
Given that this Change Takes Effect in -

- Sandboxes: Starting June 22, 2026, staggered over approximately 7 days
- Production: Starting July 1, 2026, staggered over approximately 30 days

We are in the process of identifying the best way to implement this for our org. We use SSO to log in to Salesforce along with Microsoft Entra ID. However, we have been advised by SF Support that this alone does not qualify as Phishing Resistant MFA, and it was suggested that we use Windows Hello for laptop/desktop admin logins. However, this may not work for SF Mobile App logins. There is a lot of uncertainty in this topic. We were advised to enable Setup → Identity Verification → Built-in Authenticators, which will make Built-in Authenticators available for both desktop/laptop and supported mobile login experiences.

For laptops/desktops:

> Windows Hello for Business is fully supported and compatible with Salesforce Built-in Authenticators.
> Your IT team’s Windows Hello setup for admin users aligns well with the phishing-resistant MFA requirement.

For mobile devices:

> Face ID, Touch ID, and Android biometrics can also be used as Built-in Authenticators.

However, once Built-in Authenticators are enabled in the org, the option becomes available for all users and not only privileged users/admins, and there seems to be no way available currently to enable it only for admins. This would result in enabling phishing resistant MFA for all users across the org. We are a bit clueless about how to proceed. If anyone has implemented it successfully and can guide us, that would be very helpful. Thanks in advance.

5 answers
  1. Yesterday, 5:50 PM

    I have had a few support tickets opened for all these changes because documentation is so poor. I was told that after you enable Identity Verification > Let users verify their identity with a built-in authenticator such as Touch ID or Windows Hello, you then go to your own Settings > Advanced User Details then scroll down to Built-in Authenticators to add whatever you will be using. 

     

    Then once you authenticate with MFA again, it will ask you to Register a Passkey.   

     

    Except it did not give me the option to select Face ID, which is what I set up. It just asked me if I wanted to save to Google Password Manager, but if I select Save another way, I also get Windows Hello. That's it. Once I selected Google Password Manager, although my company uses 1Password, I then have to enter my Windows passcode and I am in.

     

    Doesn't make any sense. How is Google Password Manager an accepted method?
