Preparing for Salesforce Multi-Factor Authentication (MFA)
As of Feb 1st, 2022, Salesforce will be enforcing MFA for all SSO and standard logins to the platform. MFA has to be configured on the admin side, and each user then has to set up the multi-factor login process on their own side. To help your team prepare, we have compiled step-by-step instructions that walk you through this process.
Enabling MFA In Your Org
Step 1: Verify that the session security level is set for multi-factor authentication
First, make sure that the right security level is associated with the multi-factor authentication login method. In most production orgs, this setting is already in place. But if it’s not, it’s important to do this step before you set up an MFA requirement for any admin users. Otherwise, you could prevent yourself or other admins from logging in.
From Setup, enter Session Settings in the Quick Find box, then select Session Settings.
Under Session Security Levels, make sure that Multi-Factor Authentication is in the High Assurance category.
Step 2: Create a permission set for multi-factor authentication
Enable MFA for users by assigning the Multi-Factor Authentication for User Interface Logins user permission. You can do this step by editing profiles or by creating a permission set that you assign to specific users.
Log in again as the system administrator of your org.
From Setup, enter Permission in the Quick Find box, then select Permission Sets.
Click New.
Label the permission set “MFA Authorization for User Logins”.
Click Save.
Under System, click System Permissions.
Now you’re on the detail page for the MFA Authorization for User Logins permission set.
Click Edit.
Select Multi-Factor Authentication for User Interface Logins.
Click Save, then click Save again to confirm permission changes.
Step 3: Assign the permission set to your users
When you’re ready to roll out MFA, you can assign the same permission set to all users.
If you’re not on the detail page for your new permission set, navigate back there.
On the detail page of the new permission set, click Manage Assignments.
Click Add Assignments. On the list of users, select the checkbox next to your users’ names. (If you wanted, you could assign up to 1,000 users at a time.)
Click Assign.
The next time your users log in, they will be prompted to provide a verification method as a second factor, in addition to their username and password.
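To confirm the rollout in Steps 2 and 3 reached everyone, the following anonymous Apex (run from the Developer Console) lists what grants the MFA permission and which active users still lack it. This is an added example, not part of the original instructions. It assumes PermissionsForceTwoFactor is the API name of the Multi-Factor Authentication for User Interface Logins permission, and the UserType filter and row limit are illustrative choices.

```apex
// Added audit example (anonymous Apex), not part of the original instructions.
// Assumption: PermissionsForceTwoFactor is the API name of the
// "Multi-Factor Authentication for User Interface Logins" permission.

// 1. Every permission set or profile that grants the MFA login permission.
//    Profile grants appear as permission sets with IsOwnedByProfile = true.
for (PermissionSet ps : [
        SELECT Label, IsOwnedByProfile, Profile.Name
        FROM PermissionSet
        WHERE PermissionsForceTwoFactor = true]) {
    String source = ps.IsOwnedByProfile
        ? 'Profile: ' + ps.Profile.Name
        : 'Permission set: ' + ps.Label;
    System.debug('MFA granted by ' + source);
}

// 2. Active internal users with no assignment that grants the permission.
//    PermissionSetAssignment also holds each user's profile-owned permission
//    set, so one anti-join covers profile and permission-set grants alike.
List<User> uncovered = [
    SELECT Username, Profile.Name, LastLoginDate
    FROM User
    WHERE IsActive = true
      AND UserType = 'Standard'   // illustrative scope: internal users only
      AND Id NOT IN (
          SELECT AssigneeId
          FROM PermissionSetAssignment
          WHERE PermissionSet.PermissionsForceTwoFactor = true)
    ORDER BY Profile.Name, Username
    LIMIT 2000];                  // illustrative cap to keep the debug log readable

System.debug('Active users without the MFA permission: ' + uncovered.size());
for (User u : uncovered) {
    System.debug(u.Profile.Name + ' | ' + u.Username
        + ' | last login ' + u.LastLoginDate);
}
```

A count of zero means every active internal user has the permission through a profile or a permission set; any user listed will not be prompted for a second factor by this permission.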
Want to restrict users’ automated verifications to trusted IP addresses only, such as your corporate network? Or prevent them entirely? You can. When logged in as an admin, go to your org's Session Settings and change what’s allowed.
Set Up Salesforce Authenticator
PHONE: Download and install Salesforce Authenticator for iOS from the App Store or Salesforce Authenticator for Android from Google Play.
PHONE: Tap the app icon to open Salesforce Authenticator.
DESKTOP: Log in with your username and password.
DESKTOP: Salesforce prompts you to connect Salesforce Authenticator to your account.
PHONE: Page through the tour to learn how Salesforce Authenticator works.
PHONE: Enter your mobile number to create a backup of the accounts that are connected to Salesforce Authenticator. Then tap the notification when prompted to complete the verification. You can skip creating a passcode for now. (Later on, you can create a passcode if you want to set up a backup to restore your accounts.)
PHONE: Tap the arrow to add your account to Salesforce Authenticator. The app displays a two-word phrase.
DESKTOP: Enter the phrase in the Two-Word Phrase field.
DESKTOP: Click Connect.
PHONE: Salesforce Authenticator shows details about your account: your username and the name of the service provider—in this case, Salesforce.
PHONE: Tap Connect.
DESKTOP: You are logged in to your Salesforce account!
Automate the Authentication Process
If you let Salesforce Authenticator use your phone’s location services, you can tell the app to verify your activities automatically when you’re in a particular location.
Here is how you set that up.
DESKTOP: Log out of your account and then log in again.
PHONE: At the prompt, select Always approve from this location.
DESKTOP: Log out of your account and log in again. You’re not prompted for approval. Salesforce Authenticator recognizes that you are logging in to your Salesforce account again using the same device and at the same location.
Any time you try to log in from a different location, you can add the location to the Salesforce Authenticator list of trusted locations. To view the list and other account details, select the information icon, which opens the account details page.
The account details page lists trusted locations and login activity history. Verified Activities shows how many times Salesforce Authenticator has verified your login to Salesforce. Automations shows how many times Salesforce Authenticator logged you in automatically from a trusted location.
You can clear all trusted locations at once by selecting and then Clear Trusted Locations.
What Happens If You Lose Your Mobile Phone?
If you lose your phone, get a new one, or accidentally delete Salesforce Authenticator, you have a few options. You can either restore your accounts from the backup you made earlier, or disconnect your account from Salesforce Authenticator and then re-register the app.
If you enabled account backups in your Salesforce Authenticator app, all you have to do is reinstall Salesforce Authenticator on your new phone. When you open the app, you’ll see the option to restore your accounts from your backup. You enter the passcode you used when you backed up your accounts, and your accounts reappear on your phone.
What if you didn’t back up your accounts? Here’s what you can do.
Log in as an administrator.
From Setup, enter Users in the Quick Find box, then select Users.
Click the user’s name.
On the user detail page, click Disconnect next to App Registration: Salesforce Authenticator.
The next time the user logs in, if they don’t have another verification method connected, they are prompted to connect Salesforce Authenticator again.