Get Started with Multi-Factor Authentication
Learning Objectives
In this project, you’ll:
- Configure the session security level for MFA.
- Enable MFA for select users.
- Enable MFA for everyone in your org.
What’s MFA, Anyway?
To keep your Salesforce org secure, users must be able to prove they’re who they say they are. So, to log in, users must provide evidence of their identity. This process is called user authentication. The most common type of evidence is a username-password combination, which represents a single factor of authentication.
With multi-factor authentication, users must provide additional evidence besides their username and password (something they know). This additional verification method must be something the user possesses (such as an authenticator app like Salesforce Authenticator or a security key like YubiKey), or something the user is (such as biometrics via a built-in authenticator like FaceID or Windows Hello).
In today’s cybersecurity environment, one factor isn’t enough to protect online accounts from threats like phishing attacks or credential stuffing. While a strong password is better than a weak one, any password is susceptible to theft and misuse. Requiring another factor adds an extra layer of security for your org. Even if a user’s password is stolen, the odds are very low that an attacker can guess or impersonate a factor that a user physically possesses.
Salesforce believes MFA is a critical component of securing account access. It’s so important that we added a requirement to the Salesforce Main Services Agreement specifying that all users must use MFA when accessing an org’s user interface. The MFA requirement went into effect on February 1, 2022, and Salesforce is auto-enabling and enforcing MFA in 2023. To learn more about these milestones and to get the full details for the requirement, check out the Salesforce Multi-Factor Authentication FAQ.
Follow Along with Trail Together
Want to follow along with an expert as you work through this step? Take a look at this video, part of the Trail Together series.
Project Overview: Launch MFA for Your Org
There are two options for turning on MFA for your Salesforce org.
- Enable MFA on a user-by-user basis. This method is ideal if you want to start with a pilot program and enable MFA for groups of users over time. Staggering your rollout lets you test your implementation and change management materials, and make adjustments as needed.
- Enable MFA for all users at once. With just a few clicks, you can enable MFA for everyone at the same time. Make MFA your org’s official policy, and rest assured that no one falls through the cracks. We recommend taking this step as soon as you’re ready to go all in with MFA for your org.
After completing this Quick Start, you’ll be equipped to implement MFA either way. But before we jump in, there’s a brief step to cover first, regardless of how you decide to enable MFA.
Verify the Session Security Level
Before launching MFA, make sure the right security level is associated with the multi-factor authentication login method. In most production orgs, this setting is already in place. But if it’s not, it’s important to do this step before you set up an MFA requirement for any admin users. Otherwise, you could prevent yourself or other admins from logging in.
- From Setup, enter
Session Settingsin the Quick Find box, then select Session Settings. - Under Session Security Levels, make sure that Multi-Factor Authentication is in the High Assurance category.
With the session security level correctly configured, you’re ready to start your MFA journey.
To complete the steps in this project, create a new Trailhead Playground by clicking the Trailhead Playground name below and selecting Create Playground. It typically takes 3–4 minutes for Salesforce to create your Trailhead Playground.
Yes, we really mean a brand-new Trailhead Playground! If you use an existing org or playground, you can run into problems completing the steps.
