Set Up Two-Factor Authentication

Admins enable two-factor authentication through permissions or profile settings. Users add the mobile authenticator app through their own personal settings.

Available in: Both Salesforce Classic and Lightning Experience

Available in: Group, Professional, Enterprise, Performance, Unlimited, Developer, and Contact Manager Editions

You can customize two-factor authentication in the following ways.

Require it for every login. Set the two-factor login requirement for every time the user logs in to Salesforce. You can also enable this feature for API logins, which includes the use of client applications like the Data Loader. For more information, see Set Two-Factor Authentication Login Requirements or Set Two-Factor Authentication Login Requirements for API Access.
Walk Through It: Secure Logins with Two-Factor Authentication
Use “stepped up” authentication (also known as “high assurance” authentication). Sometimes you don’t need two-factor authentication for every user’s login, but you want to secure certain resources. If the user tries to use a connected app or reports, Salesforce prompts the user to verify identity. For more information, see Session Security Levels.
Use profile policies and session settings. First, in the user profile, set the Session security level required at login field to High Assurance. Then set session security levels in your org’s session settings to apply the policy for particular login methods. In your org’s session settings, check the session security levels to make sure that Two-Factor Authentication is in the High Assurance column.
If Two-Factor Authentication is in the Standard column, users get an error when they log in with a method that grants standard-level security.
Warning
Use login flows. Use the Flow Designer and profiles to build post-authentication requirements as the user logs in, including custom two-factor authentication processes. For more information, see the following examples.

Set Two-Factor Authentication Login Requirements
As a Salesforce administrator, you can require your users to use a mobile authenticator app for two-factor authentication when they log in.
Set Two-Factor Authentication Login Requirements for Single Sign-On, Social Sign-On, and Communities
Use profile policies and session settings to set two-factor authentication login requirements for users. All Salesforce user interface authentication methods, including username and password, delegated authentication, SAML single sign-on, and social sign-on through a third-party authentication provider, are supported. You can apply the two-factor authentication requirement to users in Salesforce orgs and Communities.
Set Two-Factor Authentication Login Requirements for API Access
Salesforce admins can set the “Two-Factor Authentication for API Logins” permission to allow using a second authentication challenge for API access to Salesforce. API access includes the use of applications like the Data Loader and developer tools for customizing an organization or building client applications.
Connect Salesforce Authenticator (Version 2 or Later) to Your Account for Identity Verification
You can connect version 2 or later of the Salesforce Authenticator mobile app to your account. Use the app whenever Salesforce has to verify your identity. If your administrator requires two-factor authentication for increased security when you log in or access reports or dashboards, use the app to verify your account activity. If you’re required to use two-factor authentication before you have the app connected, you’re prompted to connect it the next time you log in to Salesforce. If you don’t yet have the two-factor authentication requirement, you can still connect the app to your account through your personal settings.
Connect a One-Time Password Generator App or Device for Identity Verification
You can connect a one-time password generator app, such as Salesforce Authenticator or Google Authenticator, to your account. Use a verification code generated by the app, sometimes called a “time-based one-time password,” whenever Salesforce has to verify your identity. If your administrator requires two-factor authentication for increased security when you log in, access connected apps, or access reports or dashboards, use a code from the app. If you’re required to use two-factor authentication before you have an app connected, you’re prompted to connect one the next time you log in to Salesforce. If you don’t yet have the two-factor authentication requirement, you can still connect the app to your account through your personal settings.
Disconnect Salesforce Authenticator (Version 2 or Later) from a User’s Account
Only one Salesforce Authenticator (version 2 or later) mobile app can be connected to a user’s account at a time. If your user loses access to the app by replacing or losing the mobile device, disconnect the app from the user’s account. The next time the user logs in with two-factor authentication, Salesforce prompts the user to connect a new authenticator app.
Disconnect a User’s One-Time Password Generator App
Only one mobile authenticator app that generates verification codes (one-time passwords) can be connected to a user’s account at a time. If your user loses access to the app by replacing or losing the mobile device, disconnect the app from your user’s account. The next time your user logs in with two-factor authentication, Salesforce prompts the user to connect a new authenticator app.

Salesforce Security Guide

Set Up Two-Factor Authentication

See Also: