How To Roll Out Multi-Factor Authentication: Salesforce, Spring '24
Salesforce, Spring ’24
HOW TO ROLL OUT MULTI-FACTOR AUTHENTICATION
Multi-factor authentication (MFA) is one of the simplest, most effective ways you can safeguard user account access. Because MFA is a
critical component of securing account access, Salesforce requires it for all users who log in to the user interface — either directly with
a username and password or via single sign-on (SSO). The contractual requirement to use MFA went into effect on February 1, 2022.
We make it easy with simple, innovative MFA solutions that provide a balance between strong security and user convenience.
Important: For full details about the MFA requirement, see the Salesforce Multi-Factor Authentication FAQ. Note that MFA is a
default part of the direct login experience for all production orgs created on or after April 8, 2024 — see this release note for more
information.
As an admin, you are your company’s trusted advisor for all things Salesforce and you help decide how to prepare for and roll out MFA
to your users. This guide walks you through the recommended process, including key steps and best practices.
Note: The focus of this guide is enabling MFA for users who log in directly to your Salesforce products with a username and
password. This content doesn’t apply to setting up MFA for single sign-on (SSO) identity providers, API logins, or for your partners
or customers who engage with you through Salesforce Experience Cloud sites or ecommerce sites.
SEE ALSO:
Products That Support Multi-Factor Authentication
How to Roll Out Multi-Factor Authentication It’s Time for Multi-Factor Authentication
Important: To help prevent unauthorized access to Salesforce accounts, customers are required to use multi-factor authentication
(MFA) when logging in — either directly with a username and password or via single sign-on (SSO). See the Salesforce Multi-Factor
Authentication FAQ for full details about this contractual requirement.
MFA is a default part of the direct login experience for all production orgs created on or after April 8, 2024. See this release note
for more information.
SEE ALSO:
Learn About Multi-Factor Authentication
Get Ready
• Learn why Salesforce requires MFA for enhanced login security, what your options for enabling it are, and how your company benefits.
• Evaluate your business and user requirements and align them with the MFA options for your Salesforce products to start defining your implementation strategy.
• Plan your MFA implementation, including rollout, change management, and support strategies, so that you’re ready to hit the ground running.
Roll Out
• Prepare users for the MFA rollout by putting your change management strategy into action.
• Implement MFA by kicking off your implementation and test plan, including establishing your MFA support processes and team.
• Launch MFA to users on your scheduled go-live date.
Manage
• Measure the effectiveness of your MFA rollout through user feedback and metrics.
• Support users with ongoing, day-to-day operations.
• Optimize your MFA implementation and your overall security posture.
Depending on the size of your organization, you may be working with a change management team or have a project manager assigned
to this rollout. Or, maybe you’re the one charged with organizing and executing the project from start to finish. However the work gets
divided up, use this guide to help you along the way.
The Multi-Factor Authentication Assistant guides you through each phase and stage on the path to MFA.
• Get Ready phase: Kick off your multi-factor authentication (MFA) project with a discovery and planning period.
• Roll Out phase: Prepare your users for MFA with change management activities, work through your implementation and test plans,
then go live.
• Manage phase: Measure the effectiveness of your MFA rollout, support users with ongoing, day-to-day operations, and optimize
your MFA implementation and overall security posture.
In each phase, you get support with step-by-step instructions and resources. Activities are grouped into a series of stages that keep you
organized and help you track your progress. To see the recommended activities in a stage, click the icon.
The Assistant helps you keep track of the work you’ve finished and where you’ve left off by allowing you to check off steps that you’ve
completed (1). The Assistant shows when you’ve completed all steps in a stage (2).
The Multi-Factor Authentication Assistant is designed to move you quickly and efficiently through the process. But you can tackle activities
in whatever order makes sense for your org. And you can skip any steps that aren’t relevant or don’t add value to your project. If you
take an iterative approach to rolling out MFA, you can repeat activities until you’ve enabled all users.
SEE ALSO:
A Framework for Rolling Out and Supporting MFA
What’s included:
• Presentation deck, to help make the case for MFA and get alignment with your stakeholders and leadership.
• User inventory template and guidance, for auditing the permissions assigned to your users and identifying the users who should
get MFA first.
• Sample email drip campaign, for raising awareness about the coming launch and promoting the value of MFA.
• User training deck, for training your users on what MFA is, how it works, and how to register and log in with supported verification
methods.
• Onboarding guides that show users the steps for registering and logging in with each of the MFA verification methods that are
supported by Salesforce products.
The pack also includes resources for planning your rollout, including a checklist to keep you on track, a project schedule template, and
a simple test plan template.
The MFA Rollout Pack is a zip file that you can download here.
To see the types of methods that are supported for your Salesforce product, see Verification Methods for Multi-Factor Authentication.
You can deploy as many types of methods as needed to meet your business and users’ requirements.
Each user must spend a few minutes registering at least one verification method so it’s connected to their Salesforce account. Users can
register methods at any time. If a user doesn’t have a method ready by the time MFA is enabled, they’re automatically prompted to
register one the next time they log in. On-screen prompts guide users through the process.
Tip: Encourage users to register multiple verification methods to avoid the risk of getting locked out of Salesforce. If a user forgets
or loses one method, they have other options to fall back on.
SEE ALSO:
Products That Support Multi-Factor Authentication
It’s Time for Multi-Factor Authentication
Multi-Factor Authentication Quick Guide for Admins
Multi-Factor Authentication FAQ
Trailblazer Community Group: MFA - Getting Started
– Salesforce Essentials
– Salesforce Field Service
– Partner solutions
Important: To satisfy the contractual MFA requirement that went into effect on February 1, 2022, users can log in with any of
the strong verification methods supported by your Salesforce products.
Salesforce MFA doesn’t allow the use of security questions or one-time passcodes delivered via email, SMS text messages, or phone
calls. This restriction is due to the inherent vulnerabilities with these methods. Email credentials can be compromised and mobile
phone numbers can be intercepted via SIM swapping attacks or hacked mobile device accounts.
If you have users who access Salesforce products with single sign-on (SSO), your SSO provider’s MFA services may support methods
that aren’t discussed here. See the MFA FAQ for guidance on verification methods that satisfy the MFA requirement.
Let’s look at the benefits and considerations for each type of verification method supported by Salesforce products.
Salesforce Authenticator
A smart and simple mobile app that users can easily connect to their Salesforce accounts.
User Experience:
• Delivers push notifications to users’ phones for fast access.
• See real-time details to confirm request validity.
• Deny fraudulent requests with a tap.
• Automates authentication from trusted locations.
• Generates TOTP codes if connectivity isn’t available.
Cost: Free

Third-Party Authenticator Apps *
Apps generate unique, temporary verification codes based on the OATH TOTP algorithm (specified in RFC 6238).
User Experience:
• A wide variety of apps to choose from.
• Connectivity isn’t required.
Cost: Free and paid options

Security Keys *
Physical devices that use public-key cryptography.
User Experience:
• Fast and easy to use.
• Recognizes and denies fraudulent requests.
• Connectivity isn’t required.
• No batteries needed.
Cost: Starts around $20

Built-In Authenticators *
Verify identity with fingerprint, iris, or facial recognition scan, or a PIN or password.
User Experience:
• Fast and easy to use.
• No apps required.
• Strong public-key cryptography that’s unique to the user’s account.
Cost: Starts around $25 for biometric peripherals, if needed

* Notes:
Security keys that use the NFC form factor aren’t supported in products built on the Salesforce Platform.
WebAuthn-compatible security keys aren’t supported in non-Chromium versions of the Edge browser.
If you use a U2F security key with products built on the Salesforce Platform, see Update U2F Security Keys to Support WebAuthn Authentication to ensure your key continues to work.
Built-in authenticators are supported in all products built on the Salesforce Platform, Heroku, Marketing Cloud Intelligence, MuleSoft Anypoint Platform, and Tableau Cloud.
If you can’t use a mobile authenticator app, a TOTP desktop authenticator app or browser extension is another option.
Note: Considering a TOTP desktop app or browser extensions? We recommend using mobile authenticator apps, physical security
keys, or built-in authenticators instead. Why? Because these types of verification methods exist separately from a user's laptop or
workstation. That way, if a bad actor manages to gain access to a user's computer, the user's second factor isn't also compromised.
However, if a desktop app or browser extension is the only option that works for your users, you can satisfy the MFA requirement
with these types of methods.
Tip: If users have already installed a TOTP app for personal or business use, they can set up the same app for Salesforce logins.
SEE ALSO:
Register a Third-Party Authenticator App as an Identity Verification Method
Security Keys
Security keys are small physical devices that are easy to use for multi-factor authentication (MFA) because there’s nothing to install and
no codes to enter. This type of method is a great option if users don’t have a mobile device or if phones aren’t allowed where your users
work. Security keys require a supported browser to act as an intermediary between the key and your Salesforce product. Popular security
keys include the YubiKey™ from Yubico™ and the Titan™ Security Key from Google™.
Supported browsers for WebAuthn keys: Chrome, Edge Chromium, Firefox, Safari
Supported browsers for U2F keys: Chrome (version 41 or later), Edge Chromium
Considerations
• NFC devices aren’t supported in products built on the Salesforce Platform.
SEE ALSO:
Register a Security Key as an Identity Verification Method
Summer ’23 Release Notes: Update U2F Security Keys to Support WebAuthn Authentication
Built-In Authenticators
Multi-factor authentication (MFA) verification is easy with a built-in authenticator service such as Windows Hello™, Touch ID®, or Face
ID®. Users can quickly verify their identity with a fingerprint, iris, or facial recognition scan (or in some cases, with a PIN or password that
the user sets up in their device’s operating system). This type of verification method streamlines the MFA requirement because it relies
on built-in mechanisms rather than users needing a separate authenticator app or physical security key.
Tip: Built-in authenticators are a great option if using a mobile authenticator app isn’t viable. For example, consider this option
for users who don’t have a company-provided mobile device. And built-in authenticators can make sense for PCI-compliant
environments or situations where a user’s work device doesn’t have ports for a physical security key.
• To use biometric authentication, a device must include a fingerprint, iris, or facial recognition scanner supported by the built-in
authenticator service.
• Before registering this type of verifier for MFA, the user's built-in authenticator service must be enabled and set up to verify their
identity via a biometric, PIN, or password.
• Built-in authenticators can't be used when logging in to the Salesforce mobile app.
• Users accessing Salesforce through an API can't verify their identity with a built-in authenticator.
Note: This type of verification method is tied to a user’s specific device. If a user logs in from multiple computers (for example, a
desktop workstation and a laptop), they must register a built-in authenticator on each system. If built-in authenticators aren’t
supported on all of a user’s systems, it’s recommended that they also register an alternate verification method.
To learn more, see FIDO2: Web Authentication (WebAuthn) or the documentation for your users' built-in authenticators.
SEE ALSO:
Register a Third-Party Authenticator App as an Identity Verification Method
Tip: Want to see if your current or planned MFA implementation satisfies the MFA requirement that went into effect February 1,
2022? Check out the MFA Requirement Checker on the MFA for Salesforce customer site.
Keep in mind that MFA is sometimes confused with a feature called Identity Verification (or Device Activation). With this feature, users
are required to provide a verification method if they access Salesforce from an unrecognized browser or device. But MFA offers better
protection because it requires users to provide a strong verification method every time they log in.
SSO is a great option for improving your users’ login experience and it also reduces some of the risks associated with weak or reused
passwords. But on its own, SSO doesn’t provide the protection that you get with MFA. An SSO implementation that relies on user
credentials alone can leave user accounts vulnerable to common attacks such as phishing or credential stuffing. If you currently use SSO
for Salesforce logins, ensure that MFA is enabled for all your Salesforce users:
• For products built on the Salesforce Platform, use the MFA functionality provided in Salesforce or use your SSO provider’s MFA service.
• For all other Salesforce products, use your SSO provider’s MFA service.
The best all-around option for satisfying the MFA requirement is to combine MFA and SSO, so you can deliver the enhanced security of
MFA along with the convenience and ease-of-use of SSO.
SEE ALSO:
Use Salesforce MFA for SSO
Get Feedback
Talk to your champions about their experience. Did they understand how to register a verification method for MFA? Are they comfortable
using their registered method when they log in? How do they feel about the change to the login process?
SEE ALSO:
Get Customizable Templates With the MFA Rollout Pack
Existing Authentication Solutions: Does your company use an existing MFA solution, like Okta or Duo, for other systems? If your Salesforce users are already using MFA to log in to other applications, see if you can integrate your Salesforce products with the same solution. Doing so can reduce your timeline and costs for implementing MFA. And it can minimize friction and change management needs because users are already trained for MFA logins.
Are your Salesforce products integrated with an SSO solution? If you use SSO for Salesforce logins, ensure that MFA is enabled for all your Salesforce users.
• For products built on the Salesforce Platform, use the MFA functionality provided in Salesforce or use your SSO provider’s MFA service.
• For all other Salesforce products, use your SSO provider’s MFA service.
Security Requirements: Work with your security and IT teams to understand how MFA aligns with your company’s security objectives and requirements. Understand if any enterprise mandates are in place, and what kinds of application testing or evaluation processes you must follow.
Legal and Regulatory Requirements: What are your company’s legal commitments to customers and other stakeholders around how your users authenticate to your systems?
Also consider local and other regulatory requirements and how they can impact your MFA implementation. For example, some regulatory requirements include restrictions on downloading applications to certain devices.
Compliance Requirements: What kinds of audit requirements does an MFA implementation affect or trigger? Are you beginning any new compliance regimes in the next 12 months that your MFA project can affect?
Device Requirements: Consider if your industry’s or company’s mobile device policies place any constraints on your MFA implementation. For example, does a mobile app-based solution work or must you provide your users with physical security keys?
If mobile apps are an option, does your company provide corporate devices? Or must you integrate MFA data usage and reimbursement guidelines into your Bring Your Own Device (BYOD) policy?
User Considerations: Understand how MFA can impact the various roles and teams at your company. For example:
• Do any of your users travel or work from locations with limited connectivity?
• Do you have any users, such as third-party call center agents or employees with accessibility requirements, who have special requirements or restrictions regarding verification methods?
• Which verification methods are the least intrusive to your users’ workflow?
We recommend supporting multiple verification methods in your implementation, so each person can choose the option that works best for them.
Budget Considerations: It’s useful to factor in the cost of doing an MFA implementation, as well as the budget needed for post-rollout operational and user support functions.
Salesforce products provide MFA at no extra cost, and the Salesforce Authenticator app is free. But if a mobile app option doesn’t work for some or all users, account for the expense to purchase and distribute security keys.
Tip: You can standardize on one type of method that everyone uses, or you can support multiple options and let users choose.
Consider the tradeoffs when deciding the approach to take. When everyone uses the same method, it simplifies your onboarding
and day-to-day administration responsibilities. But letting users pick what works best for them eliminates the need for a
one-size-fits-all solution. And it’s easier to meet all of your requirements. Plus, users are less likely to get locked out of Salesforce
if they can set up multiple verification methods for themselves.
SEE ALSO:
Plan Your Multi-Factor Authentication Rollout
Verification Methods for Multi-Factor Authentication
Use Salesforce MFA for SSO
• Identify all of your privileged users, including Salesforce admins and users who have a high level of access to the application or
sensitive data. These users are your top priority when rolling out MFA because their accounts pose the highest risk should they be
compromised.
• Decide on logical groups of users if you’re planning to roll out MFA in phases.
• Evaluate how well you’re applying the principle of “least privilege” to your user accounts. As a security best practice, limit users to
the minimum set of permissions needed to do their jobs. This way, if an attacker gains access to an account, there’s less risk to your
environment. A user inventory shows where you can dial back permissions to reduce the number of privileged users. We recommend
doing this exercise on a quarterly basis. If it’s been a while, your MFA project is a great reason to schedule a review now.
Tip: Get a user inventory template from the downloadable MFA Rollout Pack.
SEE ALSO:
Identify Your Privileged Users for Products Built on the Salesforce Platform
Plan Your Multi-Factor Authentication Rollout
Identify Your Privileged Users for Products Built on the Salesforce Platform
As you evaluate your org for multi-factor authentication (MFA), it’s useful to inventory your Salesforce users. This step helps you identify
who your privileged users are. It gives you the data for planning a phased rollout, and provides insight into the level of effort for your
project. Salesforce admins and other privileged users are your top priority when rolling out MFA. There are several tools you can use to
inventory your user base.
Available only in: Products built on the Salesforce Platform, including Sales Cloud, Service Cloud, Analytics Cloud, B2B Commerce Cloud,
Marketing Cloud—Audience Studio, Marketing Cloud—Account Engagement, Experience Cloud, Platform, Industries products
(Consumer Goods Cloud, Financial Services Cloud, Government Cloud, Health Cloud, Manufacturing Cloud, Philanthropy Cloud), and
Salesforce Essentials
Available in: Essentials, Group, Professional, Enterprise, Performance, Unlimited, Developer, and Contact Manager Editions
Tip: To understand the benefits of this exercise, see Conduct a User Inventory for Your MFA Implementation.
Get a user inventory template from the downloadable MFA Rollout Pack.
There are a few tools you can use to identify admins and other privileged users in your org.
• Salesforce Optimizer
• Profile and Permission Set Helper from Salesforce AppExchange
• Query profile and permission set objects
Find All Privileged Users with Profile and Permission Set Helper
Use the Profile and Permission Set Helper tool from AppExchange to identify all of the privileged users in your org. The tool searches
your org’s profiles and permission sets for a specific user permission, then displays all users who have the permission.
Download and install the Profile and Permission Set Helper package from AppExchange. Select Permission Set Helper from App
Launcher. Click the Permissions Analyzer tab. Make these settings in the sidebar:
The app displays all users who have been assigned the selected permission, either through a permission set or their profile.
Repeat these steps to search for each of the privileged user permissions.
To run a query for all users who are assigned any of the four privileged permissions via permission sets:
SELECT Assignee.Id, Assignee.Username, Assignee.Profile.Name, PermissionSet.Label,
PermissionSet.PermissionsCustomizeApplication,
PermissionSet.PermissionsModifyAllData, PermissionSet.PermissionsManageUsers,
PermissionSet.PermissionsViewAllData
FROM PermissionSetAssignment
WHERE Assignee.IsActive = true AND PermissionSet.IsOwnedByProfile = false AND
(PermissionSet.PermissionsModifyAllData = true
OR PermissionSet.PermissionsCustomizeApplication = true
OR PermissionSet.PermissionsManageUsers = true
OR PermissionSet.PermissionsViewAllData = true)
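The query returns one row per permission set assignment, so a user who holds two privileged permission sets appears twice. The following added example (not Salesforce code) collapses such rows into a per-user inventory of the four privileged permissions, records which permission set grants each, and counts how many distinct users hold each permission, which is the number the least-privilege review in the user inventory bullets above tries to drive down. The JSON is a constructed stand-in for the REST query endpoint's response shape; the usernames, Ids and permission set labels are made up, and the "first wave" ordering is this example's own choice rather than Salesforce guidance. Because the query excludes profile-owned permission sets (IsOwnedByProfile = false), privileged permissions granted by a profile are not in these results and need a separate profile query.

```python
# Added example (not Salesforce code): build a privileged-user inventory from
# PermissionSetAssignment query results. SAMPLE_QUERY_RESPONSE is a constructed
# stand-in for the REST query endpoint's JSON; all names and Ids are made up.
import json
from collections import defaultdict

PRIVILEGED_PERMISSIONS = (
    "PermissionsModifyAllData",
    "PermissionsCustomizeApplication",
    "PermissionsManageUsers",
    "PermissionsViewAllData",
)

# Constructed sample: one record per (user, permission set) assignment. A real
# response sets "done": false and carries "nextRecordsUrl" when more pages follow.
SAMPLE_QUERY_RESPONSE = json.dumps({
    "totalSize": 3, "done": True,
    "records": [
        {"Assignee": {"Id": "005000000000001AAA", "Username": "alice@example.com",
                      "Profile": {"Name": "Standard User"}},
         "PermissionSet": {"Label": "Integration Admin", "PermissionsCustomizeApplication": True,
                           "PermissionsModifyAllData": True, "PermissionsManageUsers": False,
                           "PermissionsViewAllData": True}},
        {"Assignee": {"Id": "005000000000001AAA", "Username": "alice@example.com",
                      "Profile": {"Name": "Standard User"}},
         "PermissionSet": {"Label": "Help Desk", "PermissionsCustomizeApplication": False,
                           "PermissionsModifyAllData": False, "PermissionsManageUsers": True,
                           "PermissionsViewAllData": False}},
        {"Assignee": {"Id": "005000000000002AAA", "Username": "bob@example.com",
                      "Profile": {"Name": "Standard User"}},
         "PermissionSet": {"Label": "Reporting Plus", "PermissionsCustomizeApplication": False,
                           "PermissionsModifyAllData": False, "PermissionsManageUsers": False,
                           "PermissionsViewAllData": True}},
    ],
})


def inventory_from_query(response_json: str) -> dict:
    """Collapse assignment rows into one entry per user, recording which
    privileged permissions the user holds and which permission set grants each."""
    data = json.loads(response_json)
    if not data.get("done", True):
        raise ValueError("partial result set: follow nextRecordsUrl before building the inventory")
    inventory = {}
    for rec in data["records"]:
        user, pset = rec["Assignee"], rec["PermissionSet"]
        entry = inventory.setdefault(user["Username"], {
            "id": user["Id"], "profile": user["Profile"]["Name"],
            "permissions": set(), "granted_by": defaultdict(list)})
        for perm in PRIVILEGED_PERMISSIONS:
            if pset.get(perm):
                entry["permissions"].add(perm)
                entry["granted_by"][perm].append(pset["Label"])
    return inventory


def permission_headcount(inventory: dict) -> dict:
    """Distinct users per privileged permission: the figure a least-privilege
    review tries to reduce before (and after) MFA goes live."""
    return {perm: sum(perm in entry["permissions"] for entry in inventory.values())
            for perm in PRIVILEGED_PERMISSIONS}


def first_wave(inventory: dict) -> list:
    """Usernames in MFA rollout order (this example's own choice): users who can
    modify all data or manage users first, then the remaining privileged users."""
    def rank(username):
        perms = inventory[username]["permissions"]
        return (0 if {"PermissionsModifyAllData", "PermissionsManageUsers"} & perms else 1, username)
    return sorted(inventory, key=rank)


if __name__ == "__main__":
    inv = inventory_from_query(SAMPLE_QUERY_RESPONSE)
    for username, entry in inv.items():
        print(username, entry["profile"], sorted(entry["permissions"]), dict(entry["granted_by"]))
    print("headcount:", permission_headcount(inv))
    print("first wave:", first_wave(inv))
```

The `granted_by` map is what makes the inventory useful for dialing back permissions: when the only reason a user appears is a broad permission set that several people share, the fix is to narrow or split that set, not to chase individual users.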
Important: Make sure to resolve any shared accounts or credentials that are in use before enabling MFA. While Salesforce policy
prohibits sharing user credentials, it does happen. But this practice is incompatible with MFA because each user must connect a
unique verification method to their Salesforce account before they can log in. If multiple users are sharing a single account, only
one person will be able to log in to that account after MFA is enabled.
If you need help with setting up unique accounts for each person who accesses Salesforce, contact your Account Executive or
Sales team. Or refer to Salesforce Checkout and Self Service to Manage your Account.
Tip: Salesforce commissioned Forrester Consulting to conduct the Total Economic Impact™ of Multi-Factor Authentication from
Salesforce study to help customers understand the benefits of adopting MFA. Use this study to educate your leadership and
stakeholders on how MFA can add value to your business’ bottom line. Want a teaser? An organization can achieve up to 164%
return on their MFA investment over 3 years, with a payback in less than 6 months!
Data Protection: MFA helps protect your highly valuable Salesforce data by making it more difficult for attackers to compromise user credentials.
Customer Security: As a steward for your customers’ data, employing strong security controls like MFA helps reduce the risk of downstream impact to their businesses. You can provide assurances to customers about your security posture.
Security Best Practice: With MFA, you’re aligning to a common industry trend that is globally recognized as a best practice for minimizing security risk.
Corporate Responsibility: As your business evolves, you have a responsibility to your customers, shareholders, and employees to protect your products, information, and business.
Business Value: Translate IT benefits like “improved security” into business value by showing how MFA can improve customer confidence, protect your company’s reputation, avoid site or application downtime, and ward off costs and liability associated with a data breach.
It’s also valuable if you can demonstrate how MFA can help achieve other business priorities or goals. For example:
Legal Requirements: Do you have authentication, user security, or data loss requirements that govern your business, your commitments to customers who inherit your security, or your commitments to shareholders? MFA can be an effective way to meet them.
Compliance Requirements: Your organization probably operates under some kind of audit structures, many of which include authentication requirements. You probably also have security policies that you must follow, which could be met through MFA.
Future and Evolving Requirements: Consider your business objectives in the next 12 months. Are you planning on expanding business to new customer segments or markets that require increased security? Is there a change planned that would benefit from MFA?
Also consider your security goals. Does an MFA implementation help you meet any current or emerging enterprise security mandates? MFA is likely a strong mitigation option for emerging risks, or a solution for planned security goals.
Tip: For help with making the case, check out the customizable MFA presentation deck that’s included in the downloadable MFA
Rollout Pack.
SEE ALSO:
Determine Business and User Requirements for MFA
Plan Your Multi-Factor Authentication Rollout
Tip: For help with planning your MFA rollout, check out the customizable templates and guidance in the downloadable MFA
Rollout Pack.
Tip: Involve the right stakeholders early and often to make sure that you’re covering all the bases.
To help with defining and implementing your strategy and project plan, consider these team members:
• Key business users to act as champions and provide the “voice of your customer”
• Salesforce administrators
• Security and IT partners
• Change management leads
• Reporting leads
• Product, engineering, and technical writing leads
Note: The guidance in this topic doesn’t apply to single sign-on (SSO) logins, API logins, or to setting up an MFA requirement for
customers who access your Salesforce Experience Cloud sites or ecommerce sites.
gaps in resources or support so your official launch goes smoothly. You can focus your pilot on admin users, or go for a cross-section of
users across teams to verify that things work well for all audiences.
SEE ALSO:
Determine Business and User Requirements for MFA
Assess Org and User Readiness for MFA
Conduct a User Inventory for Your MFA Implementation
Preview Multi-Factor Authentication
Tip: For help with developing a change management plan, check out the downloadable MFA Rollout Pack. It provides a detailed
change management guide, plus a variety of change management templates to help with communication, marketing, training,
and onboarding.
Communications and Campaigns: Promote awareness and help users feel safe and protected rather than inconvenienced.
Training and Onboarding Resources: Make it clear to users what they must do, when they must do it, and how they can get help if they get stuck.
Launch Day Support: Prepare your support team to assist users with launch day issues and troubleshooting.
Success Metrics: Define how to measure the success of your MFA project. Work with your leadership and stakeholders to determine the metrics for gauging how well user adoption is going.
SEE ALSO:
Prepare Your Users for Multi-Factor Authentication
Support Team: Figure out who owns day-to-day operations, such as your help desk or a third-party service provider. Identify the right contacts on the support team and invite them to provide input into your project plan.
Policies and Processes: Define and document how your support team handles common issues, such as:
• Solving login problems, including failed authentication attempts and account lockouts.
• Helping users recover access if they forget or lose their verification method, get a new method, or a registered method stops working.
• Enabling MFA for new users.
Update your user onboarding procedures so new hires have MFA enabled on their first day. Ensure that MFA registration assistance is included in your new employee onboarding processes.
Training Decide how to impart MFA knowledge to your Support team. Consider holding a training session.
Prioritize creating the documentation that’s necessary for Support agents to troubleshoot and
resolve user problems.
Operational Budget Establish a budget for managing your MFA implementation. Plan for the possibility of a higher
volume of Support cases in the first few weeks after launching MFA.
If you’re using security keys, account for the cost of maintaining a supply of these devices, and
distributing replacement keys to users.
Tip: Make your recovery process easy and blame-free so users feel safe to immediately report a lost device or verification method.
• In addition to yourself, ensure there's at least one other trusted user who has permission to manage users and MFA settings (including
the Manage Multi-Factor Authentication in User Interface user permission). This way, if you get locked out, the other user can restore
your access.
SEE ALSO:
Get Ready to Support Your MFA Implementation
Support Your MFA Implementation
Recover Access for MFA-Enabled Users for Products Built on the Salesforce Platform
Delegate Multi-Factor Authentication Management Tasks
Roll Out Phase: Prepare to Launch Multi-Factor Authentication
Project schedule: Pick your launch date (or dates, if you're rolling out in phases). Then establish a schedule for your MFA project. Include milestones for distributing verification methods and onboarding documentation to users. Check your Salesforce roadmap to avoid launching at the same time as any projects that could compete with your rollout. Work with your leadership to clear roadblocks, such as non-Salesforce projects that could steal focus or resources.
Supported verification methods: Choose the verification methods that you plan to support in your implementation. Document the process and timeline for distributing these methods to your users. If you're supporting physical security keys, allow adequate time before your launch date for users to receive their keys.
Enablement steps and requirements: Define how to resolve any dependencies, prerequisites, or blockers that you identified during the evaluation stage of your project. Document the steps to turn on MFA for users. See Enable MFA for Users on page 35 for details.
Waive MFA for exempt user types (for products built on the Salesforce Platform): Some user types are exempt from the MFA requirement. Most of these cases are automatically excluded when auto-enablement and enforcement occur, but a few exempt user types must be manually excluded by a Salesforce admin, and this should be done before MFA is enabled for your org. See Exclude Exempt Users from MFA for details.
Test plan and acceptance criteria: Establish acceptance criteria and document how to test your MFA implementation. We recommend executing the enablement steps in your plan, then completing the registration flow for each verification method to make sure you can successfully connect to a Salesforce account and log in. Use a test environment or account to avoid the possibility of locking anyone out of your production environment. If a test environment isn't available, enable MFA for a test user or a non-critical role in your production environment, then run through the testing steps. Get a test plan template from the downloadable MFA Rollout Pack. It's also a good idea to verify that your recovery process works as expected: run through the process that you defined in your MFA support plan.
SEE ALSO:
Determine Business and User Requirements for MFA
Prepare Your Users for Multi-Factor Authentication
Tip: For help with these activities, check out the downloadable MFA Rollout Pack. It includes customizable templates to help you
run an email campaign, train users on MFA, and support them on your launch day with onboarding templates.
Communication Forum: Create a central place, such as a Slack channel or Chatter group, for announcements, questions and answers, and peer collaboration. This is also a great place to share regular updates on your launch schedule.
Marketing Campaigns: Build awareness by running a week-long email campaign that sells users on the value of MFA and provides tips and tricks so they're ready for your launch day. This is also a great channel for explaining how to register verification methods and log in with MFA.
Visual Reminders: Reinforce awareness by putting posters in hallways and break rooms. Develop a theme or catchphrase that engages and empowers users, something like "Security Starts With You!" or "Turn the Lock All the Way With MFA." Do you have a creative side? Consider ways to make the posters pop with color or eye-catching imagery.
Tip: Include external users who access your Salesforce environment, such as partners, contractors, and call center services, in all communications and campaigns.
On-Demand Training: Create resources, such as a video, that users can access on their own time. Or, ask users to complete the User Authentication module in Trailhead.
In-Person Training: Set up real-time training opportunities, like webinars or lunch-and-learn sessions.
Implement Multi-Factor Authentication
SEE ALSO:
Determine Your MFA Change Management Strategy
Exclude Exempt Users from MFA
• If you use B2C Commerce Cloud and you haven’t done so already, migrate Business Manager users to Account Manager. For
step-by-step help, see the Unified Authentication for Business Manager FAQ and B2C Commerce Unified Authentication for Business
Manager webinar recording.
Tip: If you conducted a user inventory and identified any users who have more permissions than they need, consider doing some
user management housecleaning. Removing unnecessary permissions reduces the damage a compromised account can do, with or without MFA.
SEE ALSO:
Assess Org and User Readiness for MFA
Document MFA Policies and Processes: Create knowledge articles or other documentation that support agents can use to resolve cases. We recommend addressing these subjects:
• Instructions for registering and signing in with verification methods
• Troubleshooting materials for connection issues, failed authentication attempts, and account lockouts
• Recovery process for lost or stolen verification methods, and helping users disconnect old methods that have been replaced with new ones
• Resolving issues if the connection between a registered method and a user's Salesforce account stops working
Educate Support Agents: Schedule webinar or in-person training sessions. Allow time for demos and Q&A.
Speed Up MFA Case Resolution: If you're using Salesforce to handle support inquiries, streamline responses to common issues and questions by setting up quick text and macros, and organizing them in an MFA folder.
SEE ALSO:
Support Your MFA Implementation
Recover Access for MFA-Enabled Users for Products Built on the Salesforce Platform
Establish an MFA Support Plan
Exclude Exempt Users from MFA
SEE ALSO:
Verification Methods for Multi-Factor Authentication
Tip: Get a customizable test plan template from the downloadable MFA Rollout Pack.
Available only in: Products built on the Salesforce Platform, including Sales Cloud, Service Cloud, Analytics Cloud, B2B Commerce Cloud, Marketing Cloud, Marketing Cloud—Account Engagement, Experience Cloud, Platform, Industries products (Consumer Goods Cloud, Financial Services Cloud, Government Cloud, Health Cloud, Manufacturing Cloud, Philanthropy Cloud), and Salesforce Essentials
Available in: Essentials, Group, Professional, Enterprise, Performance, Unlimited, Developer, and Contact Manager Editions
You can use a sandbox environment, or sign up for a Developer Edition org.
To test verification methods, we recommend using a test user that doesn’t have admin permissions. Log in as the test user, then complete
the registration flow for each method and confirm that you can successfully connect to Salesforce and log in.
Note: Avoid using your admin account for MFA testing so that you don’t inadvertently lock yourself out.
SEE ALSO:
Exclude Exempt Users from MFA
Multi-Factor Authentication Considerations for Sandbox Environments
Define Your MFA Implementation and Test Plan
If you discover any problems that you can't quickly resolve or work around, you can disable MFA for the test user or role at any time, which is why testing against a non-admin account or a non-critical role matters: the account you use to turn MFA off must not be the one you are locked out of.
SEE ALSO:
Define Your MFA Implementation and Test Plan
Launch Multi-Factor Authentication
live. It’s a good idea for users to set up multiple verification methods so they don’t get locked out of their account if they forget or lose
one of their options.
Tip: Want to help your users with the registration process by providing onboarding help ahead of time? Check out the downloadable
MFA Rollout Pack. It provides customizable onboarding templates for each of the verification methods that are supported by
Salesforce products.
The registration steps vary slightly for each verification method. And the way a user starts the self-registration process depends on the
Salesforce product. Use these resources for step-by-step details.
• Products built on the Salesforce Platform (including Sales Cloud and Service Cloud)
• B2C Commerce Cloud
• Heroku
• Marketing Cloud Engagement (powered by Email, Messaging, and Journeys)
• Marketing Cloud Intelligence (powered by Datorama)
• Marketing Cloud Social
• MuleSoft Anypoint Platform
• Tableau Cloud
Note: If a user doesn’t have a method ready by the time MFA is turned on, they automatically go through the registration process
the next time they log in. On-screen prompts guide users through the steps.
Consider these guidelines as you prepare to distribute verification methods.
• Hold a few registration sessions or office hours before your launch day so users can get help if they need it.
• For authenticator apps:
– To ensure the security of mobile authenticator apps such as Salesforce Authenticator or Google Authenticator, require users to
set a PIN or biometric factor on their mobile device. (Note that mobile devices must be secured before users can register mobile
authenticator apps for B2C Commerce.)
SEE ALSO:
Verification Methods for Multi-Factor Authentication
Prepare Your Users for Multi-Factor Authentication
Important: To help prevent unauthorized access to Salesforce accounts, MFA is a default part of the direct login experience for
all production orgs created on or after April 8, 2024. See this release note for more information. For full details on the contractual
requirement to use MFA when accessing Salesforce, see the Salesforce Multi-Factor Authentication FAQ.
There are two methods for enabling MFA.
Tip: Want to see the process in action? Check out the Launch Multi-Factor Authentication for Salesforce video.
There are a few user types that are exempt from the MFA requirement. Most are automatically excluded from MFA when you use the
MFA org setting. However, there are a few MFA-exempt user types that must be manually excluded, which should be completed before
using this option. To see if any of these user types exist in your org and to learn how to exclude them from MFA, see Exclude Exempt
Users from MFA.
• Ready to roll out MFA to everyone assigned to specific custom profiles? Add the MFA user permission to profiles to mass-enable
MFA for users.
SEE ALSO:
Enable MFA for Direct User Logins
Exclude Exempt Users from MFA
Register Verification Methods for Multi-Factor Authentication
Register Verification Methods for Multi-Factor Authentication for B2C Commerce
Multi-Factor Authentication (MFA) for Heroku
Multi-Factor Authentication in Marketing Cloud Intelligence
Multi-Factor Authentication for MuleSoft Anypoint Platform
Multi-Factor Authentication (MFA) for Quip
Tip: To support your users when MFA goes live, check out the customizable communications and onboarding resources that are
provided in the downloadable MFA Rollout Pack.
Kick off your launch with comms: When the big day arrives, make sure that the entire company gets an official communication marking the MFA launch. Work with your executive sponsor, security team, or CISO to send the announcement so everyone understands the importance of the initiative.
Have your support team on standby: Even with proactive advance change management activities, some users may have trouble registering verification methods or authenticating with MFA. To help users resolve problems quickly, make sure your support team is staffed to address MFA-related calls and cases.
Provide direct support for launch day issues: Put any special support logistics that you planned for launch day into motion. For example:
• Staff an onsite help center or office hours so users can get in-person assistance.
• Have an SOS process for execs and business users who need priority help.
Make it an event! While the serious stuff is important, why not inject a little fun and excitement into the rollout by turning your launch day into an event? Here are some ideas:
• Have a raffle with prizes, such as gift cards, a free day off, or lunch with an executive.
Manage Phase: Maintain and Enhance Multi-Factor Authentication
SEE ALSO:
Determine Your MFA Change Management Strategy
Measure the Success of Your Multi-Factor Authentication Rollout
Polls: Conduct polls. For example, create an informal Chatter poll or use an online poll app to ask specific questions.
Surveys: Use a survey app to deliver a formal, written survey that measures satisfaction and problem areas.
Focus Groups: Schedule focus groups to hold conversations with key users and teams.
Q & A Sessions: Host open question-and-answer sessions to hear concerns about any impacts from your MFA policies.
SEE ALSO:
Get User Feedback on Your MFA Implementation
Note: Prior to the Winter ‘21 release, this package was called Two-Factor Authentication Dashboard.
SEE ALSO:
Monitor and Analyze MFA Usage
To access the Lightning Usage App, from the App Launcher, find and open Lightning Usage. From the app, click Login Metrics
under SECURITY on the left side of the page to view the associated data. The Login Metrics page shows login data for password-free,
single sign-on (SSO), and username and password login methods, with and without MFA, for the last 7 days and the last 3 months. For
more MFA and security resources, click any of the links below Multi-Factor Authentication (MFA) and General Security Actions.
• Password-free logins track certificate-based logins, Lightning logins, and passwordless logins.
• Single sign-on logins track Salesforce and third-party logins done via federated SSO, including the SAML and OpenID Connect open
standards.
• Delegated Authentication logins are tracked under the Username and Password login metric.
• Logins with MFA track only Salesforce MFA logins.
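Turning that breakdown into an adoption figure is a small aggregation over login records. The script below is an added illustration, not part of this guide and not a Salesforce tool; it runs over a handful of constructed records whose field names (user, when, method, mfa) are this example's own shape, not the Salesforce login history schema. It keeps the two distinctions called out above: delegated authentication is counted in the username-and-password bucket, and the MFA flag reflects Salesforce MFA only, so an SSO login whose second factor was checked by the identity provider carries mfa=False and is deliberately not reported as a gap.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records for this example (not real login data).
# "method" mirrors the three Login Metrics buckets; "mfa" means Salesforce MFA
# only, so SSO logins verified by an external IdP carry mfa=False here.
SAMPLE_LOGINS = [
    {"user": "ana",  "when": "2024-05-06T09:02:00", "method": "password",      "mfa": True},
    {"user": "ana",  "when": "2024-05-03T08:55:00", "method": "password",      "mfa": True},
    {"user": "bob",  "when": "2024-05-02T10:11:00", "method": "password",      "mfa": False},
    {"user": "bob",  "when": "2024-05-05T10:14:00", "method": "password",      "mfa": True},
    {"user": "cara", "when": "2024-05-04T07:30:00", "method": "sso",           "mfa": False},
    {"user": "dan",  "when": "2024-05-06T12:00:00", "method": "password-free", "mfa": False},
    {"user": "eve",  "when": "2024-04-20T16:45:00", "method": "password",      "mfa": False},  # outside a 7-day window
    {"user": "eve",  "when": "2024-05-01T16:40:00", "method": "password",      "mfa": True},
]

# Username-and-password logins; delegated authentication is reported in this bucket too.
DIRECT_METHODS = {"password"}


def _as_dt(value):
    """Accept either a datetime or an ISO-8601 string for the report time."""
    return datetime.fromisoformat(value) if isinstance(value, str) else value


def in_window(records, now, days):
    """Keep records whose timestamp falls within the last `days` days before `now`."""
    now = _as_dt(now)
    since = now - timedelta(days=days)
    return [r for r in records if since <= datetime.fromisoformat(r["when"]) <= now]


def adoption_by_method(records, now, days=7):
    """Return {method: (logins_with_mfa, total_logins)} for the window."""
    tally = defaultdict(lambda: [0, 0])
    for r in in_window(records, now, days):
        tally[r["method"]][1] += 1
        if r["mfa"]:
            tally[r["method"]][0] += 1
    return {m: (with_mfa, total) for m, (with_mfa, total) in tally.items()}


def mfa_rate(records, now, method="password", days=7):
    """Fraction of the method's logins in the window that used Salesforce MFA."""
    with_mfa, total = adoption_by_method(records, now, days).get(method, (0, 0))
    return with_mfa / total if total else 0.0


def users_missing_mfa(records, now, days=7):
    """Users who logged in directly (username and password) without MFA in the window.

    SSO and password-free logins are excluded on purpose: their second factor is
    not visible to Salesforce, so a False flag there is not evidence of a gap.
    """
    missing = {r["user"] for r in in_window(records, now, days)
               if r["method"] in DIRECT_METHODS and not r["mfa"]}
    return sorted(missing)


if __name__ == "__main__":
    report_time = "2024-05-07T00:00:00"
    for method, (with_mfa, total) in adoption_by_method(SAMPLE_LOGINS, report_time).items():
        print(f"{method:14s} {with_mfa}/{total} logins with MFA")
    print("direct logins without MFA:", users_missing_mfa(SAMPLE_LOGINS, report_time))
```

A practical success metric from this is the password-bucket MFA rate trending to 100% while the list of direct-login users without MFA empties; the SSO bucket is measured at the identity provider instead.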
Support Your MFA Implementation
SEE ALSO:
Identify Your Users and Manage Access
Access Recovery
Your options for assisting users if they forget or lose their usual verification methods depend on your Salesforce product.
Admin-Generated Temporary Verification Codes: For some products, admins can generate temporary codes that allow users to log in without a verification method. Here are the steps for the products that support this option:
• Products built on the Salesforce Platform (including Sales Cloud and Service Cloud) on page 42
• Marketing Cloud Engagement (powered by Email, Messaging, and Journeys)
• Marketing Cloud Social
User-Generated Recovery Codes: In some products, users can generate a list of ten single-use recovery codes that they can keep in a safe place until needed. As part of your onboarding activities, ask your users to generate recovery codes when they start using MFA. Here are the steps for the products that have this option:
• Heroku
• Marketing Cloud Intelligence (powered by Datorama)
• Marketing Cloud Social
• Tableau Cloud
Reset MFA: For MuleSoft Anypoint Platform, admins can reset MFA for a user who has lost or forgotten their verification methods. The user is then prompted to register a new method the next time they log in.
Note: If you’re the only admin for your product and you get locked out, contact Salesforce Customer Support.
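The two recovery mechanisms above differ in who holds the secret and how long it lives. The code below is an added example, not the guide's own and not any Salesforce product's implementation, showing the server-side shape of both: ten user-generated single-use codes of which only hashes are stored, and an admin-issued temporary code with an expiry that the admin can also cut short. The code lengths, the one-hour default lifetime and the single-use rule for temporary codes are this example's choices, not documented product behaviour.

```python
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass

CODE_ALPHABET = string.ascii_lowercase + string.digits


def _digest(code: str) -> bytes:
    """Normalise (drop separators, lowercase) and hash; plaintext codes are never stored."""
    return hashlib.sha256(code.replace("-", "").strip().lower().encode()).digest()


class RecoveryCodes:
    """User-generated backup codes: shown once, stored as hashes, each valid for one login."""

    def __init__(self, count: int = 10, length: int = 10):
        self.count, self.length = count, length
        self._hashes: set[bytes] = set()

    def generate(self) -> list[str]:
        """Mint a fresh set, invalidating any earlier set. Returns the plaintext list once."""
        codes = []
        for _ in range(self.count):
            raw = "".join(secrets.choice(CODE_ALPHABET) for _ in range(self.length))
            codes.append(f"{raw[:5]}-{raw[5:]}")  # hyphen is for readability only
        self._hashes = {_digest(c) for c in codes}
        return codes

    def redeem(self, candidate: str) -> bool:
        """Consume the matching code; each stored hash is compared in constant time."""
        wanted = _digest(candidate)
        for stored in self._hashes:
            if hmac.compare_digest(stored, wanted):
                self._hashes.discard(stored)
                return True
        return False

    def remaining(self) -> int:
        return len(self._hashes)


@dataclass
class _TempEntry:
    digest: bytes
    expires_at: int
    used: bool = False


class TemporaryCodes:
    """Admin-issued codes keyed by user: time-limited, single-use, revocable."""

    def __init__(self):
        self._by_user: dict[str, _TempEntry] = {}

    def issue(self, user: str, now: int, ttl_seconds: int = 3600) -> str:
        """Create a code for `user`; the plaintext goes to the user out of band, only the hash stays."""
        code = f"{secrets.randbelow(10 ** 8):08d}"
        self._by_user[user] = _TempEntry(_digest(code), now + ttl_seconds)
        return code

    def redeem(self, user: str, candidate: str, now: int) -> bool:
        """Accept once, and only before expiry; a revoked or absent code never matches."""
        entry = self._by_user.get(user)
        if entry is None or entry.used or now >= entry.expires_at:
            return False
        if not hmac.compare_digest(entry.digest, _digest(candidate)):
            return False
        entry.used = True
        return True

    def expire(self, user: str) -> None:
        """Admin revocation before the lifetime runs out (the "expire" step in the recovery process)."""
        self._by_user.pop(user, None)
```

The operational points this models are the ones the support plan needs: recovery codes are generated at enrollment (not at the moment of lockout, when the user can no longer log in to create them), and an admin-issued code is a short-lived bypass that should be expired as soon as the user has re-registered a method.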
SEE ALSO:
Establish an MFA Support Plan
Get Ready to Support Your MFA Implementation
Recover Access for MFA-Enabled Users for Products Built on the Salesforce Platform
Recover Access for MFA-Enabled Users for Products Built on the Salesforce Platform
After MFA is enabled, access problems usually fall into two categories: the connection between a user's MFA verification method and
their Salesforce account isn't working or a user lost, replaced, or forgot their MFA verification method. Use temporary verification codes
to allow users to regain access immediately. When dealing with a broken connection or a missing verification method, revoke the
connection and help the user set up a new method.
Here are the recommended recovery steps for the most common MFA-related access issues.
• Help the user re-register their verification method or set up a new method. See Register Verification Methods for Multi-Factor
Authentication.
• Expire the user's temporary verification code when it's no longer needed. See Expire a Temporary Verification Code.
SEE ALSO:
Establish an MFA Support Plan
Get Ready to Support Your MFA Implementation
Optimize Your Multi-Factor Authentication Implementation...and More
Enhance Login Security: Implement controls like IP range restrictions for logins.
Consider Alternative Identity Security Solutions: Single sign-on (SSO) is a great option for improving your users' login experience. If your users regularly access multiple apps in the course of their day, we suggest using an Identity Provider (IdP) to enhance access security for all your applications, including Salesforce. With a well-implemented SSO strategy, you can reduce password-related risks, improve authentication processes, and make it easier for your users to log in to frequently-used applications. To comply with the MFA requirement, enable MFA for your SSO identity provider.
Apply MFA to API Logins: Apply the "least privilege" principle to your API users. It's a common bad practice to give powerful admin-level permissions to API users when really all that's needed is access to relevant objects. Audit the permissions that API users currently have, and see where you can eliminate unnecessary privileges. Consider if your API users also have access to the user interface. If that's not necessary, limit access to the API only.
If you use products built on the Salesforce Platform, you can use built-in tools to review your overall Salesforce security settings and find
ways to address any existing risks.
• Use Security Health Check to identify and fix risks in your security settings.
• Use Salesforce Shield to build a new level of trust, transparency, compliance, and governance directly into business-critical apps.
Multi-Factor Authentication Glossary
Enable MFA
The action that customer admins take to turn on MFA for their org/tenant/realm. Depending on the Salesforce product, admins can
enable MFA at the org level, for groups of users, or on a user-by-user basis.
Enforce MFA
When Salesforce enforces MFA for a Salesforce product, it becomes a permanent part of the product’s login process. During
enforcement, Salesforce auto-enables MFA for all users who aren’t already using it for direct logins. At the same time, Salesforce
removes the option for all customer users, including admins, to disable MFA.
Least Privilege
The concept that a user should have the fewest number of permissions necessary to do their job — and nothing more. This limits
the risk of a user accessing information or performing an action that shouldn’t be allowed given their role, limits the impact of user
errors, and reduces the damage of compromised credentials in the event of an attack.
Multi-Factor Authentication (MFA)
A security measure used to increase protection for accessing user accounts. MFA requires users to present two or more pieces of
evidence — or factors — during login to prove they’re who they say they are. These pieces of evidence must fall into at least two
different categories (something a user knows, has, or is). A familiar example of MFA at work is the two factors needed to withdraw
money from an ATM. To withdraw funds, you must first present your ATM card (something you have), and then you must enter your
PIN (something you know). See also Verification Method.
Privileged User
Admins and users who have a high level of access to the application or sensitive data.
For products built on the Salesforce Platform, a privileged user is a Salesforce admin (defined as a user with both the Customize
Application and Modify All Data user permissions) or a user with any of these user permissions: Customize Application, Manage
Users, Modify All Data, or View All.
Register for MFA
The process each user goes through to connect a verification method to their account so they can use the method to verify their
identity when logging in. When MFA is enabled, users are required to register a method before they can log in. Users can register
multiple methods so they have backup options in case they lose or forget their primary method.
Security Keys
A physical device that authenticates a person by performing a cryptographic challenge-response with a private key that never leaves the device, so there is no shared secret or code for a phishing site to capture. Security keys come in many different form factors, including USB, Lightning, and NFC. Also referred to as a security token or authentication token.
Strong Verification Method
Verification methods that are more resistant to cyberattacks, such as phishing and man-in-the-middle attacks. These types of methods
help provide high assurance that users accessing Salesforce products are who they say they are. See also Verification Method.
Time-Based One-Time Passwords (TOTP)
Single-use passcodes that can be used as a verification method to authenticate a user to their account. To use TOTP, a user needs a TOTP authenticator app, which generates the passcodes. When a user authenticates, the app runs an algorithm that derives a one-time passcode from a secret shared with the service and the current time. Once displayed, the passcode is valid only for a limited time window; when it expires, it can no longer be used to log in, and the user must wait for the app to produce a new one.
Two-Factor Authentication (2FA)
A subset of multi-factor authentication (MFA) that requires only two factors to log in. Both 2FA and MFA protect against unauthorized
access by requiring a user to provide multiple factors to verify their identity. The difference between them is the number of factors
that are needed to log in. While some MFA solutions may require three, four, or more combinations of factors, 2FA requires only
two.
Verification Method
A piece of evidence that a user presents when logging in to verify their identity. Also referred to as a factor or authentication factor.
Salesforce products support several types of verification methods, including Salesforce Authenticator, third-party TOTP authenticator
apps (such as Google Authenticator or Authy), physical security keys, and built-in authenticators (such as Windows Hello, TouchID,
or FaceID). See also Strong Verification Method.
INDEX
built-in authenticators 12
MFA Rollout Pack 6
Multi-factor authentication 2–3, 6–8, 10–13, 18–19, 21–25, 27–28, 30–44
Multi-Factor Authentication Assistant 3
security keys 11
third-party authenticator apps 10
TOTP authenticator apps 10
Two-factor authentication 2–3, 6–8, 10–13, 18–19, 21–25, 27–28, 30–44