This content describes an older version of this product.

Set Multi-Factor Authentication Login Requirements

Set multi-factor authentication (MFA) login requirements using profile policies and session settings. You can apply MFA requirements to all Salesforce user interface authentication methods. These methods include username and password, delegated authentication, SAML single sign-on (SSO), and social sign-on (SSO using an external authentication provider). You can also enable MFA requirements for Salesforce orgs and communities.
Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience
Available in: Enterprise, Performance, Unlimited, and Developer Editions

User Permissions Needed
To edit profiles and permission sets: Manage Profiles and Permission Sets
To generate a temporary verification code: Manage Multi-Factor Authentication in User Interface

Note

Multi-factor authentication was formerly called two-factor authentication or 2FA.

Use one of these methods to set MFA login requirements.

User Permission

Assign the Multi-Factor Authentication for User Interface Logins permission to a cloned user profile or permission set. Users with the Multi-Factor Authentication for User Interface Logins permission must provide a second factor via a verification method when they log in to the Salesforce org or community. They can use any supported verification method, such as a mobile authenticator app or a Universal Second Factor (U2F) security key.

Profile-based Policy

To require multi-factor authentication for users assigned to a particular profile, edit the session security level required at login profile setting. Then set your org’s session security levels to apply the policy for particular login methods.

By default, the session security requirement at login profile setting is None. You can edit a profile’s session settings to change the requirement to High Assurance. When profile users with the High Assurance requirement use a login method that grants standard-level security instead of high assurance, they’re prompted to verify their identity with MFA. After users authenticate successfully, they’re logged in to Salesforce.

You can edit the security level, either standard or high assurance, assigned to a login method in your org’s session settings.

Users with mobile devices can use the Salesforce Authenticator mobile app or a third-party authenticator app as a verification method for MFA. Internal users can connect the app to their account in the Advanced User Details page of their personal settings. If you set the High Assurance requirement on a profile, profile users without the Salesforce Authenticator or another authenticator app are prompted to connect the app to their account. After they connect the app, they’re prompted to use the app to verify their identity.

Users can also use registered U2F security keys as a verification method for MFA.

Community members with the High Assurance profile requirement are prompted to connect an authenticator app during login.

When multi-factor authentication is enabled for a community, admins can’t use the Log In As feature to access the community. See Create Community Users.

Note

If users are logging in using an OAuth authorization flow, users can be prompted to verify their identity with multi-factor authentication twice. The first challenge is on the UI session. The second challenge happens when the access token is bridged into the UI. The High Assurance session security level can’t be transferred to the access token.

  1. From Setup, enter Profiles in the Quick Find box, then select Profiles.
  2. Select a profile.
  3. Scroll to Session Settings, and find the Session security level required at login setting.
  4. Click Edit, and select High Assurance.
  5. Click Save.
  6. From Setup, enter Session Settings in the Quick Find box, then select Session Settings.
  7. In Session Security Levels, make sure that Multi-Factor Authentication is in the High Assurance column.
    If Multi-Factor Authentication is in the Standard column, users get an error when they log in with a method that grants standard-level security.

    Note

    Consider moving Activation to the High Assurance column. With this setting, users who verify their identity from an unrecognized browser or app establish a high-assurance session. When Activation is in the High Assurance column, profile users who verify their identity at login aren’t challenged to verify their identity again.

  8. Save your changes.

Example

You configured Facebook and LinkedIn as authentication providers in your community. Many of your community members use social sign-on to log in using the username and password from their Facebook or LinkedIn accounts. You want to increase security by requiring customers to use multi-factor authentication when they log in with their Facebook account. You want users who log in with their LinkedIn account to be automatically granted High Assurance access and bypass MFA.
  • In the Customer Community User profile, set the session security level required at login to High Assurance.
  • In your org’s session settings, edit the session security levels.
    • Because you are requiring MFA with Facebook accounts, make sure that Facebook is in the Standard column.
    • Add Multi-Factor Authentication to the High Assurance column. When users log in with their Facebook account, they are required to provide a verification method in addition to their username and password.
    • Add LinkedIn to the High Assurance column. When users log in with their LinkedIn account, they are granted High Assurance access without needing to provide a verification method.
Figure: Session security levels for the org in this example.
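The following Python is an added illustration, not Salesforce code or part of this help page. It models the decision described in the profile-based policy section, the step about the Multi-Factor Authentication column, the Activation note, and the community example above: given a profile's required session security level and the org's Session Security Levels table, it reports whether a login with a given method is granted, challenged with MFA, or fails. All class and function names are my own, and treating a login method that is absent from the table as Standard is an assumption of the model.

```python
"""Model of how the "Session security level required at login" profile
setting and the org's Session Security Levels table decide whether a
user-interface login is challenged with MFA.  Added illustration; the
rules come from the help text, the names are invented for this model."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class Level(Enum):
    STANDARD = "Standard"
    HIGH_ASSURANCE = "High Assurance"


class Outcome(Enum):
    GRANTED = "logged in, no MFA challenge"
    CHALLENGED = "prompted for MFA, then logged in"
    ERROR = "login error: MFA is not in the High Assurance column"


@dataclass
class SessionSecurityLevels:
    """Org-wide table: login method -> column it has been placed in.
    Assumption: a method not listed in the table is treated as Standard."""
    columns: Dict[str, Level] = field(default_factory=dict)

    def level_of(self, method: str) -> Level:
        return self.columns.get(method, Level.STANDARD)


def evaluate_login(profile_requirement: Optional[Level],
                   method: str,
                   table: SessionSecurityLevels,
                   verified_by_activation: bool = False) -> Outcome:
    """Outcome of a UI login with `method` for a user on a profile whose
    required level is `profile_requirement` (None = the default).

    - No requirement on the profile: the login proceeds unchallenged.
    - The method sits in the High Assurance column: no challenge needed.
    - Activation is High Assurance and the user already verified identity
      from an unrecognized browser or app at this login: no second challenge.
    - Otherwise an MFA challenge must raise the session level, which only
      works when "Multi-Factor Authentication" is in the High Assurance
      column; if it is in Standard, the login errors out instead.
    """
    if profile_requirement is None:
        return Outcome.GRANTED
    if table.level_of(method) == Level.HIGH_ASSURANCE:
        return Outcome.GRANTED
    if (verified_by_activation
            and table.level_of("Activation") == Level.HIGH_ASSURANCE):
        return Outcome.GRANTED
    if table.level_of("Multi-Factor Authentication") != Level.HIGH_ASSURANCE:
        return Outcome.ERROR
    return Outcome.CHALLENGED


def audit_table(profile_requirement: Optional[Level],
                table: SessionSecurityLevels) -> List[str]:
    """Pre-deployment check for the misconfiguration the steps warn about:
    a High Assurance profile requirement while MFA cannot grant it."""
    findings: List[str] = []
    if (profile_requirement == Level.HIGH_ASSURANCE
            and table.level_of("Multi-Factor Authentication") != Level.HIGH_ASSURANCE):
        findings.append("Multi-Factor Authentication must be in the High "
                        "Assurance column, or standard-level logins fail.")
    if table.level_of("Activation") != Level.HIGH_ASSURANCE:
        findings.append("Consider moving Activation to High Assurance so "
                        "users verified at login are not challenged twice.")
    return findings


# Constructed table matching the community example in the text.
COMMUNITY_TABLE = SessionSecurityLevels({
    "Facebook": Level.STANDARD,
    "LinkedIn": Level.HIGH_ASSURANCE,
    "Multi-Factor Authentication": Level.HIGH_ASSURANCE,
})

if __name__ == "__main__":
    for method in ("Facebook", "LinkedIn"):
        result = evaluate_login(Level.HIGH_ASSURANCE, method, COMMUNITY_TABLE)
        print(f"{method:>8}: {result.value}")
    for finding in audit_table(Level.HIGH_ASSURANCE, COMMUNITY_TABLE):
        print("audit:", finding)
```

Run it to see the two social sign-on cases from the example: the Facebook login is challenged, the LinkedIn login is granted directly, and the audit reminds you that Activation is still in the Standard column. Swapping Multi-Factor Authentication into the Standard column turns the Facebook case into the login error the steps describe.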

To initiate identity verification under specific conditions, you can use login flows to change the user’s session security level. Login flows let you build a custom post-authentication process that meets your business requirements.

Note

If users lose or forget the device they usually use for MFA, you can generate a temporary verification code for them. You set when the code expires, from 1 to 24 hours after you generate it. Your user can use the code multiple times until it expires. A user can have only one temporary code at a time. If a user needs a new code while the old code is still valid, you can expire the old code, then generate a new one. Users can expire their own valid codes in their personal settings.

Note

The High Assurance profile requirement applies to user interface logins. OAuth token exchanges aren’t subject to the requirement. OAuth refresh tokens that were obtained before a High Assurance requirement is set for a profile can still be exchanged for valid API access tokens. Tokens are valid even if they were obtained with a standard-assurance session. To require users to establish a high-assurance session before accessing the API with an external application, revoke existing OAuth tokens for users with that profile. Then set a High Assurance requirement for the profile. Users must log in with MFA and reauthorize the application.