Newer Version Available

This content describes an older version of this product. View Latest

Enable MFA with Session Security Levels

You can enable multi-factor authentication (MFA) using the security level, either standard or high assurance, assigned to a login method in your Salesforce session settings.
Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience
Available in: Enterprise, Performance, Unlimited, and Developer Editions

User Permissions Needed
To edit profiles and permission sets: Manage Profiles and Permission Sets
To generate a temporary verification code: Manage Multi-Factor Authentication in User Interface

MFA was formerly called two-factor authentication or 2FA.

Note

To require MFA for users assigned to a particular profile, edit the session security level required at login profile setting. Then set your session security levels to apply the policy for particular login methods.

By default, the session security requirement at login profile setting is None. You can edit a profile’s session settings to change the requirement to high assurance. When profile users with the high assurance requirement use a login method that grants standard-level security instead of high assurance, they’re prompted to verify their identity with MFA. After users authenticate successfully, they’re logged in to Salesforce.

Users with mobile devices can use the Salesforce Authenticator mobile app or a third-party authenticator app as a verification method for MFA. Users can connect the app to their account in the Advanced User Details page of their personal settings. If you set the high assurance requirement on a profile, profile users without the Salesforce Authenticator or another authenticator app are prompted to connect the app to their account. After they connect the app, they’re prompted to use the app to verify their identity.

Users can also use registered U2F security keys as a verification method for MFA.

Experience Cloud site members with the high assurance profile requirement are prompted to connect an authenticator app during login.

When MFA is enabled for a site, admins can’t use the Log In As feature to access the site. See Create Experience Cloud Users.

Note

If users are logging in using an OAuth authorization flow, users can be prompted to verify their identity with MFA twice. The first challenge is on the UI session. The second challenge happens when the access token is bridged into the UI. The high assurance session security level can’t be transferred to the access token.

  1. From Setup, in the Quick Find box, enter Profiles, then select Profiles.
  2. Select a profile.
  3. Scroll to Session Settings, and find the Session security level required at login setting.
  4. Click Edit, and select High Assurance.
  5. Save your changes.
  6. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
  7. In Session Security Levels, make sure that Multi-Factor Authentication is in the High Assurance column.
    If Multi-Factor Authentication is in the Standard column, users get an error when they log in with a method that grants standard-level security.

    Consider moving Activation to the High Assurance column. With this setting, users who verify their identity from an unrecognized browser or app establish a high-assurance session. When Activation is in the High Assurance column, profile users who verify their identity at login aren’t challenged to verify their identity again.

    Note

  8. Save your changes.

Example

You configured Facebook and LinkedIn as authentication providers in your site. Many of your site members use social sign-on to log in using the username and password from their Facebook or LinkedIn accounts. You want to increase security by requiring customers to use MFA when they log in with their Facebook account. You want users who log in with their LinkedIn account to be automatically granted high assurance access and bypass MFA.
  • In the Customer Community User profile, set the session security level required at login to High Assurance.
  • In your session settings, edit the session security levels.
    • Because you’re requiring MFA with Facebook accounts, make sure that Facebook is in the Standard column.
    • Add Multi-Factor Authentication to the High Assurance column. When users log in with their Facebook account, they’re required to provide a verification method in addition to their username and password.
    • Add LinkedIn to the High Assurance column. When users log in with their LinkedIn account, they’re granted High Assurance access without needing to provide a verification method.
Session security levels for org in example.

To initiate identity verification under specific conditions, you can use login flows to change the user’s session security level. Login flows let you build a custom post-authentication process that meets your business requirements.

Note

If users lose or forget the device they usually use for MFA, you can generate a temporary verification code for them. You set when the code expires, from 1 to 24 hours after you generate it. Your user can use the code multiple times until it expires. A user can have only one temporary code at a time. If a user needs a new code while the old code is still valid, you can expire the old code, then generate a new one. Users can expire their own valid codes in their personal settings.

The high assurance security setting applies to UI logins. OAuth token exchanges aren’t subject to the requirement. OAuth refresh tokens that were obtained before a high assurance security setting is applied to a profile can still be exchanged for valid API access tokens. Tokens are valid even if they were obtained with a standard assurance session. To require users to establish a high assurance session before accessing the API with an external application, revoke existing OAuth tokens for users with that profile. Then assign a high assurance security setting to the profile. Users must log in with MFA and reauthorize the application.

Note