It is a simple way to help keep your company’s system safer. Whether for legal, compliance or reputational reasons, preventing unauthorised org access is key. Check out this case study to see why.

MFA for Salesforce

Salesforce refers to security as a ‘partnership’. Keeping an org safe requires Salesforce and the business (admins, developers, and users) to work together. After all, Salesforce can secure its servers, but it cannot stop a user falling victim to a phishing attack.

Tools provided by Salesforce, such as the Salesforce Authenticator App, are intended to make enabling MFA as easy as possible. However, setup and adoption are up to individual businesses.

What should I do?

Every business is unique. As such, you need to tailor the approach to your business’s needs. For example, let’s say your business has an Identity Provider (IdP) outside of Salesforce with Single Sign-On (SSO) enabled. If your users log in to Salesforce via SSO, it is recommended to consider options for MFA within the SSO solution itself. This shows the need to consider your business’s system landscape.

Salesforce provides many resources to help in the ‘Multi-Factor Authentication Assistant’ within Setup. This will help guide you through the various considerations.

The following resources are particularly useful:


Whilst preparing for MFA, consider the following:

  • Engage your IT and Cyber Security Team early: communication is key
  • Review the Salesforce documentation and your system landscape to understand the options
  • Review how existing processes compare against the MFA FAQ and MFA Requirement Checker
    • Be sure to note the need for ‘strong verification methods’. Check the FAQ to see if any existing verification methods used fulfil Salesforce’s requirements
  • Understand the scope of Salesforce’s MFA requirements. The ‘Scope of the MFA Requirement’ section in the FAQ is particularly helpful for this
  • Identify and help users impacted by MFA changes. This includes System Administrators
  • Preview and test any changes made via Permission Sets and in Sandboxes
  • Use the MFA enforcement as an opportunity to enhance your org’s security
  • Remember February 2022 is the start of the roadmap. Requirements will change over time


Starting on February 1st 2022, Salesforce customers are required to enable MFA to access Salesforce products. This post has outlined what MFA is and why it is needed. It has also shared some of the many resources Salesforce has provided to help with the rollout.

When implementing MFA, review the documentation, consider your business’s needs and system landscape, and engage relevant stakeholders. This will help ensure the rollout is successful.

Bonus Penguin Fact

Did you know that a group of penguins on the land is commonly called a waddle, but in the water is called a raft? 
