Salesforce Dictionary - Free Salesforce Glossary
Salesforce Administrator
easy

What is MFA in Salesforce, is it required, and how do you implement it?

Multi-Factor Authentication (MFA) requires users to verify their identity with a second factor beyond a username and password. Salesforce mandated MFA for all production org logins as of 2022, and now auto-enables it on every new org. It is no longer optional for direct Salesforce logins.

Supported second factors include the Salesforce Authenticator mobile app (push approval, the recommended option), TOTP authenticator apps like Google Authenticator or Authy, U2F security keys (YubiKey), and built-in platform authenticators like Touch ID / Face ID / Windows Hello.

Two implementation paths:

  • Direct Salesforce logins — MFA is enforced automatically. Users register a verification method on first login or you can pre-enrol them.
  • SSO logins via an external IdP — Salesforce accepts the IdP's MFA assertion. So if Okta/Azure AD/Ping enforces MFA before issuing the SAML assertion, Salesforce trusts that. You don't double-MFA — but the IdP must actually be enforcing it, which is your responsibility to verify.

Exceptions exist for partner and customer community users (they fall under different requirements) and for service accounts using OAuth — the underlying mandate is on interactive human logins.

Why this answer works

Tests whether the admin has been through the MFA mandate, which was a major operational event for every org. The SSO nuance is the litmus test: candidates who don't know that MFA can be satisfied by an SSO IdP (and that the admin still has to verify the IdP is enforcing it) haven't done a proper rollout.
