Use this flow to set which methods your users can register and how device activation challenges behave. Change one section at a time and verify a real login before moving on. Settings here apply org-wide to the relevant audience, so you cannot undo a change for a single Profile.
- Open the page
  From Setup, type Identity in the Quick Find box and select Identity Verification. Confirm you are looking at the right org and note the current state of each section before editing.
- Choose the allowed methods
  In the method sections, enable the verification methods you want available. Favor built-in authenticators and security keys for internal users because Salesforce treats them as phishing-resistant. Keep email and SMS as device-activation fallbacks rather than primary factors.
- Set external user options separately
  Scroll to the Experience Cloud site sections and decide method availability for external users on their own terms. Enable SMS only if your audience is in a supported country and you accept that it is weaker than an authenticator.
- Require a verified email and save
  Turn on the option to require a verified email address so one-time passcodes always have a destination, then save. Sign in from a fresh browser session to confirm the challenge behaves as intended.
The set of MFA-grade methods you let users register: built-in authenticators, security keys, Salesforce Authenticator, and third-party authenticator apps.
Allows a one-time passcode to be sent to the user's verified email during a device activation challenge. Convenient but weaker than an authenticator.
Sends a passcode by text, aimed mainly at external Experience Cloud users and limited to supported countries.
Governs the format and handling of email and SMS passcodes used to clear challenges.
Ensures every user has a confirmed email on file so email-based verification can actually reach them.
- The page is org-wide, not per-Profile. A change lands on the whole relevant audience at their next unfamiliar login.
- Email and SMS are not valid standalone MFA factors under Salesforce's MFA requirement. Use them for device activation, not as your only second factor.
- Enabling a method here does nothing until users enroll it in Personal Settings. Communicate the rollout before tightening.
- Device activation resets when a user switches browsers or clears cookies, so expect a fresh challenge after a device wipe.