
* MFA - Getting Started *

Welcome! This group is dedicated to helping you protect Salesforce account access with Multi-Factor Authentication (also known as MFA, and formerly called Two-Factor Authentication or 2FA). Join the conversation here to ask questions, get answers, learn best practices, and share your experiences.

---------------------------------------

This group is maintained and moderated by Salesforce employees. The content received in this group falls under the official Forward-Looking Statement: http://investor.salesforce.com/about-us/investor/forward-looking-statements/default.aspx

Received a security notification from Salesforce regarding Phishing-Resistant MFA for Privileged users. We use Entra SSO SAML, and the SAML tracer shows weak. Are there any configuration changes that need to be done on the Single Sign-On page in Salesforce? I do know there are some changes to be done on the IdP side, but I'm not sure what changes need to be made at the Salesforce end to meet the ACR/AMR requirement.

4 answers
  1. May 29, 7:47 AM

    Hi @Ayu P

    There might be some changes needed. You need to investigate the SAML responses for your users to check whether the needed context is provided. So basically only the IdP needs to provide a valid context to Salesforce. Please see below:

    Admin Users with UI logins:

    They must comply with Phishing Resistant MFA, meaning that when logging in with SSO, any of these values should be present in the SAML response: cert, fido, fido2, fpt, hwk, iris, pin, pki, pop, retina, sc, Smartcard, swk, TLSClient, user, vbm, wia, X509.

    Privileged Users (with Modify All Data, View All Data, Customize Application, Author Apex permissions) with UI logins:

    They must comply with Phishing Resistant MFA, meaning that when logging in with SSO, any of these values should be present in the SAML response: cert, fido, fido2, fpt, hwk, iris, pin, pki, pop, retina, sc, Smartcard, swk, TLSClient, user, vbm, wia, X509.

    Integration Users

    All Integration Users must use API Only User to bypass this requirement (User, not the connected app) if someone is actually logging in. If they don't have it, they must comply with Phishing Resistant MFA, meaning that when logging in with SSO, any of these values should be present in the SAML response: cert, fido, fido2, fpt, hwk, iris, pin, pki, pop, retina, sc, Smartcard, swk, TLSClient, user, vbm, wia, X509. If no logins are performed (you can check such integration users' login history), then no impact should be visible on them.

    To check what values in the SAML Response you are receiving with user logins, you can try and use some SAML response analyzer tool; for example, I'm using SAML Tracer (Chrome extension):

    https://chromewebstore.google.com/detail/saml-tracer/mpdajninpobndbfcldcmbpnnbhibjmch?hl=en

    Hope this clears things out for you!

    Source:

    https://help.salesforce.com/s/articleView?id=005321563&type=1


*** Important change for: All Core Org Admins & Security Contacts ***

This update is limited to Salesforce Platform.

In Progress Enhancements: Immediate Action Required

Salesforce is enforcing these controls now. To avoid service disruption, verify your configuration. 


Upcoming Enhancements: Take Action Now

Detailed enforcement dates for each control are available in the linked resources.


  • Phishing-Resistant Multi-Factor Authentication (MFA) for Privileged Users, including Admins: Phishing-resistant MFA will be enforced for System Administrators and users who have certain privileged permissions when they log in to any org, including sandboxes. This requirement applies to direct UI and Single Sign-On (SSO) logins. Learn more about how to set up this feature and the enforcement timeline.
  • MFA for All: MFA will be enforced for all employee license users who log in via the Salesforce UI or Single Sign-On (SSO) to all orgs, including sandboxes. Learn more about how to set up this feature and the enforcement timeline.
  • Step-Up Authentication: Salesforce will enforce identity verification challenges for all users (including those using SSO) when they perform high-sensitivity actions, starting with UI report exports and viewing, and for anomalous behavior while accessing reports. This change applies across all orgs, including sandboxes. To prepare for this change, ensure that your users each have one of the following registered: Salesforce MFA, a current email address, or a mobile phone number. To learn more about how to prepare for this change, see Prepare for the upcoming Step-up Authentication requirements on Report Actions and Prepare for Step-up Authentication in Anomalous Report Export.
  • Upcoming Transaction Security Policy (TSP) Enhancements (Shield & Event Monitoring customers): Salesforce will automatically deploy a default TSP for ReportEvent. When enabled, this policy triggers a step-up authentication challenge for UI report exports that exceed 10,000 records. Additionally, a new "Manage Transaction Security Policy" permission will be required, in addition to the "Customize Application" permission, to manage any TSP. Review and assign this new permission to authorized users before enforcement. Learn more about how to set up this feature and the enforcement timeline.


Strongly Recommended but Not Required at This Time

This control is recommended but not mandatory as previously announced.


  • IP Address Restriction: Salesforce isn’t enforcing the IP address restrictions in profiles or the “Enforce login IP ranges on every request” session setting at this time. However, we continue to strongly recommend that you adopt IP address restrictions and enable the setting, and we may require that configuration in the future. To learn more about how to configure your IP Allowlist permissions, see Restrict Login IP Addresses in Profiles and Set Trusted IP Ranges for Your Org.
  • Phishing-Resistant MFA for Non-Admin Users: To ensure the highest level of protection against identity-based threats, Salesforce strongly recommends that you implement phishing-resistant MFA for all users. See Prepare for MFA Enforcement for All Employee Users.


More Information

Join one of these webinars where Salesforce experts will discuss these changes.


12 comments
  1. May 25, 4:05 AM

    @Bhavin Patel

    Commenting so I too can be kept in the loop if more webinar options come up. Due to timezone issues I can't always attend, so more options would be appreciated.

The mandatory MFA updates for both Admin and Non-Admin users state "This requirement applies to direct UI and Single Sign-On (SSO) logins." Does this mean user accounts used in OAuth integrations (Login Type Remote Access 2.0) are exempt from this security update? If not, how does this affect these logins/integrations?

1 answer

Hi community,

The article said users with Modify All Data and View All Data would need to use Phishing-Resistant MFA. I'm just wondering if View All Data on a specific object only counts towards the requirement or not? Anyone know?

Article:

https://help.salesforce.com/s/articleView?id=005321563&type=1

Many thanks!

2 answers
  1. May 13, 8:14 PM

    A follow up to this question. Do you know if it is every View/Modify in the system preferences?


With MFA becoming mandatory starting June 2026 for both sandbox and production environments, I have a question regarding our current setup.

At present, users log in to Salesforce via SSO using Microsoft accounts (Azure/Entra ID), and MFA is already enforced at the identity provider level. Similarly, access to Azure DevOps (ADO) is also managed through Entra ID, where MFA is enforced.

Given this setup, is it still necessary to enable Salesforce-native MFA for users, or is enforcing MFA through the identity provider (Entra ID) sufficient to meet the requirement?

Appreciate any guidance or clarification on this.

1 answer
  1. Sushil Kumar (UKG) Forum Ambassador
    Apr 20, 11:39 AM
    I think it’s been more than a year since SF started enforcing MFA. For SSO, they rely on your identity provider to provide MFA. See the FAQ; there is one SSO-related clarification: https://help.salesforce.com/s/articleView?id=000396727&language=en_US&type=1

We have Okta-enabled SSO (IdP-initiated) for our Salesforce Production org only. We are planning to implement it for our non-prod org. For user experience, we get a push notification through Okta and then the user is able to log in to Salesforce. As SSO was implemented long back, we want to know whether, with the upcoming security checks (June 2026), our current configuration is compliant. What is the best way to verify?

1 answer
  1. Apr 2, 5:27 AM

    Hi @Abhijeet Budke

    Since we are using Okta SSO with push-based MFA, Salesforce MFA compliance depends on whether the MFA challenge is enforced at the IdP and correctly passed in the SAML assertion. The best way to verify is by checking Login History for the “Authentication Method Reference” field showing “mfa”. Additionally, validate Okta sign-on policies to ensure MFA is enforced for all users and not bypassed. We should also test in non-production orgs and use Salesforce’s MFA Assistant to confirm compliance ahead of the June 2026 security checks.

    If it works for you, feel free to mark it as the best answer.

So, we received information that Salesforce is going to enforce MFA on each SSO login, as mentioned in the following documentation:

https://help.salesforce.com/s/articleView?id=005237070&type=1&utm_source=techcomms&utm_medium=email&utm_campaign=FY26_Core_4097908

As described in this document, we enabled MFA using the “Require multi-factor authentication (MFA) for all direct UI logins to your Salesforce org” option under Setup → Identity Verification.

We are sending the following AuthnStatement in the SAML response:

    <saml:AuthnStatement AuthnInstant="2026-01-29T10:11:46.404Z"
                         SessionIndex="e19ce28a63754b40a9361c98504d8d1d">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>

However, Salesforce is still prompting users for MFA after SSO login.

Is there anything else that needs to be configured on the Salesforce side to bypass MFA, considering that MFA is already being verified at our IdP?

Thanks in advance.

8 answers
  1. Mar 15, 3:30 PM

    If you are using custom SAML SSO, then you can add an additional attribute "AMR" to your SAML response with the suggested value in the document "Changes to Device Activation for Single Sign-On (SSO) Logins" (refer to the 1st table, row "SSO Identity Provider (IdP) Secure Authentication").
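As an added example (not code from any post on this page or from Salesforce), the following Python checker reads an assertion the way the SAML Tracer advice earlier in this thread suggests doing by hand: it pulls out the AuthnContextClassRef and the "AMR" attribute this answer refers to, and reports whether any value is on the phishing-resistant list given in the first answer on this page. The attribute name "AMR", the sample assertions, and the values "mfa" and "otp" are constructed assumptions for the demo; confirm the exact attribute name and value against the linked Salesforce document.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Values the earlier answer on this page lists as phishing-resistant, lower-cased so
# "Smartcard", "TLSClient" and "X509" match regardless of the IdP's casing.
PHISHING_RESISTANT_AMR = {
    "cert", "fido", "fido2", "fpt", "hwk", "iris", "pin", "pki", "pop", "retina",
    "sc", "smartcard", "swk", "tlsclient", "user", "vbm", "wia", "x509",
}

def extract_auth_context(assertion_xml):
    """Return (AuthnContextClassRef, set of lower-cased AMR values) from one assertion."""
    root = ET.fromstring(assertion_xml)
    ref = root.find(".//saml:AuthnContext/saml:AuthnContextClassRef", SAML_NS)
    class_ref = ref.text.strip() if ref is not None and ref.text else None
    amr = set()
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        # Attribute name "AMR" is taken from the answer above (assumption: confirm it in
        # the linked Salesforce document). Accept one AttributeValue per method or a
        # single space-separated list, since IdPs differ here.
        if attr.get("Name", "").lower() == "amr":
            for value in attr.findall("saml:AttributeValue", SAML_NS):
                amr.update(v.lower() for v in (value.text or "").split())
    return class_ref, amr

def is_phishing_resistant(assertion_xml):
    """True if at least one AMR value in the assertion is on the phishing-resistant list."""
    _, amr = extract_auth_context(assertion_xml)
    return bool(amr & PHISHING_RESISTANT_AMR)

def build_assertion(authn_context_class_ref, amr_values):
    """Build a constructed, unsigned, minimal assertion for the samples below."""
    values = "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in amr_values)
    attr_stmt = (f'<saml:AttributeStatement><saml:Attribute Name="AMR">{values}'
                 "</saml:Attribute></saml:AttributeStatement>") if amr_values else ""
    return (f'<saml:Assertion xmlns:saml="{SAML_NS["saml"]}">'
            '<saml:AuthnStatement AuthnInstant="2026-01-29T10:11:46.404Z">'
            f"<saml:AuthnContext><saml:AuthnContextClassRef>{authn_context_class_ref}"
            "</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement>"
            f"{attr_stmt}</saml:Assertion>")

# Constructed samples: the poster's AuthnContext with no AMR attribute, the same plus an
# AMR attribute carrying fido2, and a push/OTP login ("otp" is not on the page's list).
MOBILE_2FA = "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract"
SAMPLE_POSTER = build_assertion(MOBILE_2FA, [])
SAMPLE_FIDO2 = build_assertion(MOBILE_2FA, ["mfa", "fido2"])
SAMPLE_OTP = build_assertion(MOBILE_2FA, ["mfa", "otp"])
```

Feed `is_phishing_resistant` a decoded assertion captured with SAML Tracer: an empty AMR set, as in the poster's AuthnStatement above, means the IdP still has to be configured to emit a qualifying method, whatever the AuthnContextClassRef says.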


Hi all,

I'm having some trouble wrapping my head around this MFA authentication subject. I need your help! Since today my users keep having to authenticate their logins using an authenticator app. I've been reading up and evidently my predecessor has only set up part of the solution.

We have the following:

- SSO setup with a Google certificate
- Users can log in via Google SSO or their username and password
- MFA is enabled in our Google accounts via 2FA.

What exactly do I need to check or set up for my users to keep using the Google SSO login variant?

There is so much information available I can't make out what's what...

Federation IDs are filled in on our Salesforce users, but some of the users still need to re-enter a verification a few times a day.

Thanks in advance for all your help!

4 answers

I want to cancel or disable MFA authentication for users in my store profile.

I've tried various things but I can't seem to do it.

What should I do? (The following have been cancelled.) Shouldn't MFA authentication for general users be impossible to cancel?

- Waive Multi-Factor Authentication for Exempt
- Require multi-factor authentication (MFA) for all direct UI logins to your Salesf
- Show all verification method registration options instead of starting with Salesforce Authenticator
- Require identity verification during multi-factor authentication (MFA) registration

1 answer
  1. Eric Burté (DEVOTEAM) Forum Ambassador
    Feb 8, 11:07 PM

Hi - In our Sandbox (running Summer '22) Session Settings there is an info pop-up that references the user permission "Waive MFA for exempt users". It sounds like a good idea to assign to our External Identity users to ensure that MFA isn't required when Salesforce eventually enforces MFA globally. (Note: I do understand that MFA is not required for external users, I just want to be extra cautious.)

 

Does anyone know where this "Waive MFA" permission is? I assume it's Summer '22, but I can't find it in our Sandbox where I expected it, in either Session Settings or in Permission Sets --> System Permissions. Thank you!

16 answers
  1. Jun 13, 2022, 4:20 PM

    Good news: Our production was upgraded to Summer '22 over the weekend and I now see "Waive MFA for Exempt Users" as an option in the System Permissions of Permission Sets!

    I asked the question initially because I didn't see this in the Sandbox Summer '22 upgrade. Looks like it's GA for production now. Thanks for the responses, Mohit!