Step-by-Step Guide to Setup MFA in Salesforce

As an advanced authentication approach, multi-factor authentication in Salesforce ensures secure access by verifying users’ identities through the provision of multiple pieces of evidence, typically two or more factors, during the login process. One of the factors entails knowledge-based information like a username and password.

Additional factors encompass possession-based elements like an authenticator app or a security key. By combining these multiple factors, Salesforce MFA enhances security and provides a robust defense against unauthorized access attempts.

Types of multi-factor authentication verification methods in Salesforce:

• Salesforce Authenticator mobile app: With this reliable solution, users can strengthen their login process by using their mobile device in addition to their password to verify logins. By utilizing the Salesforce Authenticator app, users receive a push notification on their mobile device, and can conveniently verify their logins with a simple tap response.

  

• U2F or WebAuthn security keys: You can enable users to utilize a Universal Second Factor (U2F) or WebAuthn (FIDO2) security key when prompted to verify their identity. This allows users to forgo methods like Salesforce Authenticator or one-time passwords delivered via email or SMS. Instead, they can simply insert their security key into the designated port on their computer or mobile device to successfully complete the verification process.
• Third-party time-based one-time passcode (TOTP) authenticator apps: These apps generate random, temporary verification codes based on the appropriate algorithm. The user gets this code on the phone or email and then they need to type it into a specific field while logging in.

Salesforce authenticator setup:

For a visual demonstration of how to use the Salesforce Authenticator app for MFA logins, you can refer to this video guide:

How to Use Salesforce Authenticator for MFA Logins (For Lightning Experience and Salesforce Classic)

Steps to setup MFA : 

Connect Your Salesforce Account to Salesforce Authenticator

If you’re prompted to connect Salesforce Authenticator to your Salesforce account as you log in, follow the onscreen instructions. To connect the app from your personal settings in Salesforce, log in to your account, then follow these steps.

1. Download and install the Salesforce Authenticator app for the type of mobile device you use.
   • For iPhone, get the app from the App Store.
   • For Android devices, get the app from Google Play.
2. Open the Salesforce Authenticator app on your mobile device
   If you’re opening the app for the first time, you will see a tour of the app’s features. Take the tour, or go straight to adding your Salesforce account to the app.
3. In the app, tap Add an Account.
   The app generates a unique two-word phrase.
4. In your Salesforce browser window, enter the phrase in the Two-Word Phrase field.
5. Click Connect.
6. In the Salesforce Authenticator app on your mobile device, you see details about the account you’re connecting. To complete the account connection, tap Connect in the app.

To help keep your account secure, we send you an email notification whenever a new identity verification method is added to your Salesforce account. You get the email whether you add the method or your Salesforce admin adds it on your behalf.

Verify Your Identity with Salesforce Authenticator

Before you can use the app for multi-factor authentication (MFA) logins, connect it to your Salesforce account.

1. Log in to your Salesforce account, or try to access a restricted resource in Salesforce.
   Salesforce Authenticator sends a notification to your mobile device.
2. Respond to the notification by opening Salesforce Authenticator.
   The app shows details of your account activity including your username, the service that you’re trying to access, and information about the device used for the activity, such as your computer. If location services are enabled and available, the app will show your approximate location.
3. If you recognize the details, tap Approve on your mobile device. If you don’t recognize the details, tap Deny.
   If you approve the request, you’re logged in to Salesforce or granted access to the desired resource.
   If you deny a login request, Salesforce Authenticator asks you what to do about the unrecognized activity. To prevent unauthorized access to your account and alert your admin of the potential security breach, tap Block Activity and Flag. This action also creates a log entry in Identity Verification History. To prevent access to your account without flagging, tap Just Block Activity.

Use TOTP Codes When Push Notifications Are Unavailable in Salesforce Authenticator

If you can’t receive push notifications in Salesforce Authenticator, use time-based one-time passwords (TOTP) to verify your identity. The app automatically generates TOTP codes for each of your connected accounts.

1. Login to Salesforce, or try to access a restricted resource in Salesforce.
2. When prompted to check your mobile device, click Having Trouble?
3. Click Use a different verification method.
4. When prompted to enter a verification code, open Salesforce Authenticator to view your account list.
5. Enter the six-digit code for the account that you’re logging in to.
6. Click Verify.

NOTE – TOTP codes are refreshed periodically. Make sure to enter the code before it expires.

Register a U2F or WebAuthn Security Key for Identity Verification

If your Salesforce admin has allowed the use of Universal Second Factor (U2F) and WebAuthn (FIDO2) security keys, register your own security key to connect it to your account. Anytime you’re challenged to verify your identity, including multi-factor authentication (MFA) and device activations, you can insert your security key into the appropriate port on your computer or mobile device to complete verification.

You can register the same security key with multiple service providers and multiple Salesforce orgs and accounts. You can also register one key per account.

1. Have your U2F or WebAuthn security key in hand so that you’re ready to insert it when prompted. If you wait too long, your registration attempt can time out.
2. From your personal settings, enter Advanced User Details in the Quick Find box, and then select Advanced User Details. No results? Enter Personal Information in the Quick Find box, and then select Personal Information.
3. Click Register next to the Security Key (U2F or WebAuthn) field.
   If you don’t see this option, your admin has disallowed the use of security keys.
4. For security purposes, you’re prompted to log in to your account.
5. At the prompt, insert your security key into the appropriate port on your computer or mobile device. If it has a button, touch the button.
   Security keys aren’t  biometric devices, even though some have a button that requires your touch to activate the device.
6. After successful registration, click Continue to dismiss the confirmation message.
   To help keep your account secure, we send you an email notification after successful registration.

Now you’re ready to use this identity verification method. When we prompt you for your security key, insert it, and touch the button if it has a button. The security key generates the required credentials, and the browser passes them on to Salesforce to complete the verification.

NOTE Chrome version 41 or later and Microsoft Edge Chromium are the only browsers that natively support U2F. Most major browsers support WebAuthn.

If you’re without your security key, you can still use other verification methods, such as Salesforce Authenticator or another method that generates a verification code. If you need a temporary alternate method for multi-factor authentication (MFA), your admin can generate a temporary verification code (not available for device activation).

You can cancel your security key registration at any time, and so can an admin.

Back Up Your Connected Accounts in the Salesforce Authenticator Mobile App

You can back up your Connected Accounts in the Salesforce Authenticator mobile app. If you lose, damage, or replace your mobile device, you can restore your Connected Accounts on another mobile device.

The back up and restore feature is available if you have a Salesforce account connected to the app. To use the feature and avoid disruptions, ensure you have at least one Salesforce account connected.

You can enable backups in these ways:

• Tap the Notifications icon () in the upper right corner, then tap Enable Backups.
• If you don’t see a notification, tap the Settings icon () in the upper left corner, then tap Back up accounts.

After you enable backups, complete the backup process by verifying your mobile number and setting a four-digit passcode.

1. When prompted, enter your mobile number and tap Send.
2. Salesforce Authenticator sends you a text message with a link. Tap the link in the text message.
3. Authorize your mobile device to open the Salesforce Authenticator mobile app. This process is different on Android and iOS devices.
   • For Android, if prompted to select which app to open the link with, tap Salesforce Authenticator from the list. If your web browser opens, tap Open Salesforce Authenticator.
   • For iOS, when asked for permission to open Salesforce Authenticator, tap Open to approve.
4. The Salesforce Authenticator app opens, completing the mobile number verification process.
5. Set your four-digit or longer passcode. This passcode lets you restore your accounts on a new device.

To change or update your mobile number, in the Settings menu, tap Verified number. Enter a new mobile number and repeat the verification process.

To change your passcode, in the Settings menu, tap Change backup passcode. Enter a new passcode.