Salesforce Security Enforcement Week | Salesforce Dictionary
Step-up auth for reports broke things. Salesforce patched it. Now phishing-resistant MFA enforcement hits sandboxes tomorrow. Here is the current state and what to do today.

You log into Salesforce on Monday morning, clear your MFA challenge, land on the home page, and open a report you run every week. A step-up authentication prompt fires. You complete it. Ten seconds later, you open a second report and get prompted again. You just authenticated twice in under a minute, and your patience is gone before the coffee is.
That was the lived reality for thousands of Salesforce users in early June. The fix has landed, but a bigger wave of enforcement hits sandboxes tomorrow. Here is where things actually stand, and what you need to do before July 1.
What Went Wrong with Step-Up Auth
Salesforce shipped step-up authentication for report actions on May 27. Sandbox enforcement began June 3, with production enforcement originally planned for June 10. The idea was reasonable: ask for a fresh identity check before someone pulls sensitive data out of reports.
The execution was not reasonable.
Step-up fired on every report view, not just exports. Worse, the login MFA you completed at the start of your session did not count toward the 120-minute step-up timer. So users got prompted to step up within seconds of finishing their login challenge. The community blog "Salesforce is Breaking Salesforce" documented this exact failure: the timer started from zero even though you had just proven your identity (freelikeapuppy.tech).
It also broke automation. Tools like GConnector, which relied on scheduled report exports, simply stopped working because no human was present to clear a step-up prompt.
The backlash was loud and specific. Marc Baizman, a nonprofit-focused Salesforce consultant and evangelist, called the rollout "an absolute sh*tshow" on LinkedIn (BrightHelm Partners). Salesforce MVP Francis Pindar got locked out of his own developer org, and Salesforce could not clearly explain why. David Rabinak, an independent consultant in Europe, lost client trust after IP range enforcement was announced and then reversed, forcing him to walk back guidance he had just delivered to clients.
This is the part consulting partners feel hardest. When a vendor reverses course mid-rollout, the consultant is the one who looks unreliable, even though they relayed the vendor's own published plan.
What Salesforce Fixed
To Salesforce's credit, the company moved. A patch changed the trigger entirely. Step-up authentication now fires when a user exports or prints a report, not when they simply view one (freelikeapuppy.tech, "Our Outcry is Heard"). That single change removes the constant-prompt problem for the vast majority of report consumers, who read on screen and never export.
Salesforce also updated its Help documentation on June 2 to reflect the new behavior, and pushed production enforcement back. The new production date is July 1, staggered across roughly 30 days rather than the original hard cutover on June 10.
So the immediate fire is mostly out. The double-prompt experience is gone for viewers. Automated exports still need a service account strategy or a Transaction Security Policy exemption, but the worst of the friction has been addressed.
Do not relax yet. The next wave is larger, and it starts tomorrow.
What Hits Tomorrow
Two significant changes reach sandboxes on June 22, 2026.
ML-based anomaly detection. Salesforce is layering a continuously trained model on top of step-up authentication. The model learns each user's normal report behavior: which reports they run, when, how often, how many records they pull, and their export patterns. If your behavior deviates from that learned baseline, step-up fires regardless of the 120-minute window. Pull a 500,000-row export at 2 a.m. when you normally read three small reports at 9 a.m., and the system will ask you to prove it is really you. This reaches sandboxes June 22 and production July 13.
Phishing-resistant MFA for privileged users. This is the one to plan for now. Sandbox enforcement is June 22, and production enforcement is July 1. Privileged users will be required to authenticate with phishing-resistant methods, and the weaker methods most teams rely on today will stop qualifying.
Two more dates belong on your calendar. MFA for all internal users, without the waiver permission, reaches sandboxes June 22 and production July 20. The "Waive Multi-Factor Authentication for Exempt Users" permission is being retired.
Who Is "Privileged" and What Qualifies
This is where admins get surprised, so read it carefully.
A user counts as privileged if they have the System Administrator profile or any one of these permissions:
- Modify All Data
- View All Data
- Customize Application
- Author Apex
Notice the breadth. View All Data alone makes a user privileged. Plenty of reporting analysts, integration users, and support leads carry one of these permissions without anyone thinking of them as admins. Audit your permission sets, not just your profiles.
For those users, only phishing-resistant methods will satisfy the requirement after enforcement.
What qualifies:
- FIDO2/WebAuthn security keys (YubiKey, Google Titan)
- Built-in authenticators: Touch ID, Face ID, Windows Hello, and passkeys
What does NOT qualify:
- Salesforce Authenticator push notifications
- TOTP codes from any source, including Salesforce's own app
- SMS one-time passwords
- Email one-time passwords
- Standard app-based MFA
Read that list again. The Salesforce Authenticator push notification, the method Salesforce spent years pushing admins to adopt, does not satisfy phishing-resistant MFA. Neither does any TOTP code. If your privileged users authenticate with a phone push or an authenticator app today, they are not ready (Salesforce Help, Fionta).
A few hard edges to know. After enforcement, the setting locks. Admins cannot disable it, even temporarily, even in an emergency. The "Waive Multi-Factor Authentication for Exempt Users" permission no longer applies, so previously exempt privileged users get blocked too. And MFA verifiers do not carry over after a sandbox refresh, which means every privileged user has to register fresh keys after each refresh.
What to Do Today
You have until July 1 for production phishing-resistant MFA. That is not a lot of runway. Work this checklist now.
- Build your privileged-user list. Query for the System Administrator profile plus anyone holding Modify All Data, View All Data, Customize Application, or Author Apex, across both profiles and permission sets. This list is almost always longer than admins expect.
- Procure hardware and confirm built-in support. Order FIDO2 keys (YubiKey or Google Titan) for users who lack a built-in authenticator. Confirm which users already have Touch ID, Face ID, Windows Hello, or working passkeys.
- Register methods in a sandbox first. Test the enrollment flow against the June 22 sandbox enforcement before production hits. Remember the verifiers will not survive a refresh, so register against a stable sandbox.
- Plan for break-glass access. Since the setting locks after enforcement, register at least two phishing-resistant methods per privileged user. Losing a single key should not lock out an admin.
- Fix your automations. Anything that exported reports through a logged-in user session needs a Transaction Security Policy exemption or a dedicated integration approach before step-up export enforcement bites.
- Brief stakeholders on anomaly detection. Let heavy report users know that unusual export volume or off-hours activity may trigger step-up, and that this is expected behavior, not a bug.
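The privileged-user definition above and the first checklist item, worked into an Apex class (an added example, not code from the article or from Salesforce). It assumes that the TwoFactorMethodsInfo fields HasU2F and HasBuiltInAuthenticator reflect registered security keys and built-in authenticators, the two qualifying method families listed earlier.

```apex
// Added example, not code from the article or from Salesforce. Builds the
// privileged-user list (profile or permission set) and flags who still lacks a
// phishing-resistant verifier. Assumption: TwoFactorMethodsInfo.HasU2F covers
// FIDO2/WebAuthn keys and HasBuiltInAuthenticator covers Touch ID/Face ID/
// Windows Hello/passkeys.
public class PrivilegedMfaAudit {
    public class Row {
        public String username;
        public Set<String> reasons = new Set<String>();   // why the user is in scope
        public Boolean phishingResistantReady = false;    // key or built-in registered
    }
    // Each profile owns a PermissionSet row carrying its own permissions, so one
    // PermissionSetAssignment query covers both profiles and permission sets.
    public static List<Row> run() {
        Map<Id, Row> rows = new Map<Id, Row>();
        for (PermissionSetAssignment psa : [
            SELECT AssigneeId, Assignee.Username, PermissionSet.Profile.Name,
                   PermissionSet.PermissionsModifyAllData,
                   PermissionSet.PermissionsViewAllData,
                   PermissionSet.PermissionsCustomizeApplication,
                   PermissionSet.PermissionsAuthorApex
            FROM PermissionSetAssignment
            WHERE Assignee.IsActive = true
              AND (PermissionSet.Profile.Name = 'System Administrator'
                   OR PermissionSet.PermissionsModifyAllData = true
                   OR PermissionSet.PermissionsViewAllData = true
                   OR PermissionSet.PermissionsCustomizeApplication = true
                   OR PermissionSet.PermissionsAuthorApex = true)
        ]) {
            Row r = rows.containsKey(psa.AssigneeId) ? rows.get(psa.AssigneeId) : new Row();
            r.username = psa.Assignee.Username;
            rows.put(psa.AssigneeId, r);
            PermissionSet ps = psa.PermissionSet;
            // ps.Profile is null for a real permission set, so guard before reading Name
            if (ps.Profile != null && ps.Profile.Name == 'System Administrator') r.reasons.add('System Administrator profile');
            if (ps.PermissionsModifyAllData) r.reasons.add('Modify All Data');
            if (ps.PermissionsViewAllData) r.reasons.add('View All Data');
            if (ps.PermissionsCustomizeApplication) r.reasons.add('Customize Application');
            if (ps.PermissionsAuthorApex) r.reasons.add('Author Apex');
        }
        // Push, TOTP, SMS and email verifiers are deliberately not consulted: none qualifies.
        for (TwoFactorMethodsInfo m : [
            SELECT UserId, HasU2F, HasBuiltInAuthenticator
            FROM TwoFactorMethodsInfo WHERE UserId IN :rows.keySet()
        ]) {
            rows.get(m.UserId).phishingResistantReady = m.HasU2F || m.HasBuiltInAuthenticator;
        }
        return rows.values();   // a user with no TwoFactorMethodsInfo row stays "not ready"
    }
}
```

Call PrivilegedMfaAudit.run() from Execute Anonymous in the sandbox first; every row with phishingResistantReady false is a user who needs a key or built-in authenticator registered before the July 1 production date.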
The step-up reversal proved Salesforce will listen when the community pushes back with specifics. It does not change the deadlines in front of you. Start with the privileged-user query today, because every later step depends on knowing exactly who is in scope. Review the Salesforce Ben security roadmap for the full date matrix, then work your list.
About the Author
Dipojjal Chakrabarti is a B2C Solution Architect with 29 Salesforce certifications and over 13 years in the Salesforce ecosystem. He runs salesforcedictionary.com to help admins, developers, architects, and cert/interview candidates sharpen their fundamentals. More about Dipojjal.
Sources
- Salesforce 2026 Security Changes: What Is Actually Happening (BrightHelm Partners)
- Salesforce is Breaking Salesforce (Free Like a Puppy)
- Our Outcry is Heard (Free Like a Puppy)
- Salesforce Security Roadmap 2026 (Salesforce Ben)
- Prepare for Phishing-Resistant MFA Enforcement (Salesforce Help)
- Prepare for Step-up Authentication on Report Actions (Salesforce Help)
- Prepare for Salesforce Phishing-Resistant MFA: What Admins Need to Know (Fionta)