
How to Roll Out Multi-Factor Authentication
Salesforce, Spring ’24

Last updated: March 22, 2024


© Copyright 2000–2024 Salesforce, Inc. All rights reserved. Salesforce is a registered trademark of Salesforce, Inc., as are other
names and marks. Other marks appearing herein may be trademarks of their respective owners.
CONTENTS

How to Roll Out Multi-Factor Authentication (page 1)
  It’s Time for Multi-Factor Authentication (page 2)
  Get Ready Phase: Evaluate and Plan Your Multi-Factor Authentication Rollout (page 7)
  Roll Out Phase: Prepare to Launch Multi-Factor Authentication (page 27)
  Manage Phase: Maintain and Enhance Multi-Factor Authentication (page 38)
  Multi-Factor Authentication Glossary (page 44)
Index (page 47)
HOW TO ROLL OUT MULTI-FACTOR AUTHENTICATION

Multi-factor authentication (MFA) is one of the simplest, most effective ways you can safeguard user account access. Because MFA is a
critical component of securing account access, Salesforce requires it for all users who log in to the user interface — either directly with
a username and password or via single sign-on (SSO). The contractual requirement to use MFA went into effect on February 1, 2022.
We make it easy with simple, innovative MFA solutions that provide a balance between strong security and user convenience.

Important: For full details about the MFA requirement, see the Salesforce Multi-Factor Authentication FAQ. Note that MFA is a
default part of the direct login experience for all production orgs created on or after April 8, 2024 — see this release note for more
information.
As an admin, you are your company’s trusted advisor for all things Salesforce and you help decide how to prepare for and roll out MFA
to your users. This guide walks you through the recommended process, including key steps and best practices.

Note: The focus of this guide is enabling MFA for users who log in directly to your Salesforce products with a username and
password. This content doesn’t apply to setting up MFA for single sign-on (SSO) identity providers, API logins, or for your partners
or customers who engage with you through Salesforce Experience Cloud sites or ecommerce sites.

It’s Time for Multi-Factor Authentication


As security threats grow more common, it's increasingly important to implement strong measures to protect your Salesforce data,
your business, and ultimately, your customers. Usernames and passwords alone are no longer sufficient for guarding against
unauthorized account access. To add another layer of protection against common attacks like phishing, credential stuffing, and
account takeovers, Salesforce requires that all users who log in to your org must do so with multi-factor authentication (MFA). To
help, we have the resources and tools needed to plan and execute a smooth rollout to your Salesforce users.
Get Ready Phase: Evaluate and Plan Your Multi-Factor Authentication Rollout
Kick off your multi-factor authentication (MFA) project with a discovery and planning period. Learn why we require MFA for enhanced
login security, what your options are for verification methods, and how your company benefits from using MFA. Evaluate your
business and user requirements and your implementation options, and make the case to your key stakeholders. Plan your MFA
project, including rollout, change management, and support strategies, so you have a clear path to a successful launch.
Roll Out Phase: Prepare to Launch Multi-Factor Authentication
With your project plan in place and your stakeholders aligned, the next step is doing the work to deliver multi-factor authentication
(MFA) to your Salesforce users. Now is the time to prepare users to log in using MFA, and to work through your implementation and
test plans. Then you’ll be ready to launch MFA. If you’re rolling out gradually to groups of users, repeat some of the activities in this
phase until everyone is using MFA.
Manage Phase: Maintain and Enhance Multi-Factor Authentication
Congratulations, you’ve enabled multi-factor authentication (MFA) for your Salesforce users! But don’t just “set it and forget it.” Make
sure that your project is a success by keeping an eye on how everyone is experiencing MFA. In this phase, measure the effectiveness
of your MFA rollout, and support users with ongoing, day-to-day operations. This is also a good time to look for ways to optimize
your MFA implementation, as well as your overall security posture.

SEE ALSO:
Products That Support Multi-Factor Authentication


It’s Time for Multi-Factor Authentication


As security threats grow more common, it's increasingly important to implement strong measures to protect your Salesforce data, your
business, and ultimately, your customers. Usernames and passwords alone are no longer sufficient for guarding against unauthorized
account access. To add another layer of protection against common attacks like phishing, credential stuffing, and account takeovers,
Salesforce requires that all users who log in to your org must do so with multi-factor authentication (MFA). To help, we have the resources
and tools needed to plan and execute a smooth rollout to your Salesforce users.

Important: To help prevent unauthorized access to Salesforce accounts, customers are required to use multi-factor authentication
(MFA) when logging in — either directly with a username and password or via single sign-on (SSO). See the Salesforce Multi-Factor
Authentication FAQ for full details about this contractual requirement.
MFA is a default part of the direct login experience for all production orgs created on or after April 8, 2024. See this release note
for more information.

A Framework for Rolling Out and Supporting MFA


Based on our experiences and those of customers who’ve already implemented multi-factor authentication (MFA) for Salesforce,
we defined a path that you can follow for your own journey. The path is a framework with best practices, things to consider, and
practical advice for rolling out MFA, and ensuring users adopt it. Use the steps that make sense for your company and your Salesforce
products.
Meet the Multi-Factor Authentication Assistant
Looking for help rolling out multi-factor authentication (MFA) to your Salesforce users? Meet the Multi-Factor Authentication Assistant,
your central hub for all the recommended activities, tools, and resources for a successful project.
Get Customizable Templates With the MFA Rollout Pack
To help jump-start your multi-factor authentication (MFA) project, we provide a Rollout Pack that’s brimming with change management
guidance and customizable templates. Use the pack to plan your MFA implementation and prepare your users.

SEE ALSO:
Learn About Multi-Factor Authentication

A Framework for Rolling Out and Supporting MFA


Based on our experiences and those of customers who’ve already implemented multi-factor authentication (MFA) for Salesforce, we
defined a path that you can follow for your own journey. The path is a framework with best practices, things to consider, and practical
advice for rolling out MFA, and ensuring users adopt it. Use the steps that make sense for your company and your Salesforce products.
For easier manageability and a faster transition, we recommend approaching things in three phases. The phases break down into a few
stages, each with a set of recommended activities.

Get Ready
• Learn why Salesforce requires MFA for enhanced login security, what your options for enabling it are, and how your company
benefits.
• Evaluate your business and user requirements and align them with the MFA options for your Salesforce products to start defining
your implementation strategy.
• Plan your MFA implementation, including rollout, change management, and support strategies, so that you’re ready to hit the
ground running.

Roll Out
• Prepare users for the MFA rollout by putting your change management strategy into action.
• Implement MFA by kicking off your implementation and test plan, including establishing your MFA support processes and team.
• Launch MFA to users on your scheduled go-live date.

Manage
• Measure the effectiveness of your MFA rollout through user feedback and metrics.
• Support users with ongoing, day-to-day operations.
• Optimize your MFA implementation and your overall security posture.

Depending on the size of your organization, you may be working with a change management team or have a project manager assigned
to this rollout. Or, maybe you’re the one charged with organizing and executing the project from start to finish. However the work gets
divided up, use this guide to help you along the way.

Meet the Multi-Factor Authentication Assistant


Looking for help rolling out multi-factor authentication (MFA) to your Salesforce users? Meet the Multi-Factor Authentication Assistant,
your central hub for all the recommended activities, tools, and resources for a successful project.
The Multi-Factor Authentication Assistant is available from Setup in Lightning Experience.

EDITIONS
Available in: Lightning Experience only
Available in: Essentials, Group, Professional, Enterprise, Performance, Unlimited, and Developer Editions

USER PERMISSIONS
To use the Multi-Factor Authentication Assistant:
• View Setup and Configuration AND Customize Application

The Multi-Factor Authentication Assistant guides you through each phase and stage on the path to MFA.
• Get Ready phase: Kick off your multi-factor authentication (MFA) project with a discovery and planning period.
• Roll Out phase: Prepare your users for MFA with change management activities, work through your implementation and test plans,
then go live.
• Manage phase: Measure the effectiveness of your MFA rollout, support users with ongoing, day-to-day operations, and optimize
your MFA implementation and overall security posture.
In each phase, you get support with step-by-step instructions and resources. Activities are grouped into a series of stages that keep you
organized and help you track your progress. To see the recommended activities in a stage, click the icon.


The Assistant helps you keep track of the work you’ve finished and where you’ve left off by allowing you to check off steps that you’ve
completed (1). The Assistant shows when you’ve completed all steps in a stage (2).


The Multi-Factor Authentication Assistant is designed to move you quickly and efficiently through the process. But you can tackle activities
in whatever order makes sense for your org. And you can skip any steps that aren’t relevant or don’t add value to your project. If you
take an iterative approach to rolling out MFA, you can repeat activities until you’ve enabled all users.

SEE ALSO:
A Framework for Rolling Out and Supporting MFA

Get Customizable Templates With the MFA Rollout Pack


To help jump-start your multi-factor authentication (MFA) project, we provide a Rollout Pack that’s brimming with change management
guidance and customizable templates. Use the pack to plan your MFA implementation and prepare your users.


What’s included:
• Presentation deck, to help make the case for MFA and get alignment with your stakeholders and leadership.

• User inventory template and guidance, for auditing the permissions assigned to your users and identifying the users who should
get MFA first.

• Guide to developing a change management strategy plus supporting templates.

• Sample email drip campaign, for raising awareness about the coming launch and promoting the value of MFA.

• User training deck, for training your users on what MFA is, how it works, and how to register and log in with supported verification
methods.

• Onboarding guides that show users the steps for registering and logging in with each of the MFA verification methods that are
supported by Salesforce products.

The pack also includes resources for planning your rollout, including a checklist to keep you on track, a project schedule template, and
a simple test plan template.
The MFA Rollout Pack is a zip file that you can download here.

Get Ready Phase: Evaluate and Plan Your Multi-Factor Authentication Rollout

Kick off your multi-factor authentication (MFA) project with a discovery and planning period. Learn why we require MFA for enhanced
login security, what your options are for verification methods, and how your company benefits from using MFA. Evaluate your business
and user requirements and your implementation options, and make the case to your key stakeholders. Plan your MFA project, including
rollout, change management, and support strategies, so you have a clear path to a successful launch.

Learn About Multi-Factor Authentication


Multi-factor authentication (MFA) enhances the security of your login process by requiring users to enter two or more pieces of
evidence—or factors—to prove that they’re who they say they are. One factor is something the user knows, such as their username
and password combination. Other factors are verification methods that the user has, such as an authenticator app, a physical security
key, or a built-in authenticator. By tying user access to multiple, different types of factors, it’s harder for a bad actor to gain entry to
your Salesforce environment. Even if a user’s password is compromised, the odds are low that an attacker can guess or impersonate
a factor that a user physically possesses.
Evaluate Options and Requirements for Multi-Factor Authentication
The steps for enabling multi-factor authentication (MFA) are simple and straightforward. Before diving in, though, take some time
to understand your existing authentication systems and to identify your requirements for an MFA solution. By starting with an
evaluation period, you can collect the data needed to align with your leadership and develop a project plan.
Plan Your Multi-Factor Authentication Rollout
After completing an evaluation period to understand your options and requirements for multi-factor authentication (MFA), you’re
ready to develop your project plan.


Learn About Multi-Factor Authentication


Multi-factor authentication (MFA) enhances the security of your login process by requiring users to enter two or more pieces of
evidence—or factors—to prove that they’re who they say they are. One factor is something the user knows, such as their username and
password combination. Other factors are verification methods that the user has, such as an authenticator app, a physical security key,
or a built-in authenticator. By tying user access to multiple, different types of factors, it’s harder for a bad actor to gain entry to your
Salesforce environment. Even if a user’s password is compromised, the odds are low that an attacker can guess or impersonate a factor
that a user physically possesses.

How MFA Works


MFA adds an extra authentication step to your Salesforce login process. The user enters their username and password, as usual. Then
the user is prompted to provide a strong verification method. Check out this video to see how MFA works.


To see the types of methods that are supported for your Salesforce product, see Verification Methods for Multi-Factor Authentication.
You can deploy as many types of methods as needed to meet your business and users’ requirements.
Each user must spend a few minutes registering at least one verification method so it’s connected to their Salesforce account. Users can
register methods at any time. If a user doesn’t have a method ready by the time MFA is enabled, they’re automatically prompted to
register one the next time they log in. On-screen prompts guide users through the process.

Tip: Encourage users to register multiple verification methods to avoid the risk of getting locked out of Salesforce. If a user forgets
or loses one method, they have other options to fall back on.

SEE ALSO:
Products That Support Multi-Factor Authentication
It’s Time for Multi-Factor Authentication
Multi-Factor Authentication Quick Guide for Admins
Multi-Factor Authentication FAQ
Trailblazer Community Group: MFA - Getting Started

Products That Support Multi-Factor Authentication


These Salesforce products include multi-factor authentication (MFA) support.
• All products built on the Salesforce Platform, including:
– Sales Cloud
– Service Cloud
– Analytics Cloud
– B2B Commerce Cloud
– Experience Cloud
– Industries products (Consumer Goods Cloud, Education Cloud, Financial Services Cloud, Government Cloud, Health Cloud,
Manufacturing Cloud, Nonprofit Cloud, Philanthropy Cloud)
– Marketing Cloud–Audience Studio (formerly DMP)
– Marketing Cloud–Account Engagement
– Platform


– Salesforce Essentials
– Salesforce Field Service
– Partner solutions

• B2C Commerce Cloud


• Heroku
• Marketing Cloud Engagement (powered by Email, Messaging, and Journeys)
• Marketing Cloud Intelligence (powered by Datorama)
• Marketing Cloud Social
• MuleSoft Anypoint Platform
• Quip products
• Tableau Cloud

Verification Methods for Multi-Factor Authentication


When multi-factor authentication (MFA) is enabled for your Salesforce products, the login process requires users to provide a verification
method in addition to their username and password. The MFA service provided by Salesforce allows the use of strong verification methods
only — that is, methods that provide high assurance that the user is who they say they are. Salesforce products support several types
of strong verification methods, including the Salesforce Authenticator mobile app and third-party authenticator apps. Some products
also support the use of physical security keys and built-in authenticators. For your MFA implementation, choose the option or options
that work best for your business and user needs.

Important: To satisfy the contractual MFA requirement that went into effect on February 1, 2022, users can log in with any of
the strong verification methods supported by your Salesforce products.
Salesforce MFA doesn’t allow the use of security questions or one-time passcodes delivered via email, SMS text messages, or phone
calls. This restriction is due to the inherent vulnerabilities with these methods. Email credentials can be compromised and mobile
phone numbers can be intercepted via SIM swapping attacks or hacked mobile device accounts.
If you have users who access Salesforce products with single sign-on (SSO), your SSO provider’s MFA services may support methods
that aren’t discussed here. See the MFA FAQ for guidance on verification methods that satisfy the MFA requirement.

Let’s look at the benefits and considerations for each type of verification method supported by Salesforce products.

Salesforce Authenticator
A smart and simple mobile app that users can easily connect to their Salesforce accounts.
Form Factor: Mobile app for iOS and Android
User Experience:
• Delivers push notifications to users’ phones for fast access.
• See real-time details to confirm request validity.
• Deny fraudulent requests with a tap.
• Automates authentication from trusted locations.
• Generates TOTP codes if connectivity isn’t available.
Considerations:
• Requires a mobile device.
Cost: Free

Third-Party Authenticator Apps*
Apps generate unique, temporary verification codes based on the OATH TOTP algorithm (specified in RFC 6238).
Form Factor: Apps available for multiple operating systems
User Experience:
• A wide variety of apps to choose from.
• Connectivity isn’t required.
Considerations:
• Requires a mobile device.
• Typing errors possible when manually entering codes.
• Invalid codes possible if mobile device clock gets out of sync with Salesforce.
Cost: Free and paid options

Security Keys*
Physical devices that use public-key cryptography.
Form Factor: USB, Lightning, and NFC devices that support the WebAuthn and U2F standards
User Experience:
• Fast and easy to use.
• Recognizes and denies fraudulent requests.
• Connectivity isn’t required.
• No batteries needed.
Considerations:
• Requires browser support (limited for U2F).
• Users could leave key unattended or plugged in all the time.
• Operational overhead for purchasing, stocking, and distributing devices to users.
Cost: Starts around $20

Built-In Authenticators*
Verify identity with fingerprint, iris, or facial recognition scan, or a PIN or password.
Form Factor: Available via a device’s built-in authenticator service (Windows Hello™, Touch ID®, Face ID®, and so forth)
User Experience:
• Fast and easy to use.
• No apps required.
• Strong public-key cryptography that’s unique to the user’s account.
Considerations:
• Device, operating system, and browser must support FIDO2 WebAuthn standard.
• Built-in authenticator service must be enabled and set up.
• Tied to a single device.
• Supported scanner required for biometric identification.
Cost: Starts around $25 for biometric peripherals, if needed

* Notes:
• Security keys that use the NFC form factor aren’t supported in products built on the Salesforce Platform.
• WebAuthn-compatible security keys aren’t supported in non-Chromium versions of the Edge browser.
• If you use a U2F security key with products built on the Salesforce Platform, see Update U2F Security Keys to Support WebAuthn
Authentication to ensure your key continues to work.
• Built-in authenticators are supported in all products built on the Salesforce Platform, Heroku, Marketing Cloud Intelligence, MuleSoft
Anypoint Platform, and Tableau Cloud.
• If you can’t use a mobile authenticator app, a TOTP desktop authenticator app or browser extension is another option.

Third-Party Authenticator Apps


Salesforce multi-factor authentication (MFA) supports the use of third-party authenticator apps that generate time-based one-time
password (TOTP) codes. There are many apps available, including free versions. Some popular options include: Google Authenticator™,
Microsoft Authenticator™, and Authy™.


Salesforce MFA Requirements for Third-Party Authenticator Apps


• Third-party authenticator apps must use the OATH time-based one-time password (TOTP) algorithm (RFC 6238).
• All Salesforce products support third-party TOTP authenticator apps.

Note: Considering a TOTP desktop app or browser extension? We recommend using mobile authenticator apps, physical security
keys, or built-in authenticators instead. Why? Because these types of verification methods exist separately from a user's laptop or
workstation. That way, if a bad actor manages to gain access to a user's computer, the user's second factor isn't also compromised.
However, if a desktop app or browser extension is the only option that works for your users, you can satisfy the MFA requirement
with these types of methods.

How Third-Party Authenticator Apps Work When Logging In


To log in using this type of verification method, the user gets a code from a TOTP authenticator app. Then they enter that code during
the Salesforce login process.

Tip: If users have already installed a TOTP app for personal or business use, they can set up the same app for Salesforce logins.

Behind the Scenes


TOTP authenticator apps generate temporary codes on the basis of a secret key (known only to the user and the service, such as Salesforce)
and the current time. A code is valid for 30 seconds and then a new one is generated.
TOTP authenticator apps can generate codes even if the user’s phone doesn’t have a data or internet connection.

SEE ALSO:
Register a Third-Party Authenticator App as an Identity Verification Method

Security Keys
Security keys are small physical devices that are easy to use for multi-factor authentication (MFA) because there’s nothing to install and
no codes to enter. This type of method is a great option if users don’t have a mobile device or if phones aren’t allowed where your users
work. Security keys require a supported browser to act as an intermediary between the key and your Salesforce product. Popular security
keys include the YubiKey™ from Yubico™ and the Titan™ Security Key from Google™.

Salesforce MFA Requirements for Security Keys

Salesforce products that support security keys: All products

Supported form factors: USB-A, USB-C, Lightning, NFC*

Supported security standards: FIDO2 WebAuthn and FIDO U2F

Supported browsers for WebAuthn keys: Chrome, Edge Chromium, Firefox, Safari

Supported browsers for U2F keys: Chrome (version 41 or later), Edge Chromium

How Security Keys Work When Logging In


Security keys make MFA logins fast. A user simply
• Connects a key to their computer.
• Presses the key’s button to verify their identity.

Behind the Scenes


The WebAuthn and U2F standards use strong public-key cryptography to protect users from man-in-the-middle attacks and malware.
To learn more about what’s happening behind the scenes with security keys, check out the WebAuthn Guide or the FIDO U2F site.

Considerations
* NFC devices aren’t supported in products built on the Salesforce Platform.

SEE ALSO:
Register a Security Key as an Identity Verification Method
Summer ’23 Release Notes: Update U2F Security Keys to Support WebAuthn Authentication

Built-In Authenticators
Multi-factor authentication (MFA) verification is easy with a built-in authenticator service such as Windows Hello™, Touch ID®, or Face
ID®. Users can quickly verify their identity with a fingerprint, iris, or facial recognition scan (or in some cases, with a PIN or password that
the user sets up in their device’s operating system). This type of verification method streamlines the MFA requirement because it relies
on built-in mechanisms rather than users needing a separate authenticator app or physical security key.

Tip: Built-in authenticators are a great option if using a mobile authenticator app isn’t viable. For example, consider this option
for users who don’t have a company-provided mobile device. And built-in authenticators can make sense for PCI-compliant
environments or situations where a user’s work device doesn’t have ports for a physical security key.

Salesforce MFA Requirements for Built-In Authenticators


Important: Built-in authenticators are currently supported in these products only: All products built on the Salesforce Platform,
Heroku, Marketing Cloud Intelligence, MuleSoft Anypoint Platform, and Tableau Cloud.
• A user’s device, operating system, and browser must support the FIDO2 WebAuthn standard.

• Built-in authenticators aren’t supported in non-Chromium versions of the Edge browser.

• To use biometric authentication, a device must include a fingerprint, iris, or facial recognition scanner supported by the built-in
authenticator service.

• Before registering this type of verifier for MFA, the user's built-in authenticator service must be enabled and set up to verify their
identity via a biometric, PIN, or password.

• Built-in authenticators can't be used when logging in to the Salesforce mobile app.

• Built-in authenticators aren't available for Experience Cloud sites.

• Users accessing Salesforce through an API can't verify their identity with a built-in authenticator.

Note: This type of verification method is tied to a user’s specific device. If a user logs in from multiple computers (for example, a
desktop workstation and a laptop), they must register a built-in authenticator on each system. If built-in authenticators aren’t
supported on all of a user’s systems, it’s recommended that they also register an alternate verification method.
To learn more, see FIDO2: Web Authentication (WebAuthn) or the documentation for your users' built-in authenticators.


How Built-In Authenticators Work When Logging In


This type of method provides the easiest MFA login experience. After a user enters their Salesforce username and password, the built-in
authenticator prompts them for a biometric, PIN, or password identifier. Then they’re logged in.

Behind the Scenes


Registering a built-in authenticator creates a pair of private and public keys that are unique to the user’s account. The private key is stored
safely on the user’s desktop or mobile device and is secured by the user’s biometric data. The private key and the user’s biometric data
never leave the user’s device and are never shared with Salesforce. When a user logs in to their account, the browser calls the device’s
operating system to launch the user’s registered built-in authenticator. Depending on the user’s browser and operating system, the user
verifies their identity with an authenticator like Touch ID, Face ID, or Windows Hello.
WebAuthn-compliant built-in authenticators are resistant to phishing and man-in-the-middle attacks. A main reason is that a user’s
private key is bound to a domain associated with the user’s account. For example, let’s say a user is tricked into using a malicious site.
When the site prompts the built-in authenticator to approve the login request, the authenticator recognizes that the site’s domain isn’t
as expected and prevents the user from logging in.

SEE ALSO:
Register a Third-Party Authenticator App as an Identity Verification Method

Evaluate Options and Requirements for Multi-Factor Authentication


The steps for enabling multi-factor authentication (MFA) are simple and straightforward. Before diving in, though, take some time to
understand your existing authentication systems and to identify your requirements for an MFA solution. By starting with an evaluation
period, you can collect the data needed to align with your leadership and develop a project plan.

Review the Authentication Solutions Currently in Place for Salesforce


Before you start planning a multi-factor authentication (MFA) implementation, understand the authentication methods that you’re
currently using for your Salesforce products. Consider aligning or integrating MFA with other authentication solutions that you’re
already using, such as single sign-on (SSO).
Preview Multi-Factor Authentication
As part of your evaluation process, it’s useful to see how multi-factor authentication (MFA) works and what the user experience is.
Get a preview by turning on MFA for a few of your Salesforce champions and then collect their feedback. This input helps you
anticipate how the rest of your users feel about using MFA, and whether to head off resistance with marketing and education. Your
champions can also provide feedback on the types of training and onboarding support to help users be successful when you roll
out MFA more broadly. And another benefit is you learn exactly what it takes to implement MFA, which helps inform your rollout
and implementation plans.
Determine Business and User Requirements for MFA
To define the multi-factor authentication (MFA) implementation that works best for your company, determine your business
requirements. And understand what your users need for a positive, productive experience. These criteria make it clear which MFA
verification methods you must support in your implementation.
Conduct a User Inventory for Your MFA Implementation
Get a sense of the level of effort for your multi-factor authentication (MFA) project by doing an inventory of all Salesforce users.
Identify the types of users and roles that exist, such as business users, admins, contractors, partners, and non-human accounts. And
catalog the permissions that are assigned to each user.

13
How to Roll Out Multi-Factor Authentication Evaluate Options and Requirements for Multi-Factor
Authentication

Assess Org and User Readiness for MFA


Identify if there are any dependencies, prerequisites, or blockers that you must address before enabling multi-factor authentication
(MFA). Address these issues ahead of time, or plan to resolve them during the implementation stage of your MFA project.
Make the Case for MFA
When you’re finished evaluating options and requirements for your multi-factor authentication (MFA) implementation, share the
findings with your leadership and affected stakeholders. Make the case for MFA by addressing the risks of the current threat landscape.
And explain the benefits and ROI that your company and your customers get by adding another layer of protection for Salesforce
logins. You need this group’s support to green light an MFA project and allocate resources for the work.

Review the Authentication Solutions Currently in Place for Salesforce


Before you start planning a multi-factor authentication (MFA) implementation, understand the authentication methods that you’re
currently using for your Salesforce products. Consider aligning or integrating MFA with other authentication solutions that you’re already
using, such as single sign-on (SSO).
Use this chart to start assessing your configuration. If MFA is already enabled for all your users, you’re ready to go!


Tip: Want to see if your current or planned MFA implementation satisfies the MFA requirement that went into effect February 1,
2022? Check out the MFA Requirement Checker on the MFA for Salesforce customer site.
Keep in mind that MFA is sometimes confused with a feature called Identity Verification (or Device Activation). With this feature, users
are required to provide a verification method if they access Salesforce from an unrecognized browser or device. But MFA offers better
protection because it requires users to provide a strong verification method every time they log in.


SSO is a great option for improving your users’ login experience and it also reduces some of the risks associated with weak or reused
passwords. But on its own, SSO doesn’t provide the protection that you get with MFA. An SSO implementation that relies on user
credentials alone can leave user accounts vulnerable to common attacks such as phishing or credential stuffing. If you currently use SSO
for Salesforce logins, ensure that MFA is enabled for all your Salesforce users:
• For products built on the Salesforce Platform, use the MFA functionality provided in Salesforce or use your SSO provider’s MFA service.
• For all other Salesforce products, use your SSO provider’s MFA service.
The best all-around option for satisfying the MFA requirement is to combine MFA and SSO, so you can deliver the enhanced security of
MFA along with the convenience and ease-of-use of SSO.

SEE ALSO:
Use Salesforce MFA for SSO

Preview Multi-Factor Authentication


As part of your evaluation process, it’s useful to see how multi-factor authentication (MFA) works and what the user experience is. Get
a preview by turning on MFA for a few of your Salesforce champions and then collect their feedback. This input helps you anticipate
how the rest of your users feel about using MFA, and whether to head off resistance with marketing and education. Your champions
can also provide feedback on the types of training and onboarding support to help users be successful when you roll out MFA more
broadly. And another benefit is you learn exactly what it takes to implement MFA, which helps inform your rollout and implementation
plans.

Pick Your Salesforce Champions


Select one or more of your Salesforce users to participate in an early preview or pilot of MFA. Champions are your super-users—people
who are enthusiastic about Salesforce and regularly offer recommendations for making it better. If no one comes to mind, choose
someone who is vocal about improving your business processes or is the first to adopt new technologies.

Prepare Your Champions


Explain how the login process works when MFA is enabled, and provide guidance on how to register an MFA verification method. We
recommend using the Salesforce Authenticator mobile app because it’s free and easy to set up. But if you’re planning to support security
keys or other methods in your implementation, ask your champions to register them too.

Enable MFA for Your Champions


Follow the steps to enable MFA for specific users, for each of your Salesforce products.
• Products built on the Salesforce Platform (including Sales Cloud and Service Cloud)
• B2C Commerce Cloud
• Heroku
• Marketing Cloud Engagement (powered by Email, Messaging, and Journeys)
• Marketing Cloud Intelligence (powered by Datorama)
• Marketing Cloud Social
• MuleSoft Anypoint Platform
• Quip products
• Tableau Cloud


Get Feedback
Talk to your champions about their experience. Did they understand how to register a verification method for MFA? Are they comfortable
using their registered method when they log in? How do they feel about the change to the login process?

Use Insights in the Planning Stage


Incorporate lessons learned into your rollout and change management plans, including the types of training and onboarding resources
you plan to create. See Plan Your Multi-Factor Authentication Rollout for more information.

SEE ALSO:
Get Customizable Templates With the MFA Rollout Pack

Determine Business and User Requirements for MFA


To define the multi-factor authentication (MFA) implementation that works best for your company, determine your business requirements.
And understand what your users need for a positive, productive experience. These criteria make it clear which MFA verification methods
you must support in your implementation.
Here are some questions and potential requirements to consider.

Existing Authentication Solutions: Does your company use an existing MFA solution, like Okta or Duo, for other systems? If your Salesforce users are already using MFA to log in to other applications, see if you can integrate your Salesforce products with the same solution. Doing so can reduce your timeline and costs for implementing MFA. And it can minimize friction and change management needs because users are already trained for MFA logins.
Are your Salesforce products integrated with an SSO solution? If you use SSO for Salesforce logins, ensure that MFA is enabled for all your Salesforce users.
• For products built on the Salesforce Platform, use the MFA functionality provided in Salesforce or use your SSO provider’s MFA service.
• For all other Salesforce products, use your SSO provider’s MFA service.

Security Requirements: Work with your security and IT teams to understand how MFA aligns with your company’s security objectives and requirements. Understand if any enterprise mandates are in place, and what kinds of application testing or evaluation processes you must follow.

Legal and Regulatory Requirements: What are your company’s legal commitments to customers and other stakeholders around how your users authenticate to your systems?
Also consider local and other regulatory requirements and how they can impact your MFA implementation. For example, some regulatory requirements include restrictions on downloading applications to certain devices.

Compliance Requirements: What kinds of audit requirements does an MFA implementation affect or trigger? Are you beginning any new compliance regimes in the next 12 months that your MFA project can affect?


Device Requirements: Consider if your industry’s or company’s mobile device policies place any constraints on your MFA implementation. For example, does a mobile app-based solution work or must you provide your users with physical security keys?
If mobile apps are an option, does your company provide corporate devices? Or must you integrate MFA data usage and reimbursement guidelines into your Bring Your Own Device (BYOD) policy?

User Considerations: Understand how MFA can impact the various roles and teams at your company. For example:
• Do any of your users travel or work from locations with limited connectivity?
• Do you have any users, such as third-party call center agents or employees with accessibility requirements, who have special requirements or restrictions regarding verification methods?
• Which verification methods are the least intrusive to your users’ workflow?
We recommend supporting multiple verification methods in your implementation, so each person can choose the option that works best for them.

Budget Considerations: It’s useful to factor in the cost of doing an MFA implementation, as well as the budget needed for post-rollout operational and user support functions.
Salesforce products provide MFA at no extra cost, and the Salesforce Authenticator app is free. But if a mobile app option doesn’t work for some or all users, account for the expense to purchase and distribute security keys.

Use Requirements to Define Your MFA Implementation


When you’ve identified your requirements and understand your users’ needs, use these criteria to decide which verification methods to
include in your MFA implementation. We know that your users and use cases are diverse, so we support several different types of strong
verification methods.

Tip: You can standardize on one type of method that everyone uses, or you can support multiple options and let users choose.
Consider the tradeoffs when deciding the approach to take. When everyone uses the same method, it simplifies your onboarding
and day-to-day administration responsibilities. But letting users pick what works best for them eliminates the need for a
one-size-fits-all solution. And it’s easier to meet all of your requirements. Plus, users are less likely to get locked out of Salesforce
if they can set up multiple verification methods for themselves.

SEE ALSO:
Plan Your Multi-Factor Authentication Rollout
Verification Methods for Multi-Factor Authentication
Use Salesforce MFA for SSO

Conduct a User Inventory for Your MFA Implementation


Get a sense of the level of effort for your multi-factor authentication (MFA) project by doing an inventory of all Salesforce users. Identify
the types of users and roles that exist, such as business users, admins, contractors, partners, and non-human accounts. And catalog the
permissions that are assigned to each user.
This exercise delivers several benefits. You can:


• Identify all of your privileged users, including Salesforce admins and users who have a high level of access to the application or
sensitive data. These users are your top priority when rolling out MFA because their accounts pose the highest risk should they be
compromised.
• Decide on logical groups of users if you’re planning to roll out MFA in phases.
• Evaluate how well you’re applying the principle of “least privilege” to your user accounts. As a security best practice, limit users to
the minimum set of permissions needed to do their jobs. This way, if an attacker gains access to an account, there’s less risk to your
environment. A user inventory shows where you can dial back permissions to reduce the number of privileged users. We recommend
doing this exercise on a quarterly basis. If it’s been a while, your MFA project is a great reason to schedule a review now.

Tip: Get a user inventory template from the downloadable MFA Rollout Pack.

SEE ALSO:
Identify Your Privileged Users for Products Built on the Salesforce Platform
Plan Your Multi-Factor Authentication Rollout

Identify Your Privileged Users for Products Built on the Salesforce Platform
As you evaluate your org for multi-factor authentication (MFA), it’s useful to inventory your Salesforce users. This step helps you identify
who your privileged users are. It gives you the data for planning a phased rollout, and provides insight into the level of effort for your
project. Salesforce admins and other privileged users are your top priority when rolling out MFA. There are several tools you can use to
inventory your user base.

Available only in: Products built on the Salesforce Platform, including Sales Cloud, Service Cloud, Analytics Cloud, B2B Commerce Cloud,
Marketing Cloud—Audience Studio, Marketing Cloud—Account Engagement, Experience Cloud, Platform, Industries products
(Consumer Goods Cloud, Financial Services Cloud, Government Cloud, Health Cloud, Manufacturing Cloud, Philanthropy Cloud), and
Salesforce Essentials

Available in: Essentials, Group, Professional, Enterprise, Performance, Unlimited, Developer, and Contact Manager Editions

Tip: To understand the benefits of this exercise, see Conduct a User Inventory for Your MFA Implementation.
Get a user inventory template from the downloadable MFA Rollout Pack.

A privileged user is:
• a Salesforce admin (defined as a user with both the Customize Application and Modify All Data user permissions)
• a user with any of these user permissions:
– Customize Application
– Manage Users
– Modify All Data
– View All

There are a few tools you can use to identify admins and other privileged users in your org.
• Salesforce Optimizer
• Profile and Permission Set Helper from Salesforce AppExchange
• Query profile and permission set objects


Find Salesforce Admins with Salesforce Optimizer


The Optimizer app is the easiest way to identify all admins in your org. From Setup in Lightning Experience, type Optimizer in the
Quick Find box, then select Optimizer. In the Salesforce Optimizer App section, click Open Optimizer. Click Run Optimizer. It can take
a while for Optimizer to generate results. In the Feature column, click Admin Permissions. Review the list of users who currently have
admin permissions.

Find All Privileged Users with Profile and Permission Set Helper
Use the Profile and Permission Set Helper tool from AppExchange to identify all of the privileged users in your org. The tool searches
your org’s profiles and permission sets for a specific user permission, then displays all users who have the permission.
Download and install the Profile and Permission Set Helper package from AppExchange. Select Permission Set Helper from App
Launcher. Click the Permissions Analyzer tab. Make these settings in the sidebar:

Analyze by field: Select Permission
Permission type field: Select User
Permission field: Select one of the privileged permissions:
• Customize Application
• Manage Users
• Modify All Data
• View All

The app displays all users who have been assigned the selected permission, either through a permission set or their profile.
Repeat these steps to search for each of the privileged user permissions.

Query Your Org’s Data


You can inventory user permissions that are assigned in permission sets and profiles directly through the API and SOQL. This approach
offers the most flexibility for data exporting and analysis.
To run a query for all users who are assigned any of the four privileged permissions via profiles (the WHERE clause checks all four,
including View All Data, so the result matches the selected columns):
SELECT Id, Username, Profile.Name, Profile.PermissionsCustomizeApplication,
Profile.PermissionsModifyAllData, Profile.PermissionsManageUsers,
Profile.PermissionsViewAllData
FROM User
WHERE IsActive = true AND (Profile.PermissionsModifyAllData = true
OR Profile.PermissionsCustomizeApplication = true
OR Profile.PermissionsManageUsers = true
OR Profile.PermissionsViewAllData = true)

To run a query for all users who are assigned any of the four privileged permissions via permission sets (profile-owned permission
sets are excluded so users aren’t double counted, and View All Data is included in the filter):
SELECT Assignee.Id, Assignee.Username, Assignee.Profile.Name, PermissionSet.Label,
PermissionSet.PermissionsCustomizeApplication,
PermissionSet.PermissionsModifyAllData, PermissionSet.PermissionsManageUsers,
PermissionSet.PermissionsViewAllData
FROM PermissionSetAssignment
WHERE Assignee.IsActive = true AND PermissionSet.IsOwnedByProfile = false AND
(PermissionSet.PermissionsModifyAllData = true
OR PermissionSet.PermissionsCustomizeApplication = true
OR PermissionSet.PermissionsManageUsers = true
OR PermissionSet.PermissionsViewAllData = true)
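Added example, not Salesforce’s own code: a Python script that merges the record sets returned by the two queries above into one privileged-user inventory, applies the admin definition given earlier (Customize Application plus Modify All Data, from whichever source each comes), and orders the first rollout group. The usernames, profile names and permission set labels are constructed sample data, and the records are assumed to be in the nested shape the REST API query endpoint returns for these SOQL statements.

```python
# Field API names from the queries above, mapped to the user permission labels.
PRIVILEGED_FIELDS = {
    "PermissionsCustomizeApplication": "Customize Application",
    "PermissionsManageUsers": "Manage Users",
    "PermissionsModifyAllData": "Modify All Data",
    "PermissionsViewAllData": "View All Data",
}
# Admin definition from the text: both of these user permissions.
ADMIN_PERMISSIONS = {"Customize Application", "Modify All Data"}

# Constructed sample records in the shape of the profile query's "records" array.
SAMPLE_PROFILE_RECORDS = [
    {"Username": "alice@example.com",
     "Profile": {"Name": "System Administrator", "PermissionsCustomizeApplication": True,
                 "PermissionsModifyAllData": True, "PermissionsManageUsers": True,
                 "PermissionsViewAllData": True}},
    {"Username": "carol@example.com",
     "Profile": {"Name": "Support Manager", "PermissionsCustomizeApplication": False,
                 "PermissionsModifyAllData": False, "PermissionsManageUsers": False,
                 "PermissionsViewAllData": True}},
]
# Constructed sample records in the shape of the permission set assignment query.
SAMPLE_PSA_RECORDS = [
    {"Assignee": {"Username": "bob@example.com", "Profile": {"Name": "Standard User"}},
     "PermissionSet": {"Label": "User Administration", "PermissionsCustomizeApplication": False,
                       "PermissionsModifyAllData": False, "PermissionsManageUsers": True,
                       "PermissionsViewAllData": False}},
    {"Assignee": {"Username": "carol@example.com", "Profile": {"Name": "Support Manager"}},
     "PermissionSet": {"Label": "Data Loader Access", "PermissionsCustomizeApplication": True,
                       "PermissionsModifyAllData": True, "PermissionsManageUsers": False,
                       "PermissionsViewAllData": False}},
]


def _record_grants(inventory, username, profile_name, grants, source):
    """Record every privileged permission that `grants` sets to true, tagged with its source."""
    entry = inventory.setdefault(username, {"profile": profile_name, "permissions": {}})
    for field, label in PRIVILEGED_FIELDS.items():
        if grants.get(field):
            entry["permissions"].setdefault(label, set()).add(source)


def build_inventory(profile_records, psa_records):
    """Merge both query results: username -> profile, permissions (with sources), is_admin.

    Merging matters because a user can hold Customize Application through a permission
    set and Modify All Data through the profile; either query alone would miss that admin.
    """
    inventory = {}
    for rec in profile_records:
        profile = rec["Profile"]
        _record_grants(inventory, rec["Username"], profile["Name"], profile,
                       "profile:" + profile["Name"])
    for rec in psa_records:
        assignee, pset = rec["Assignee"], rec["PermissionSet"]
        _record_grants(inventory, assignee["Username"], assignee["Profile"]["Name"], pset,
                       "permission set:" + pset["Label"])
    for entry in inventory.values():
        entry["is_admin"] = ADMIN_PERMISSIONS.issubset(entry["permissions"])
    return inventory


def first_rollout_group(inventory):
    """Order for the first MFA wave: admins first, then the other privileged users."""
    return sorted(inventory, key=lambda user: (not inventory[user]["is_admin"], user))


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_PROFILE_RECORDS, SAMPLE_PSA_RECORDS)
    for user in first_rollout_group(inv):
        role = "ADMIN" if inv[user]["is_admin"] else "privileged"
        print(user, role, inv[user]["profile"])
        for label, sources in sorted(inv[user]["permissions"].items()):
            print("   ", label, "<-", ", ".join(sorted(sources)))
```

The per-permission sources double as the least-privilege review the text recommends: a permission granted only through a permission set is a candidate for removal without touching the profile.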

Assess Org and User Readiness for MFA


Identify if there are any dependencies, prerequisites, or blockers that you must address before enabling multi-factor authentication
(MFA). Address these issues ahead of time, or plan to resolve them during the implementation stage of your MFA project.

Important: Make sure to resolve any shared accounts or credentials that are in use before enabling MFA. While Salesforce policy
prohibits sharing user credentials, it does happen. But this practice is incompatible with MFA because each user must connect a
unique verification method to their Salesforce account before they can log in. If multiple users are sharing a single account, only
one person will be able to log in to that account after MFA is enabled.
If you need help with setting up unique accounts for each person who accesses Salesforce, contact your Account Executive or
Sales team. Or refer to Salesforce Checkout and Self Service to Manage your Account.

Make the Case for MFA


When you’re finished evaluating options and requirements for your multi-factor authentication (MFA) implementation, share the findings
with your leadership and affected stakeholders. Make the case for MFA by addressing the risks of the current threat landscape. And
explain the benefits and ROI that your company and your customers get by adding another layer of protection for Salesforce logins. You
need this group’s support to green light an MFA project and allocate resources for the work.
To make the case and get approval for rolling out MFA to your users:
• Describe the risks and potential impacts to your business by not using MFA. Show data about the risks and consequences of common
security threats, especially for your market or industry.
• Explain the benefits and ROI that your company can realize from the added security of MFA.
• Discuss your recommendations for an MFA implementation.
• Frame the issues in terms that resonate with your audience and speak to their priorities.

Tip: Salesforce commissioned Forrester Consulting to conduct the Total Economic Impact™ of Multi-Factor Authentication from
Salesforce study to help customers understand the benefits of adopting MFA. Use this study to educate your leadership and
stakeholders on how MFA can add value to your business’ bottom line. Want a teaser? An organization can achieve up to 164%
return on their MFA investment over 3 years, with a payback in less than 6 months!

When covering the benefits of MFA, consider these points:


Data Protection: MFA helps protect your highly valuable Salesforce data by making it more difficult for attackers to compromise user credentials.

Customer Security: As a steward for your customers’ data, employing strong security controls like MFA helps reduce the risk of downstream impact to their businesses. You can provide assurances to customers about your security posture.

Security Best Practice: With MFA, you’re aligning to a common industry trend that is globally recognized as a best practice for minimizing security risk.

Corporate Responsibility: As your business evolves, you have a responsibility to your customers, shareholders, and employees to protect your products, information, and business.

Business Value: Translate IT benefits like “improved security” into business value by showing how MFA can improve customer confidence, protect your company’s reputation, avoid site or application downtime, and ward off costs and liability associated with a data breach.

It’s also valuable if you can demonstrate how MFA can help achieve other business priorities or goals. For example:

Legal Requirements: Do you have authentication, user security, or data loss requirements that govern your business, your commitments to customers who inherit your security, or your commitments to shareholders? MFA can be an effective way to meet them.

Compliance Requirements: Your organization probably operates under some kind of audit structures, many of which include authentication requirements. You probably also have security policies that you must follow, which could be met through MFA.

Future and Evolving Requirements: Consider your business objectives in the next 12 months. Are you planning on expanding business to new customer segments or markets that require increased security? Is there a change planned that would benefit from MFA?
Also consider your security goals. Does an MFA implementation help you meet any current or emerging enterprise security mandates? MFA is likely a strong mitigation option for emerging risks, or a solution for planned security goals.

Tip: For help with making the case, check out the customizable MFA presentation deck that’s included in the downloadable MFA
Rollout Pack.

SEE ALSO:
Determine Business and User Requirements for MFA
Plan Your Multi-Factor Authentication Rollout

Plan Your Multi-Factor Authentication Rollout


After completing an evaluation period to understand your options and requirements for multi-factor authentication (MFA), you’re ready
to develop your project plan.
To ensure a successful rollout, we recommend addressing these subjects.


• The roles and responsibilities of your project team.
• A strategy for how and when to roll out MFA to users.
• Change management tactics to employ throughout the project.
• How to support users after MFA is enabled.
• The requirements, acceptance criteria, and schedule for setting up and testing your implementation.

Tip: For help with planning your MFA rollout, check out the customizable templates and guidance in the downloadable MFA
Rollout Pack.

Form Your MFA Project Team


It takes a team to roll out any Salesforce project. For your multi-factor authentication (MFA) initiative, get that team going now. Involve
people throughout your organization, including your Security and IT teams, business stakeholders—maybe even your corporate
communications department.
Form a project team led by an executive sponsor who champions your Salesforce implementation and understands the importance of
securing account access. Be sure to include leaders from all affected departments at your company. This step is critical because you need
executive support to help define the project goal and, ultimately, approve and support the project.
Figure out the role that your Security and IT teams have in the project. For example, do you require approval and sign off on your
implementation work? Or maybe someone from these teams can be actively involved in the planning and implementation stages.

Tip: Involve the right stakeholders early and often to make sure that you’re covering all the bases.

To help with defining and implementing your strategy and project plan, consider these team members:
• Key business users to act as champions and provide the “voice of your customer”
• Salesforce administrators
• Security and IT partners
• Change management leads
• Reporting leads
• Product, engineering, and technical writing leads

Define an MFA Rollout Strategy


Decide how to structure and execute your multi-factor authentication (MFA) rollout. Develop a strategy that works for your company's
size, business goals, and the Salesforce products that you use.

Note: The guidance in this topic doesn’t apply to single sign-on (SSO) logins, API logins, or to setting up an MFA requirement for
customers who access your Salesforce Experience Cloud sites or ecommerce sites.

Strategies for Rolling Out MFA to Users


There are two ways you can approach the rollout. Turn on MFA for all your users at the same time. Or turn it on for groups of users over
several days, weeks, or months.
• If you have only a few Salesforce users, it’s probably most efficient to roll out MFA to everyone on the same day.
• We recommend taking a phased approach when your user base is large enough that enabling everyone at the same time isn’t
practical. Or if preparing all users for a single launch date delays when you can start enabling MFA.
If you haven’t already previewed MFA with some of your Salesforce champions, consider starting your rollout with a small pilot. This
way, you can test the rollout process and user experience. Collect feedback on what worked, what needs tweaking, and where you have


gaps in resources or support so your official launch goes smoothly. You can focus your pilot on admin users, or go for a cross-section of
users across teams to verify that things work well for all audiences.

Know Who Your Users Are


Before starting your rollout strategy — especially if you’re going with a phased approach — do an inventory of your existing users,
including their current permissions and roles. Use this exercise to identify your admins and other privileged users, and to get other
insights to help you define logical rollout groups. For tips, see Conduct a User Inventory for Your MFA Implementation.

Decide Who Gets MFA First


For a phased rollout, calculate how many groups you want. Then figure out who to include in each group. Keep in mind that, as of
February 1, 2022, all users who log in to the user interface, including admins, business users, contractors, partners, and external vendors,
must use MFA.
• Your highest priority is adding an MFA requirement for all of your privileged users. There’s higher risk when an attacker gets access
to these types of accounts. Start by rolling out MFA to all Salesforce admins, and to any user who can access sensitive data or change
how your product operates. These types of users are Salesforce experts, so you can onboard them more quickly than others.
• Next, enable MFA for users who have critical roles or functions. Anyone who can impact your business by losing Salesforce access
is a great candidate for an early group.
• Consider how and when to enable contractors, partners, and other external users who must access your Salesforce products.
• Finish up by rolling out MFA to your remaining users. Look for logical groupings, such as all users on a specific team, or everyone in
a business unit or geographic location.
And here are some additional considerations:
• If you have a single sign-on (SSO) implementation, add an MFA requirement to the direct login backup accounts that admins use if
SSO is unavailable.
• If you work with third-party call centers, creative agencies, or consulting firms that need access to your Salesforce environment, plan
for applying an MFA requirement to external users.

SEE ALSO:
Determine Business and User Requirements for MFA
Assess Org and User Readiness for MFA
Conduct a User Inventory for Your MFA Implementation
Preview Multi-Factor Authentication

Determine Your MFA Change Management Strategy


Busy users aren’t always receptive to change. A change management strategy is instrumental in helping users understand the value of
multi-factor authentication (MFA), and preparing them for MFA logins. You need a plan to promote awareness and onboard users ahead
of time. Laying this groundwork during the planning stage gives you a roadmap that you can follow when it’s time to kick off change
management activities.

Tip: For help with developing a change management plan, check out the downloadable MFA Rollout Pack. It provides a detailed
change management guide, plus a variety of change management templates to help with communication, marketing, training,
and onboarding.


Change Impact Assessment


Start by conducting a change impact assessment. You can use this step to understand what your users think about MFA. You can also
get insights into how people feel about an extra authentication step each time they log in to Salesforce.
Use the results from this assessment to calculate the chance of user resistance when you roll out MFA. Users can see the extra authentication
step as an inconvenience rather than appreciating the benefits of enhanced account security. Knowing your users’ state of mind on the
subject tells you how much marketing and education are necessary to get everyone invested in MFA.

Change Management Strategy


Turn your findings into a change management strategy that focuses on getting buy-in from your Salesforce users, and makes the
integration of MFA into daily life quick and painless. A solid strategy includes these elements.

Communications and Campaigns: Promote awareness and help users feel safe and protected rather than inconvenienced.

Training and Onboarding Resources: Make it clear to users what they must do, when they must do it, and how they can get help if they get stuck.

Launch Day Support: Prepare your support team to assist users with launch day issues and troubleshooting.

Success Metrics: Define how to measure the success of your MFA project. Work with your leadership and stakeholders to determine the metrics for gauging how well user adoption is going.

SEE ALSO:
Prepare Your Users for Multi-Factor Authentication

Establish an MFA Support Plan


Your multi-factor authentication (MFA) project doesn’t end on your launch day. You need a support plan that addresses post-launch
tasks, including managing MFA operations and helping users solve authentication or verification method problems. It’s also important
to establish who owns these responsibilities.
Here are some recommendations and considerations for your MFA support plan.

Support Team: Figure out who owns day-to-day operations, such as your help desk or a third-party service provider. Identify the right contacts on the support team and invite them to provide input into your project plan.

Policies and Processes: Define and document how your support team handles common issues, such as:
• Solving login problems, including failed authentication attempts and account lockouts.
• Helping users recover access if they forget or lose their verification method, get a new method, or a registered method stops working.
• Enabling MFA for new users.
Update your user onboarding procedures so new hires have MFA enabled on their first day. Ensure that MFA registration assistance is included in your new employee onboarding processes.


Training: Decide how to impart MFA knowledge to your Support team. Consider holding a training session. Prioritize creating the
documentation that’s necessary for Support agents to troubleshoot and resolve user problems.

Operational Budget: Establish a budget for managing your MFA implementation. Plan for the possibility of a higher volume of Support
cases in the first few weeks after launching MFA. If you’re using security keys, account for the cost of maintaining a supply of these
devices, and distributing replacement keys to users.

Access Recovery Process


It’s likely that some users, at some point, will need to recover their verification method. A clearly documented recovery process — for
admins and end users — is an important part of your MFA support plan. Establish a process that reduces the risks associated with a lost
method, and quickly restores a user’s Salesforce access.

Tip: Make your recovery process easy and blame-free so users feel safe to immediately report a lost device or verification method.

Consider building these steps into your recovery process:


• End the user’s current session.
• Disconnect the lost verification method.
• Re-establish login access.
• Audit the user’s account activity to watch for any unusual activity.
• If the user’s verification method was lost or stolen, guide them through the process to get a replacement.

Have an Access Recovery Plan for Salesforce Admins Too!


Make sure your access recovery plan accounts for the possibility of Salesforce admins getting locked out or losing access to their verification
method. If you're the only admin for your Salesforce environment, you need a special recovery plan just for you! Consider these best
practices:
• Each admin registers at least two verification methods.

• Keep a backup security key in a secure place at work.

• In addition to yourself, ensure there's at least one other trusted user who has permission to manage users and MFA settings (including
the Manage Multi-Factor Authentication in User Interface user permission). This way, if you get locked out, the other user can restore
your access.
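As an added example that is not part of the Salesforce guide, this Python readiness check applies the Success Metrics guidance and the admin recovery practices above to a user inventory: it reports the share of users with a registered verification method, lists admins with fewer than two methods, and confirms that at least two users hold the Manage Multi-Factor Authentication in User Interface permission. The CSV layout and the sample rows are constructed for this example; the column names are an assumption, not a Salesforce export format.

```python
"""MFA rollout readiness check (added example; the inventory format is assumed).

Thresholds follow the rollout guide:
  * every user registers at least one verification method before launch
  * every admin registers at least two methods
  * at least two users hold the "Manage Multi-Factor Authentication in
    User Interface" permission, so a locked-out admin can be restored by another
"""
import csv
import io
from dataclasses import dataclass, field
from typing import List

MANAGE_MFA_PERM = "Manage Multi-Factor Authentication in User Interface"

# Constructed sample export. Columns are an assumption for this example, not a
# Salesforce schema: methods and permissions are semicolon-separated lists.
SAMPLE_INVENTORY = """username,is_admin,methods,permissions
alice@example.com,true,Salesforce Authenticator;Security Key,Manage Multi-Factor Authentication in User Interface
bob@example.com,true,Security Key,Manage Multi-Factor Authentication in User Interface
carol@example.com,false,Salesforce Authenticator,
dave@example.com,false,,
erin@example.com,false,Built-in Authenticator;Salesforce Authenticator,
"""


@dataclass
class ReadinessReport:
    total_users: int = 0
    users_ready: int = 0  # users with at least one registered method
    unregistered: List[str] = field(default_factory=list)
    admins_single_method: List[str] = field(default_factory=list)
    manage_mfa_holders: List[str] = field(default_factory=list)

    @property
    def adoption_pct(self) -> float:
        """Adoption metric: share of users with a registered method."""
        if self.total_users == 0:
            return 0.0
        return round(100.0 * self.users_ready / self.total_users, 1)

    @property
    def admin_recovery_ok(self) -> bool:
        """Admin lockout is recoverable only if two people can manage MFA
        and no admin depends on a single verification method."""
        return len(self.manage_mfa_holders) >= 2 and not self.admins_single_method

    def launch_ready(self) -> bool:
        """Everyone registered and the admin recovery plan holds."""
        return not self.unregistered and self.admin_recovery_ok


def _split_list(value: str) -> List[str]:
    """Parse a semicolon-separated cell, ignoring blanks."""
    return [item.strip() for item in value.split(";") if item.strip()]


def assess_readiness(csv_text: str) -> ReadinessReport:
    report = ReadinessReport()
    for row in csv.DictReader(io.StringIO(csv_text)):
        report.total_users += 1
        user = row["username"].strip()
        methods = _split_list(row["methods"])
        perms = _split_list(row["permissions"])
        is_admin = row["is_admin"].strip().lower() == "true"

        if methods:
            report.users_ready += 1
        else:
            report.unregistered.append(user)
        # Guide: each admin registers at least two methods.
        if is_admin and len(methods) < 2:
            report.admins_single_method.append(user)
        if MANAGE_MFA_PERM in perms:
            report.manage_mfa_holders.append(user)
    return report


def format_report(report: ReadinessReport) -> str:
    lines = [
        f"Adoption: {report.users_ready}/{report.total_users} users "
        f"({report.adoption_pct}%) have a registered verification method",
        f"Users still unregistered: {', '.join(report.unregistered) or 'none'}",
        "Admins with fewer than two methods: "
        f"{', '.join(report.admins_single_method) or 'none'}",
        f"Users who can manage MFA: {len(report.manage_mfa_holders)} "
        "(need at least 2)",
        f"Admin recovery plan OK: {report.admin_recovery_ok}",
        f"Ready to enable MFA: {report.launch_ready()}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(assess_readiness(SAMPLE_INVENTORY)))
```

Run it against the sample and one admin (bob) and one unregistered user (dave) are flagged, so the inventory is not yet launch ready; re-run after each registration drive to track the adoption metric.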

SEE ALSO:
Get Ready to Support Your MFA Implementation
Support Your MFA Implementation
Recover Access for MFA-Enabled Users for Products Built on the Salesforce Platform
Delegate Multi-Factor Authentication Management Tasks


Define Your MFA Implementation and Test Plan


Here are some recommendations and guidelines to help with defining the implementation and test steps in your multi-factor authentication
(MFA) plan.

Project schedule: Pick your launch date (or dates, if you’re rolling out in phases). Then establish a schedule for your MFA project. Include
milestones for distributing verification methods and onboarding documentation to users.
Check your Salesforce roadmap to avoid launching at the same time as any projects that could compete with your rollout. Work with
your leadership to clear roadblocks, such as non-Salesforce projects that could steal focus or resources.

Supported verification methods: Choose the verification methods that you plan to support in your implementation. Document the
process and timeline for distributing these methods to your users.
If you’re supporting physical security keys, allow adequate time before your launch date for users to receive their keys.

Enablement steps and requirements: Define how to resolve any dependencies, prerequisites, or blockers that you identified during the
evaluation stage of your project.
Document the steps to turn on MFA for users. See Enable MFA for Users on page 35 for details.

Waive MFA for exempt user types (for products built on the Salesforce Platform): Some user types are exempt from needing to use MFA.
Most of these cases are automatically excluded when auto-enablement and enforcement occur. But there are a few exempt user types
that must be manually excluded by a Salesforce admin. This should be done before MFA is enabled for your org. See Exclude Exempt
Users from MFA for details.

Test plan and acceptance criteria: Establish acceptance criteria and document how to test your MFA implementation.
We recommend executing the enablement steps in your plan. Then complete the registration flow for each verification method to make
sure you can successfully connect to a Salesforce account and log in.
Use a test environment or account to avoid the possibility of locking anyone out of your production environment. If a test environment
isn’t available, we recommend enabling MFA for a test user or a non-critical role in your production environment. Then run through the
testing steps. Get a test plan template from the downloadable MFA Rollout Pack.
It’s also a good idea to verify that your recovery process works as expected. Run through the process that you defined in the MFA
support plan.

SEE ALSO:
Determine Business and User Requirements for MFA

Roll Out Phase: Prepare to Launch Multi-Factor Authentication


With your project plan in place and your stakeholders aligned, the next step is doing the work to deliver multi-factor authentication
(MFA) to your Salesforce users. Now is the time to prepare users to log in using MFA, and to work through your implementation and
test plans. Then you’ll be ready to launch MFA. If you’re rolling out gradually to groups of users, repeat some of the activities in this phase
until everyone is using MFA.


Prepare Your Users for Multi-Factor Authentication


Without the right context, busy users may feel that multi-factor authentication (MFA) slows them down instead of adding value. Put
your change management strategy to work to help users understand the importance of MFA and to deliver a smooth onboarding
experience. Your goal is to engage and educate everyone with communication, training, and even some marketing.
Implement Multi-Factor Authentication
Along with performing change management activities, it’s time to start your multi-factor authentication (MFA) implementation.
Enabling MFA automatically adds an authentication challenge to the login process, so you want to defer that step to your scheduled
launch day. Let’s look at the other implementation-related activities that we recommend at this stage.
Launch Multi-Factor Authentication
When the big day arrives, enable multi-factor authentication (MFA) for your users. Then fire up your launch day activities to make
sure everyone has the support they need. If you’re going all in with MFA, turn it on for all your users. If you’re taking a phased approach,
enable the users or roles for your first group now, then repeat these steps for subsequent groups later on.

Prepare Your Users for Multi-Factor Authentication


Without the right context, busy users may feel that multi-factor authentication (MFA) slows them down instead of adding value. Put your
change management strategy to work to help users understand the importance of MFA and to deliver a smooth onboarding experience.
Your goal is to engage and educate everyone with communication, training, and even some marketing.
Kick off the change management activities that you identified for your project, and keep them going until all of your users have successfully
adopted MFA. We recommend a multipronged strategy with these types of activities:
• Communications and promotional campaigns
• Training
• Launch day onboarding and support

Tip: For help with these activities, check out the downloadable MFA Rollout Pack. It includes customizable templates to help you
run an email campaign, train users on MFA, and support them on your launch day with onboarding templates.

Engage Users with Communication and Promotional Campaigns


Communicate early and often with your Salesforce users, and use multiple channels so that you’re sure to reach everyone. Explain what
multi-factor authentication (MFA) is, when you’re launching it, what users must do to be ready, and where they can find instructions
and support. Explain why your users should care by reinforcing the idea that MFA is an important safeguard for their accounts, their data,
and their customers’ well-being. By establishing these details early in your project, you can head off user resistance and avoid adoption
blockers.
Here are a few ideas for engaging your users.

Communication Forum: Create a central place, such as a Slack channel or Chatter group, for announcements, questions and answers, and
peer collaboration. This is also a great place to share regular updates on your launch schedule.

Marketing Campaigns: Build awareness by running a week-long email campaign that sells users on the value of MFA and provides tips
and tricks so they’re ready for your launch day. This is also a great channel for explaining how to register verification methods and log
in with MFA.

Visual Reminders: Reinforce awareness by putting posters in hallways and break rooms. Develop a theme or catch phrase that engages
and empowers users — something like “Security Starts With You!” or “Turn the Lock All the Way With MFA.” Do you have a creative side?
Consider ways to make the posters pop with color or eye-catching imagery.

Tip: Include external users who access your Salesforce environment, such as partners, contractors, and call center services, in all
communications and campaigns.

Train Users on MFA Fundamentals


When a user logs in after MFA has been enabled, a series of prompts guide them through the steps to register and use a verification
method. But don’t rely on this experience alone. Providing some formal training on MFA fundamentals is important for a successful
rollout.
There are several training approaches you can take.

On-Demand Training: Create resources, such as a video, that users can access on their own time. Or, ask users to complete the User
Authentication module in Trailhead.

In-Person Training: Set up real-time training opportunities, like webinars or lunch-and-learn sessions.

Cover these details in your training materials:


• What MFA is and why it’s important for your company and your customers.
• The verification methods that you’re supporting in your implementation, and the steps users must take to register them.
• How to log in using each verification method that you’re supporting.
• How long a user’s session stays active after they log in, and how to re-authenticate if their session expires.
• Where to get help if users have problems registering a method, logging in, or if they forget or lose their verification method.

Develop Onboarding Materials and Plan Your Launch Day


Training is important, but don’t expect users to remember everything they learned ahead of time. Come launch day, users benefit from
simple resources that explain and expand on the in-app registration prompts. Onboarding materials go a long way in getting people
up and running (and reduce calls to your support team).
Consider creating a quick start web page or a laminated cheat sheet that you can distribute to users shortly before enabling MFA. Focus
on the step-by-step instructions for acquiring and registering a verification method, then using it to log in. Make sure that it’s clear how
users can get help if they get stuck or confused.
Develop processes and documentation to quickly resolve any problems that users encounter on your launch day.
• Deflect calls to your support team by creating self-help materials, including troubleshooting information for the most likely problems
that users might encounter on your launch day.
• Plan to hold office hours or to set up a dedicated, onsite help desk for the day. Make sure the people who staff these resources are
trained and can access your MFA troubleshooting documentation. If you do a dry run simulating your launch day, the actual event
should go more smoothly.
• Consider establishing an SOS process for execs and business users who need priority help if they run into problems.
Finally, think about having a little fun on your launch day. With some creativity and a little budget, you can make your go-live an engaging
event. Here are some ideas:
• Have a raffle with prizes, such as gift cards, a free day off, or lunch with an executive.
• Host a launch party with cupcakes.
• Hand out swag or branded items.
• Hold a contest where the first users to successfully log in with MFA receive a prize. Congratulate the winners in a public company
forum. People are motivated by recognition and prizes, no matter how small or inexpensive!

SEE ALSO:
Determine Your MFA Change Management Strategy

Implement Multi-Factor Authentication


Along with performing change management activities, it’s time to start your multi-factor authentication (MFA) implementation. Enabling
MFA automatically adds an authentication challenge to the login process, so you want to defer that step to your scheduled launch day.
Let’s look at the other implementation-related activities that we recommend at this stage.

Address MFA Dependencies and Blockers


Now is the time to take care of issues that must be addressed before you can proceed with enabling MFA.
Get Ready to Support Your MFA Implementation
Put your multi-factor authentication (MFA) support plan to work to make sure your support team is trained, and has the resources,
to resolve MFA-related issues. Assign MFA management permissions so the team can help users recover access if they’ve lost or
forgotten their verification methods.
Prepare to Deploy Security Keys or Built-in Authenticators for MFA (optional)
For products built on the Salesforce Platform, admins must enable security keys and built-in authenticators before users can register
these options as verification methods for multi-factor authentication (MFA). If you’re using security keys in your MFA implementation,
allow adequate time before launch day to procure and distribute them to users. It’s also a good idea to stock some extra keys so you
have a reserve inventory.
Test Your MFA Implementation
Execute your test plan to make sure your multi-factor authentication (MFA) implementation works as expected. Go through the
registration and login flow for each of the verification methods you’re supporting. And test your recovery process for cases where a
user doesn’t have their method.
Help Users Acquire and Register Verification Methods for MFA
When you enable multi-factor authentication (MFA), users must have at least one registered verification method before they can
log in. The registration process connects a method to the user’s Salesforce account. As you approach your launch date, it’s time to
distribute verification methods to users, along with instructions for the registration process.

SEE ALSO:
Exclude Exempt Users from MFA

Address MFA Dependencies and Blockers


Now is the time to take care of issues that must be addressed before you can proceed with enabling MFA.
For example:
• Eliminate shared accounts or credentials by making sure that each person who logs in to Salesforce has their own user license and
account. For help, contact your Account Executive or Sales team. Or refer to Salesforce Checkout and Self Service to Manage your
Account.


• If you use B2C Commerce Cloud and you haven’t done so already, migrate Business Manager users to Account Manager. For
step-by-step help, see the Unified Authentication for Business Manager FAQ and B2C Commerce Unified Authentication for Business
Manager webinar recording.

Tip: If you conducted a user inventory and identified any users who have more permissions than they need, consider doing some
user management housecleaning. Removing unnecessary permissions helps reduce security risks.

SEE ALSO:
Assess Org and User Readiness for MFA

Get Ready to Support Your MFA Implementation


Put your multi-factor authentication (MFA) support plan to work to make sure your support team is trained, and has the resources, to
resolve MFA-related issues. Assign MFA management permissions so the team can help users recover access if they’ve lost or forgotten
their verification methods.
Here are some best practices.

Document MFA Policies and Processes: Create knowledge articles or other documentation that Support agents can use to resolve cases.
We recommend addressing these subjects:
• Instructions for registering and signing in with verification methods
• Troubleshooting materials for connection issues, failed authentication attempts, and account lockouts
• Recovery process for lost or stolen verification methods and helping users disconnect old methods that have been replaced with
new ones
• Resolving issues if the connection between a registered method and a user’s Salesforce account stops working

Educate Support Agents: Schedule webinar or in-person training sessions. Allow time for demos and Q&A.

Speed Up MFA Case Resolution: If you’re using Salesforce to handle support inquiries, streamline responses to common issues and
questions by setting up quick text and macros, and organizing them in an MFA folder.

Assign MFA Management Permissions to Your Support Team


For products built on the Salesforce Platform: You can delegate admin tasks related to lost or forgotten verification methods to your
support team. Assign the Manage Multi-Factor Authentication in User Interface permission to the appropriate users. This user permission
allows agents to handle activities like generating temporary verification codes, disconnecting verification methods, and replacing lost
security keys. See Delegate Multi-Factor Authentication Management Tasks for more details.

SEE ALSO:
Support Your MFA Implementation
Recover Access for MFA-Enabled Users for Products Built on the Salesforce Platform
Establish an MFA Support Plan
Exclude Exempt Users from MFA


Prepare to Deploy Security Keys or Built-in Authenticators for MFA (optional)


For products built on the Salesforce Platform, admins must enable security keys and built-in authenticators before users can register
these options as verification methods for multi-factor authentication (MFA). If you’re using security keys in your MFA implementation,
allow adequate time before launch day to procure and distribute them to users. It’s also a good idea to stock some extra keys so you
have a reserve inventory.
To set up these options for your MFA implementation:
• Enable U2F or WebAuthn Security Keys for Identity Verification
• Enable Built-In Authenticators for Identity Verification

SEE ALSO:
Verification Methods for Multi-Factor Authentication

Test Your MFA Implementation


Execute your test plan to make sure your multi-factor authentication (MFA) implementation works as expected. Go through the registration
and login flow for each of the verification methods you’re supporting. And test your recovery process for cases where a user doesn’t
have their method.
Recommendations for testing your implementation vary by Salesforce product.
• Products built on the Salesforce Platform (including Sales Cloud and Service Cloud)
• B2C Commerce Cloud
• Marketing Cloud Engagement (powered by Email, Messaging, and Journeys)

Tip: Get a customizable test plan template from the downloadable MFA Rollout Pack.

Test MFA for Products Built on the Salesforce Platform


Enable and verify multi-factor authentication (MFA) in a test environment before rolling things out in your Salesforce production org.
Confirm that registering and logging in with each of your supported verification methods works as expected.

Available only in: Products built on the Salesforce Platform, including Sales Cloud, Service Cloud, Analytics Cloud, B2B Commerce Cloud,
Marketing Cloud, Marketing Cloud—Account Engagement, Experience Cloud, Platform, Industries products (Consumer Goods Cloud,
Financial Services Cloud, Government Cloud, Health Cloud, Manufacturing Cloud, Philanthropy Cloud), and Salesforce Essentials

Available in: Essentials, Group, Professional, Enterprise, Performance, Unlimited, Developer, and Contact Manager Editions

You can use a sandbox environment, or sign up for a Developer Edition org.
To test verification methods, we recommend using a test user that doesn’t have admin permissions. Log in as the test user, then complete
the registration flow for each method and confirm that you can successfully connect to Salesforce and log in.


Note: Avoid using your admin account for MFA testing so that you don’t inadvertently lock yourself out.

SEE ALSO:
Exclude Exempt Users from MFA
Multi-Factor Authentication Considerations for Sandbox Environments
Define Your MFA Implementation and Test Plan

Test MFA for B2C Commerce Cloud


Account Manager doesn’t have an isolated environment for testing Account Manager settings. We recommend working with trusted
users or using a test user account to verify your multi-factor authentication (MFA) implementation.
To test MFA, enable it for a test role or a non-critical role that has only a few assigned users. This way you can verify your implementation
without affecting the majority of your users.
Log into a test user account, or work with the users assigned to the role that you enabled. Confirm that users can register and log in with
each of your supported verification methods.

Note: Avoid using your admin account for MFA testing so that you don’t inadvertently lock yourself out.

If you discover any problems that you can’t quickly resolve or work around, you can disable MFA for the role at any time.

SEE ALSO:
Define Your MFA Implementation and Test Plan

Test MFA for Marketing Cloud Engagement


Marketing Cloud Engagement (powered by Email, Messaging, and Journeys) doesn’t have test environments so we recommend using
a test user account to verify your multi-factor authentication (MFA) implementation.
To test MFA, start by enabling it for your tenant. We recommend using the default enablement option, which allows users to choose
when they’ll opt into using MFA. This way, no one is immediately affected when MFA is turned on.
Then, log into a test user account—or work with a trusted user—to confirm that you can register and log in with each of your supported
verification methods.

Note: Avoid using your admin account for MFA testing so that you don’t inadvertently lock yourself out.

If you discover any issues that you can’t quickly resolve or work around, you can disable MFA.

SEE ALSO:
Define Your MFA Implementation and Test Plan

Help Users Acquire and Register Verification Methods for MFA


When you enable multi-factor authentication (MFA), users must have at least one registered verification method before they can log in.
The registration process connects a method to the user’s Salesforce account. As you approach your launch date, it’s time to distribute
verification methods to users, along with instructions for the registration process.
We recommend distributing methods one to two weeks before you turn on MFA. Users can self-register verification methods at any
time. Encourage everyone to register at least one method prior to your launch date so they can avoid delays logging in when MFA is
live. It’s a good idea for users to set up multiple verification methods so they don’t get locked out of their account if they forget or lose
one of their options.

Tip: Want to help your users with the registration process by providing onboarding help ahead of time? Check out the downloadable
MFA Rollout Pack. It provides customizable onboarding templates for each of the verification methods that are supported by
Salesforce products.
The registration steps vary slightly for each verification method. And the way a user starts the self-registration process depends on the
Salesforce product. Use these resources for step-by-step details.
• Products built on the Salesforce Platform (including Sales Cloud and Service Cloud)
• B2C Commerce Cloud
• Heroku
• Marketing Cloud Engagement (powered by Email, Messaging, and Journeys)
• Marketing Cloud Intelligence (powered by Datorama)
• Marketing Cloud Social
• MuleSoft Anypoint Platform
• Tableau Cloud

Note: If a user doesn’t have a method ready by the time MFA is turned on, they automatically go through the registration process
the next time they log in. On-screen prompts guide users through the steps.
Consider these guidelines as you prepare to distribute verification methods.
• Hold a few registration sessions or office hours before your launch day so users can get help if they need it.
• For authenticator apps:
– To ensure the security of mobile authenticator apps such as Salesforce Authenticator or Google Authenticator, require users to
set a PIN or biometric factor on their mobile device. (Note that mobile devices must be secured before users can register mobile
authenticator apps for B2C Commerce.)
• For security keys:
– Allow enough time to deliver them to users before your launch date. Decide if you’re going to hand-deliver keys or if users must
pick them up at a designated location. If you have remote users or offices in various regions, add a buffer for shipping delays.
– Have an extra supply of security keys on hand for your launch day in case some users received a malfunctioning key or didn’t
get their key in time.
• For built-in authenticators:
– Before registering this type of verifier, a user’s built-in authenticator service (such as Touch ID, Face ID, or Windows Hello) must
be enabled and set up to verify their identity.

SEE ALSO:
Verification Methods for Multi-Factor Authentication
Prepare Your Users for Multi-Factor Authentication

Launch Multi-Factor Authentication


When the big day arrives, enable multi-factor authentication (MFA) for your users. Then fire up your launch day activities to make sure
everyone has the support they need. If you’re going all in with MFA, turn it on for all your users. If you’re taking a phased approach,
enable the users or roles for your first group now, then repeat these steps for subsequent groups later on.


Enable MFA for Users


When you’re ready to go live, enable multi-factor authentication (MFA). Remember that turning on MFA automatically adds
authentication challenges to the Salesforce login process, so make sure your users are prepared before you take this step.
Support Users on Your MFA Launch Day
Make your multi-factor authentication (MFA) rollout a success with some recommended best practices. For example, initiate user
support activities like office hours or a dedicated help center to help users troubleshoot and resolve problems quickly.

Enable MFA for Users


When you’re ready to go live, enable multi-factor authentication (MFA). Remember that turning on MFA automatically adds authentication
challenges to the Salesforce login process, so make sure your users are prepared before you take this step.
The steps for enabling MFA are determined by your Salesforce product.
• Products built on the Salesforce Platform (including Sales Cloud and Service Cloud)
• B2C Commerce Cloud
• Heroku
• Marketing Cloud Engagement (powered by Email, Messaging, and Journeys)
• Marketing Cloud Intelligence (powered by Datorama)
• Marketing Cloud Social
• MuleSoft Anypoint Platform
• Quip products
• Tableau Cloud

Enable MFA for Products Built on the Salesforce Platform


Enable multi-factor authentication (MFA) for some or all of your users. MFA requires users to provide an additional factor of authentication
when they log in to the Salesforce user interface.

Available only in: Products built on the Salesforce Platform, including Sales Cloud, Service Cloud, Analytics Cloud, B2B Commerce Cloud,
Marketing Cloud, Marketing Cloud—Account Engagement, Experience Cloud, Platform, Industries products (Consumer Goods Cloud,
Financial Services Cloud, Government Cloud, Health Cloud, Manufacturing Cloud, Philanthropy Cloud), and Salesforce Essentials

Available in: Essentials, Group, Professional, Enterprise, Performance, Unlimited, Developer, and Contact Manager Editions

Important: To help prevent unauthorized access to Salesforce accounts, MFA is a default part of the direct login experience for
all production orgs created on or after April 8, 2024. See this release note for more information. For full details on the contractual
requirement to use MFA when accessing Salesforce, see the Salesforce Multi-Factor Authentication FAQ.
There are two methods for enabling MFA.

Enable MFA for Everyone


To turn on MFA for everyone at the same time, use the Require multi-factor authentication (MFA) for all direct UI logins to your Salesforce
org setting. See Enable MFA for Your Entire Org for details.

Tip: Want to see the process in action? Check out the Launch Multi-Factor Authentication for Salesforce video.


There are a few user types that are exempt from the MFA requirement. Most are automatically excluded from MFA when you use the
MFA org setting. However, there are a few MFA-exempt user types that must be manually excluded, which should be completed before
using this option. To see if any of these user types exist in your org and to learn how to exclude them from MFA, see Exclude Exempt
Users from MFA.

Enable MFA in Phases


To roll out MFA to groups of users over time, use the Multi-Factor Authentication for User Interface Logins user permission. See Enable
MFA for Specific Users for details.
Here are some considerations:
• Want to roll out MFA for a pilot, to a select group of users, or to standard profile users? Create a permission set that includes the MFA
user permission. Then apply the permission set to the desired users.

• Ready to roll out MFA to everyone assigned to specific custom profiles? Add the MFA user permission to profiles to mass-enable
MFA for users.

User Experience When MFA is Enabled


When MFA is turned on for a user, they must have a registered verification method to access Salesforce. If a user didn’t self-register a
method before your launch day, on-screen prompts guide them through the process the next time they log in. For all subsequent logins,
users are required to supply the method in addition to their username and password.

SEE ALSO:
Enable MFA for Direct User Logins
Exclude Exempt Users from MFA
Register Verification Methods for Multi-Factor Authentication

Enable MFA for B2C Commerce Cloud


As of May 2022, MFA has been enabled and enforced for B2C Commerce customers and is now a permanent part of the login experience.
If Salesforce hasn't enforced MFA for your organization yet but you're ready to start using it, contact Salesforce Customer Support.

SEE ALSO:
Register Verification Methods for Multi-Factor Authentication for B2C Commerce

Enable MFA for Heroku


As of January 2023, MFA has been enabled and enforced for Heroku customers and is now a permanent part of the login experience. If
MFA isn’t enforced for your environment yet but you're ready to start using it, contact Heroku Customer Support.

SEE ALSO:
Multi-Factor Authentication (MFA) for Heroku


Enable MFA for Marketing Cloud Intelligence


As of October 2022, MFA has been enabled and enforced for Marketing Cloud Intelligence (powered by Datorama) customers and is
now a permanent part of the login experience. If Salesforce hasn't enforced MFA for your organization yet but you're ready to start using
it, contact Salesforce Customer Support.

SEE ALSO:
Multi-Factor Authentication in Marketing Cloud Intelligence

Enable MFA for MuleSoft Anypoint Platform


As of August 2023, MFA has been enabled and enforced for Anypoint Platform customers and is now a permanent part of the login
experience. If MFA isn’t enforced for your environment yet but you're ready to start using it, contact MuleSoft Customer Support.

SEE ALSO:
Multi-Factor Authentication for MuleSoft Anypoint Platform

Enable MFA for Quip Products


As of May 2022, MFA has been enabled and enforced for Quip customers and is now a permanent part of the login experience. If Salesforce
hasn't enforced MFA for your organization yet but you're ready to start using it, contact Salesforce Customer Support.

SEE ALSO:
Multi-Factor Authentication (MFA) for Quip

Support Users on Your MFA Launch Day


Make your multi-factor authentication (MFA) rollout a success with some recommended best practices. For example, initiate user support
activities like office hours or a dedicated help center to help users troubleshoot and resolve problems quickly.

Tip: To support your users when MFA goes live, check out the customizable communications and onboarding resources that are
provided in the downloadable MFA Rollout Pack.

Kick off your launch with comms
When the big day arrives, make sure that the entire company gets an official communication marking the MFA launch. Work with your
executive sponsor, security team, or CISO to send the announcement so everyone understands the importance of the initiative.

Have your support team on standby
Even with proactive advance change management activities, some users may have trouble registering verification methods or
authenticating with MFA. To help users resolve problems quickly, make sure your support team is staffed to address MFA-related calls
and cases.

Provide direct support for launch day issues
Put any special support logistics that you planned for launch day into motion. For example:
• Staff an onsite help center or office hours so users can get in-person assistance.
• Have an SOS process for execs and business users who need priority help.

Make it an event!
While the serious stuff is important, why not inject a little fun and excitement into the rollout by turning your launch day into an
event? Here are some ideas:
• Have a raffle with prizes, such as gift cards, a free day off, or lunch with an executive.
• Host a launch party with cupcakes.
• Hand out swag or branded items.
• Hold a contest where the first number of users who successfully log in with MFA receive a prize. Congratulate the winners in a
public company forum. People are motivated by recognition and prizes, no matter how small or inexpensive!

SEE ALSO:
Determine Your MFA Change Management Strategy

Manage Phase: Maintain and Enhance Multi-Factor Authentication


Congratulations, you’ve enabled multi-factor authentication (MFA) for your Salesforce users! But don’t just “set it and forget it.” Make
sure that your project is a success by keeping an eye on how everyone is experiencing MFA. In this phase, measure the effectiveness of
your MFA rollout, and support users with ongoing, day-to-day operations. This is also a good time to look for ways to optimize your MFA
implementation, as well as your overall security posture.

Measure the Success of Your Multi-Factor Authentication Rollout


After rolling out multi-factor authentication (MFA), verify that you’re getting traction with users and hitting your goals. Collect
feedback to see what’s working and what’s not. And monitor metrics on usage patterns, and how well MFA is reducing risk, to
understand the health of your implementation.
Support Your MFA Implementation
Turning on multi-factor authentication (MFA) introduces some new admin responsibilities to support users and maintain operations.
Depending on your support plan, you may be sharing some or all of these activities with a support team, such as your help desk or
an outside service.
Optimize Your Multi-Factor Authentication Implementation...and More
When you’ve finished rolling out multi-factor authentication (MFA) to all of your Salesforce users, consider if there are enhancements
that you can make to your MFA implementation, and to overall Salesforce security.

Measure the Success of Your Multi-Factor Authentication Rollout


After rolling out multi-factor authentication (MFA), verify that you’re getting traction with users and hitting your goals. Collect feedback
to see what’s working and what’s not. And monitor metrics on usage patterns, and how well MFA is reducing risk, to understand the
health of your implementation.

Get User Feedback on Your MFA Implementation


Check in with your Salesforce users periodically to learn how things are going. Gauge overall satisfaction and learn about specific
pain points. The insights gained from talking to your users are helpful in showing you where you can refine the MFA experience,
particularly as you onboard new users to your company.
Monitor and Analyze MFA Usage
Monitor multi-factor authentication (MFA) usage patterns and metrics to get a full understanding of common problems that users
are experiencing. Use this data to assess options for improving things.

Get User Feedback on Your MFA Implementation


Check in with your Salesforce users periodically to learn how things are going. Gauge overall satisfaction and learn about specific pain
points. The insights gained from talking to your users are helpful in showing you where you can refine the MFA experience, particularly
as you onboard new users to your company.
Here are some ideas for collecting feedback.

Polls
Conduct polls. For example, create an informal Chatter poll or use an online poll app to ask specific questions.

Surveys
Use a survey app to deliver a formal, written survey that measures satisfaction and problem areas.

Focus Groups
Schedule focus groups to hold conversations with key users and teams.

Q & A Sessions
Host open “question and answer” sessions to hear concerns about any impacts from your MFA policies.

Monitor and Analyze MFA Usage


Monitor multi-factor authentication (MFA) usage patterns and metrics to get a full understanding of common problems that users are
experiencing. Use this data to assess options for improving things.
Here are some things to keep track of.
• Check support tickets and logs to track failed login attempts and problems users are having registering verification methods. Also
keep track of the volume of requests for temporary verification codes.
• Look for gaps in user training or your onboarding materials that may have resulted in users misconfiguring or misusing verification
methods.
• Monitor and analyze MFA usage patterns. For example, is it taking users more time to log in than before? Is it taking multiple tries
to log in successfully? If so, can you see patterns that show some verification methods are working better for users than others? Are
users giving up or not logging in to Salesforce as frequently as before you rolled out MFA?
Depending on your Salesforce product, we have tools that you can use to monitor MFA usage.
• For products built on the Salesforce Platform (including Sales Cloud and Service Cloud)
• For Marketing Cloud Engagement (powered by Email, Messaging, and Journeys)

SEE ALSO:
Get User Feedback on Your MFA Implementation

Monitor MFA Usage for Products Built on the Salesforce Platform


There are several tools that you can use to monitor and report on multi-factor authentication (MFA) usage patterns in your org. Options
include the Lightning Usage App, a comprehensive MFA dashboard from Salesforce Labs, and custom list views together with the
out-of-the-box Identity Verification Methods report.

Available only in: Products built on the Salesforce Platform, including Sales Cloud, Service Cloud, Analytics Cloud, B2B Commerce Cloud,
Marketing Cloud, Marketing Cloud—Account Engagement, Experience Cloud, Platform, Industries products (Consumer Goods Cloud,
Financial Services Cloud, Government Cloud, Health Cloud, Manufacturing Cloud, Philanthropy Cloud), and Salesforce Essentials

Available in: Essentials, Group, Professional, Enterprise, Performance, Unlimited, Developer, and Contact Manager Editions

Lightning Usage App


Use the Login Metrics tab in the Lightning Usage App to monitor logins in your org. You can track how many users are logging in with
your org’s various identity services, including Multi-Factor Authentication (MFA) and Single Sign-On (SSO). For full details, see Monitor
Logins with the Lightning Usage App on page 40.

MFA Dashboard App from Salesforce Labs


The Multi-Factor Authentication Dashboard from Salesforce Labs is a great option for monitoring and reporting on MFA usage patterns
after you go live. This app is free of charge. You can download and install the package from Salesforce AppExchange.

Note: Prior to the Winter ‘21 release, this package was called Two-Factor Authentication Dashboard.

This package includes:


• MFA view: See who has registered MFA verification methods. You can also keep track of who has generated temporary verification
codes, and who has revoked any registered verification methods.
• Dashboards and reports: Audit MFA verification activities in your org, and track method registration progress.
After installing the package, select the Dashboards tab in Salesforce. Then open the MFA Dashboard folder and select the MFA
Dashboard.

MFA List Views and the Identity Verification Methods Report


You can use custom list views to see who has registered verification methods for MFA. In addition, the Identity Verification Methods
report in Setup monitors and audits your users’ identity verification attempts over the past six months. Use this report to understand
how and when your users are using MFA.
For full details, see See How Your Users Are Verifying Their Identity and Monitor Identity Verification History.

SEE ALSO:
Monitor and Analyze MFA Usage

Monitor Logins with the Lightning Usage App


Use the Login Metrics tab in the Lightning Usage App to monitor logins in your org. See how many users are logging in with your org’s
various identity services, including multi-factor authentication (MFA) and single sign-on (SSO).
If you’re implementing MFA in your org, you can use login metrics to see if users are or aren’t logging in with MFA. Monitoring multiple
login methods lets you spot trends, to detect any irregularities in logins or find out if users are still logging in without MFA.

To access the Lightning Usage App, from the App Launcher, find and open Lightning Usage. From the app, click Login Metrics
under SECURITY on the left side of the page to view the associated data. The Login Metrics page shows login data for password-free,
single sign-on (SSO), and username and password login methods, with and without MFA, for the last 7 days and the last 3 months. For
more MFA and security resources, click any of the links below Multi-Factor Authentication (MFA) and General Security Actions.
• Password-free logins track certificate-based logins, Lightning logins, and passwordless logins.
• Single sign-on logins track Salesforce and third-party logins done via federated SSO, including the SAML and OpenID Connect open
standards.
• Delegated Authentication logins are tracked under the Username and Password login metric.
• Logins with MFA track only Salesforce MFA logins.

SEE ALSO:
Identify Your Users and Manage Access

Monitor MFA Usage for Marketing Cloud Engagement


When multi-factor authentication (MFA) is enabled for your Marketing Cloud Engagement (powered by Email, Messaging, and Journeys)
tenant, you can use the MFA Events log to keep track of all registration and verification attempts.
For full details, see View MFA Events in Marketing Cloud.

Support Your MFA Implementation


Turning on multi-factor authentication (MFA) introduces some new admin responsibilities to support users and maintain operations.
Depending on your support plan, you may be sharing some or all of these activities with a support team, such as your help desk or an
outside service.
Typical support and operational activities include:
• Troubleshooting and resolving login and authentication problems, including account lockouts.
• Helping users recover access if they’ve lost or forgotten their verification methods.
• Enabling MFA for new employees as part of your new hire onboarding process.
• Stocking and distributing security keys, if you’re supporting this type of verification method.

Access Recovery
Your options for assisting users if they forget or lose their usual verification methods depend on your Salesforce product.

Admin-Generated Temporary Verification Codes
For some products, admins can generate temporary codes that allow users to log in without a verification method. Here are the steps
for the products that support this option:
• Products built on the Salesforce Platform (including Sales Cloud and Service Cloud) on page 42
• Marketing Cloud Engagement (powered by Email, Messaging, and Journeys)
• Marketing Cloud Social

User-Generated Recovery Codes
In some products, users can generate a list of ten single-use recovery codes that they can keep in a safe place until needed. As part
of your onboarding activities, ask your users to generate recovery codes when they start using MFA. Here are the steps for the products
that have this option:
• Heroku
• Marketing Cloud Intelligence (powered by Datorama)
• Marketing Cloud Social
• Tableau Cloud

Reset MFA
For MuleSoft Anypoint Platform, admins can reset MFA for a user who has lost or forgotten their verification methods. The user is then
prompted to register a new method the next time they log in.

Note: If you’re the only admin for your product and you get locked out, contact Salesforce Customer Support.

SEE ALSO:
Establish an MFA Support Plan
Get Ready to Support Your MFA Implementation
Recover Access for MFA-Enabled Users for Products Built on the Salesforce Platform

Recover Access for MFA-Enabled Users for Products Built on the Salesforce Platform
After MFA is enabled, access problems usually fall into two categories: the connection between a user's MFA verification method and
their Salesforce account isn't working, or a user lost, replaced, or forgot their MFA verification method. Use temporary verification codes
to allow users to regain access immediately. When dealing with a broken connection or a missing verification method, revoke the
connection and help the user set up a new method.

Available only in: Products built on the Salesforce Platform, including Sales Cloud, Service Cloud, Analytics Cloud, B2B Commerce Cloud,
Marketing Cloud, Marketing Cloud—Account Engagement, Experience Cloud, Platform, Industries products (Consumer Goods Cloud,
Financial Services Cloud, Government Cloud, Health Cloud, Manufacturing Cloud, Philanthropy Cloud), and Salesforce Essentials

Available in: Essentials, Group, Professional, Enterprise, Performance, Unlimited, Developer, and Contact Manager Editions

Here are the recommended recovery steps for the most common MFA-related access issues.

User's Verification Method Isn't Working or Has Been Replaced


Use these access recovery steps if a user registered a verification method but it isn't working when they try to log in. These steps also
apply if a user needs to register a method because they have a new mobile device, security key, or computer with a built-in authentication
service.
• Issue the user a temporary verification code so they can log in while you resolve their issue. See Generate a Temporary Identity
Verification Code.
• Disconnect the user's existing verification method. See Disconnect a User’s Verification Method.
• Help the user re-register their verification method or set up a new method. See Register Verification Methods for Multi-Factor
Authentication.
• Expire the user's temporary verification code when it's no longer needed. See Expire a Temporary Verification Code.

User's Verification Method Is Lost or Stolen


• Remove the user’s current session and have the user reauthenticate. See User Sessions.
• Issue the user a temporary verification code so they can log in while you resolve their issue. See Generate a Temporary Identity
Verification Code.
• Disconnect the user's existing verification method. See Disconnect a User’s Verification Method.
• Audit the user’s account activity to see if there’s been any unusual activity. See How Your Users Are Verifying Their Identity.
• Walk the user through the process to acquire a replacement device. When they have it, help them re-register their verification method
or set up a new method. See Register Verification Methods for Multi-Factor Authentication.
• Expire the user's temporary verification code when it's no longer needed. See Expire a Temporary Verification Code.

User Forgot Their Verification Method


• Issue the user a temporary verification code so they can log in and do their work for the day. See Generate a Temporary Identity
Verification Code.
• Expire the user's temporary verification code when it's no longer needed. See Expire a Temporary Verification Code.

SEE ALSO:
Establish an MFA Support Plan
Get Ready to Support Your MFA Implementation

Optimize Your Multi-Factor Authentication Implementation...and More


When you’ve finished rolling out multi-factor authentication (MFA) to all of your Salesforce users, consider if there are enhancements
that you can make to your MFA implementation, and to overall Salesforce security.

Refine the MFA User Experience


Plan periodic reviews of your multi-factor authentication (MFA) implementation to verify it’s still meeting your needs.
Review and Enhance Your Salesforce Security Strategy
Multi-factor authentication (MFA) is just one aspect of your overall Salesforce security strategy. To keep your customers safe and
your data protected, consider best practices, tools, and technology to improve on your existing defense-in-depth strategy.

Refine the MFA User Experience


Plan periodic reviews of your multi-factor authentication (MFA) implementation to verify it’s still meeting your needs.
Here are some recommendations.
• Review new verification method technology as it becomes available. Look for opportunities to streamline or improve the current
user experience.
• Maintain a company-wide commitment to keeping Salesforce account access secure.
• Continue user education with follow-up training sessions or office hours to reinforce the right behaviors.

Enable Lightning Login (for products built on the Salesforce Platform)


Enhance the MFA user experience by enabling Lightning Login. This feature gives users fast, convenient, and secure password-free
access to their Salesforce account. It meets the MFA standard by requiring Salesforce Authenticator (something a user has) and a PIN or
biometric scan on their mobile device (something the user is). See Enable Lightning Logins for Password-Free Logins.

Review and Enhance Your Salesforce Security Strategy


Multi-factor authentication (MFA) is just one aspect of your overall Salesforce security strategy. To keep your customers safe and your
data protected, consider best practices, tools, and technology to improve on your existing defense-in-depth strategy.

Enhance Login Security
Implement controls like IP range restrictions for logins.

Consider Alternative Identity Security Solutions
Single sign-on (SSO) is a great option for improving your users’ login experience. If your users regularly access multiple apps in the
course of their day, we suggest using an Identity Provider (IdP) to enhance access security for all your applications, including
Salesforce. With a well-implemented SSO strategy, you can reduce password-related risks, improve authentication processes, and make
it easier for your users to log in to frequently used applications.
To comply with the MFA requirement, enable MFA for your SSO identity provider.

Apply MFA to API Logins
Apply the “least privilege” principle to your API users. It’s a common bad practice to give powerful admin-level permissions to API
users when really all that’s needed is access to relevant objects. Audit the permissions that API users currently have, and see where
you can eliminate unnecessary privileges.
Consider if your API users also have access to the user interface. If that’s not necessary, limit access to the API only.

If you use products built on the Salesforce Platform, you can use built-in tools to review your overall Salesforce security settings and find
ways to address any existing risks.
• Use Security Health Check to identify and fix risks in your security settings.
• Use Salesforce Shield to build a new level of trust, transparency, compliance, and governance directly into business-critical apps.

Multi-Factor Authentication Glossary


Familiarize yourself with common terminology related to multi-factor authentication (MFA) and the contractual MFA requirement.
Auto-Enable MFA
On a customer’s behalf, Salesforce turns on MFA for all users who log in directly to a Salesforce product’s UI. Users who weren’t
previously using MFA are prompted to register for it the next time they log in and can’t proceed until they do so. Users who were
already logging in with MFA aren’t affected. For some products, MFA will be auto-enabled several months prior to enforcement.
During this time, admins can temporarily disable MFA if their users aren’t ready for it yet. See also Enforce MFA and Register for MFA.
Authentication
The process of validating that a user is who they say they are before they’re allowed to log into an account, perform an action, or
access information.

Enable MFA
The action that customer admins take to turn on MFA for their org/tenant/realm. Depending on the Salesforce product, admins can
enable MFA at the org level, for groups of users, or on a user-by-user basis.
Enforce MFA
When Salesforce enforces MFA for a Salesforce product, it becomes a permanent part of the product’s login process. During
enforcement, Salesforce auto-enables MFA for all users who aren’t already using it for direct logins. At the same time, Salesforce
removes the option for all customer users, including admins, to disable MFA.
Least Privilege
The concept that a user should have the fewest permissions necessary to do their job — and nothing more. This limits
the risk of a user accessing information or performing an action that shouldn’t be allowed given their role, limits the impact of user
errors, and reduces the damage of compromised credentials in the event of an attack.
Multi-Factor Authentication (MFA)
A security measure used to increase protection for accessing user accounts. MFA requires users to present two or more pieces of
evidence — or factors — during login to prove they’re who they say they are. These pieces of evidence must fall into at least two
different categories (something a user knows, has, or is). A familiar example of MFA at work is the two factors needed to withdraw
money from an ATM. To withdraw funds, you must first present your ATM card (something you have), and then you must enter your
PIN (something you know). See also Verification Method.
Privileged User
Admins and users who have a high level of access to the application or sensitive data.
For products built on the Salesforce Platform, a privileged user is a Salesforce admin (defined as a user with both the Customize
Application and Modify All Data user permissions) or a user with any of these user permissions: Customize Application, Manage
Users, Modify All Data, or View All.
Register for MFA
The process each user goes through to connect a verification method to their account so they can use the method to verify their
identity when logging in. When MFA is enabled, users are required to register a method before they can log in. Users can register
multiple methods so they have backup options in case they lose or forget their primary method.
Security Keys
A physical device that electronically authenticates a person’s identity by storing and retrieving some sort of personal information.
Security keys come in many different form factors, including USB, Lightning, and NFC. Also referred to as a security token or
authentication token.
Strong Verification Method
Verification methods that are more resistant to cyberattacks, such as phishing and man-in-the-middle attacks. These types of methods
help provide high assurance that users accessing Salesforce products are who they say they are. See also Verification Method.
Time-Based One-Time Passwords (TOTP)
Single-use passcodes that can be used as a verification method to authenticate a user to their account. To make use of a TOTP, a
user must use a TOTP authenticator app, which generates the single-use passcodes. When a user is authenticating to their account,
the generator implements an algorithm to create a one-time passcode based on the current time. Once displayed to the user, this
password is valid for a limited time until it expires, at which time it is no longer valid for login and the user must request a new
password.
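As an added worked example, not code from the Salesforce guide, the following Python implements the TOTP algorithm this entry describes
(RFC 6238 on top of RFC 4226 HOTP) together with a verifier that enforces the single-use property. The secret is the RFCs' public test
vector, and the clock-drift window and replay tracking are assumptions about how a verifier is typically built, not Salesforce's implementation.

```python
"""Worked TOTP example (RFC 6238 over RFC 4226 HOTP), added to illustrate the
glossary entry. This is not Salesforce code; Salesforce Authenticator and
third-party apps implement the same standard. The secret below is the public
RFC test vector, constructed for the demo, not a real provisioning secret."""
import base64
import hashlib
import hmac
import struct

RFC_TEST_SECRET = b"12345678901234567890"  # ASCII test secret from RFC 4226/6238
STEP_SECONDS = 30   # time step shared by the authenticator app and the verifier
DIGITS = 6          # code length shown to the user


def decode_base32_secret(text: str) -> bytes:
    """Authenticator apps are provisioned with a base32 secret; tolerate the
    lowercase, space-separated form that users often type or copy."""
    compact = text.replace(" ", "").upper()
    return base64.b32decode(compact + "=" * (-len(compact) % 8))


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_unix_seconds: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238: the HOTP counter is the number of whole time steps since the epoch,
    which is what ties the passcode to the current time."""
    return hotp(secret, at_unix_seconds // step)


def seconds_until_expiry(at_unix_seconds: int, step: int = STEP_SECONDS) -> int:
    """How long the code displayed at this instant stays valid before a new one is needed."""
    return step - (at_unix_seconds % step)


class TotpVerifier:
    """Server-side check (assumed design). Accepts the current step plus `window`
    steps either side to absorb clock drift, and refuses any step at or below the
    last accepted one, so a code that was already used cannot be replayed within
    its lifetime. This is what makes the passcode single-use."""

    def __init__(self, secret: bytes, step: int = STEP_SECONDS, window: int = 1):
        self.secret = secret
        self.step = step
        self.window = window
        self.last_counter = -1  # highest counter already consumed

    def verify(self, submitted: str, at_unix_seconds: int) -> bool:
        now_counter = at_unix_seconds // self.step
        first = max(0, now_counter - self.window)
        for counter in range(first, now_counter + self.window + 1):
            # constant-time compare avoids leaking how many leading digits matched
            if hmac.compare_digest(hotp(self.secret, counter), submitted):
                if counter <= self.last_counter:
                    return False  # replay of a code already accepted
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    t = 59  # RFC 6238 test instant: 1970-01-01T00:00:59Z
    print("code", totp(RFC_TEST_SECRET, t), "valid for", seconds_until_expiry(t), "s")
    verifier = TotpVerifier(RFC_TEST_SECRET)
    print(verifier.verify("287082", t), verifier.verify("287082", t + 10))  # True False
```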
Two-Factor Authentication (2FA)
A subset of multi-factor authentication (MFA) that requires only two factors to log in. Both 2FA and MFA protect against unauthorized
access by requiring a user to provide multiple factors to verify their identity. The difference between them is the number of factors
that are needed to log in. While some MFA solutions may require three, four, or more combinations of factors, 2FA requires only
two.

Verification Method
A piece of evidence that a user presents when logging in to verify their identity. Also referred to as a factor or authentication factor.
Salesforce products support several types of verification methods, including Salesforce Authenticator, third-party TOTP authenticator
apps (such as Google Authenticator or Authy), physical security keys, and built-in authenticators (such as Windows Hello, TouchID,
or FaceID). See also Strong Verification Method.

INDEX

B
built-in authenticators 12

M
MFA Rollout Pack 6
Multi-factor authentication 2–3, 6–8, 10–13, 18–19, 21–25, 27–28, 30–44
Multi-Factor Authentication Assistant 3

S
security keys 11

T
third-party authenticator apps 10
TOTP authenticator apps 10
Two-factor authentication 2–3, 6–8, 10–13, 18–19, 21–25, 27–28, 30–44

47