Overview
The multi-factor authentication (MFA) login process requires users to provide an identity verification method in addition to their username and password. The MFA service provided by Salesforce allows the use of strong verification methods only — that is, methods that provide high assurance that the user is who they say they are. Salesforce products support several types of strong verification methods, including authenticator apps, built-in authenticators, and physical security keys. Here’s an overview to help you identify which options work best for your business and your users.

The MFA functionality provided by Salesforce doesn’t allow the use of security questions or one-time passcodes delivered via email, SMS text messages, or phone calls. This restriction is intentional because of the inherent vulnerabilities with these methods. Email credentials can be compromised, and mobile phone numbers can be intercepted via SIM swapping attacks or hacked mobile device accounts.
For users who log in with single sign-on (SSO), your SSO provider’s MFA service may support methods that aren’t discussed here. See the Salesforce Multi-Factor Authentication FAQ for guidance on verification methods that satisfy the MFA requirement.
Let’s look at the benefits and considerations for each type of verification method supported by Salesforce products.
Salesforce Authenticator | Third-Party Authenticator Apps | Security Keys | Built-In Authenticators |
---|---|---|---|
A smart and simple mobile app that users can easily connect to their Salesforce accounts. | Apps that generate unique, temporary verification codes based on the OATH TOTP algorithm (specified in RFC 6238). | Physical devices that use public-key cryptography. | Operating system-level authentication that verifies identity with fingerprint, iris, or facial recognition scan, or a PIN or password. |
Form Factor: Mobile app for iOS and Android | Form Factor: Mobile, desktop, and browser extension apps available for multiple operating systems | Form Factor: USB, Lightning, and NFC devices that support the WebAuthn and U2F standards | Form Factor: Available via a device’s built-in authenticator service (for example, Windows Hello, Touch ID, and Face ID) |
User Experience: | User Experience: | User Experience: | User Experience: |
Considerations: | Considerations: | Considerations: | Considerations: |
Cost: Free | Cost: Free and paid options | Cost: Starts around $20 | Cost: Starts around $25 for biometric peripherals, if needed |

For guidance on how users can set up and log in with MFA verification methods, see the MFA help documentation for your product. For example, for products built on the Salesforce Platform, see Help Users Register MFA Verification Methods for Salesforce Orgs.
Encourage all users — especially Salesforce admins — to register multiple verification methods so they can avoid getting locked out of your org. If someone forgets or loses their primary method, they have other options for logging in.
Security keys and built-in authenticators must be enabled for products built on the Salesforce Platform before these options are available to users. See Configure the MFA Verification Methods Available to Your Users for Salesforce Orgs.
Notes:
‣ Security keys that use the NFC form factor aren’t supported in products built on the Salesforce Platform.
‣ WebAuthn-compatible security keys aren’t supported in non-Chromium versions of the Edge browser.
‣ For U2F security keys, see Update U2F Security Keys to Support WebAuthn Authentication to ensure they continue to work.
‣ Built-in authenticators are supported in products built on the Salesforce Platform, Heroku, Marketing Cloud Intelligence, MuleSoft Anypoint Platform, and Tableau Cloud.