Identity Verification (the modern name for MFA configuration) controls when and how users prove they are who they say they are: TOTP authenticator apps, security keys, SMS, email codes. Since 2022, MFA has been contractually required for Salesforce admin and high-privilege users.
- Open Setup → Identity Verification
Setup gear → Quick Find: Identity Verification → Identity Verification.
- Review verification methods enabled
Salesforce Authenticator (push-notification app) / TOTP (Authy, Google Authenticator) / U2F Security Keys / SMS / Email. Pick which to enable.
- Set when to challenge
Always (every login) / when login risk is detected (default) / never (not allowed for admin profiles).
- Open Setup → Multi-Factor Authentication Assistant
Salesforce-provided wizard to roll out MFA per profile. Check progress and identify users not yet enrolled.
- Tick Require MFA for Logins for relevant profiles
Setup → Profile → System & User Permissions → tick Multi-Factor Authentication for User Interface Logins. Users on these profiles must enroll a verification method.
- Communicate to users
The first login after this change prompts users to enroll. Provide enrollment instructions and a help channel for confused users.
- Salesforce Authenticator
Push notifications. The most user-friendly method.
- TOTP (Authy, Google Authenticator)
Standards-based time-based one-time passwords. Works with any TOTP app.
- U2F Security Keys
Hardware tokens (YubiKey, etc.). Strongest, most user-resistant.
- SMS
Being deprecated as a method due to SIM-swap risk. Salesforce recommends alternatives.
- Email
Fallback method. Less secure than TOTP / hardware.
- MFA has been contractually required for Salesforce admins and high-privilege users since February 2022. Non-compliance can affect your contract. Don't disable MFA on admin profiles.
- SMS as a verification method is being deprecated. SIM-swap attacks are a real threat — Salesforce recommends moving users to TOTP or hardware keys.
- First-time enrollment can confuse users. Pair the rollout with clear comms — "On your next login you'll be asked to set up MFA, here's how."
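To follow up on the rollout steps above (finding users not yet enrolled, and users who rely only on SMS or email), here is an added example that is not part of the original page or any Salesforce tooling. It audits a CSV export of users. The export layout and sample rows are constructed, and the column names are assumptions modeled on the fields of the TwoFactorMethodsInfo object, so adjust them to match your own export.

```python
import csv
import io

# Constructed sample export (not real data): one row per active user.
# Column names are assumptions modeled on TwoFactorMethodsInfo fields.
SAMPLE_EXPORT = """Username,Profile,HasSalesforceAuthenticator,HasTotp,HasU2F,HasUserVerifiedMobileNumber,HasUserVerifiedEmailAddress
alice@example.com,System Administrator,true,false,false,true,true
bob@example.com,System Administrator,false,false,false,true,true
carol@example.com,Standard User,false,true,false,false,true
dave@example.com,Standard User,false,false,false,false,false
erin@example.com,Standard User,false,false,true,false,false
"""

# Methods the page treats as preferred vs. deprecated or fallback.
STRONG = ("HasSalesforceAuthenticator", "HasTotp", "HasU2F")
WEAK = ("HasUserVerifiedMobileNumber", "HasUserVerifiedEmailAddress")


def _flag(row, column):
    # A missing or empty column counts as "method not registered".
    return (row.get(column) or "").strip().lower() == "true"


def classify(row):
    """Return 'ok', 'weak_only' or 'not_enrolled' for one exported user row."""
    if any(_flag(row, c) for c in STRONG):
        return "ok"
    if any(_flag(row, c) for c in WEAK):
        return "weak_only"  # only SMS and/or email registered
    return "not_enrolled"


def audit(export_text, required_profiles):
    """Group usernames by status, limited to profiles where MFA is required."""
    report = {"ok": [], "weak_only": [], "not_enrolled": []}
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["Profile"] in required_profiles:
            report[classify(row)].append(row["Username"])
    return report


if __name__ == "__main__":
    result = audit(SAMPLE_EXPORT, {"System Administrator", "Standard User"})
    for status in ("not_enrolled", "weak_only", "ok"):
        print(f"{status}: {', '.join(result[status]) or '-'}")
```

Users in `weak_only` are the ones to move to TOTP or a security key before SMS is retired; users in `not_enrolled` will hit the enrollment prompt on their next login.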