The New Salesforce MFA Requirements

Overview of Salesforce MFA

In February of 2022, Salesforce started mandating that all customers enable multi-factor authentication (MFA) for their users regardless of how they access their accounts. Beginning April 8, 2024, Salesforce automatically enabled MFA for all direct logins – but not with organizations that are using Single Sign-On (SSO). Also, starting with the Summer ‘24 release, Salesforce will periodically notify all System Administrators in the organization until the instance is fully compliant with the MFA requirements (See MFA Advisory Timeline for more announcement details).

Enforcing Salesforce MFA

Via SSO or Authentication Scheme

If a Salesforce org uses an Authentication Scheme such as Single Sign-On (SSO) and has disabled direct login access to facilitate user access to Salesforce, by default Salesforce will not require the organization to activate SSO Multi-Factor Authentication (MFA). However, according to Salesforce’s Terms of Service, the SSO solution must incorporate MFA. It is important to note that Salesforce will not automatically activate MFA within the organization’s SSO setup. Instead, System Administrators or Users who have Administrator capability are responsible for ensuring this feature is enabled or activated. Some SSO providers have their own MFA application (e.g. Microsoft or AWS), but the organization can also use Salesforce Authenticator (native MFA of Salesforce) to meet this security requirement.

In scenarios where a Salesforce organization enables Direct UI Login with credentials (Username and Password) alongside SSO, it is important to implement an additional layer of authentication. If the Organization is not enforcing MFA for direct login access to Salesforce, despite having MFA activated for Single Sign On, this leaves a gap for unauthorized access or entry, and does not comply with the Salesforce MFA security policy. It is important that all login methods, whether through Direct Login or SSO, are secured with MFA to ensure enhanced security.

CloudKettle suggests that to maintain access continuity in the event of Single Sign-On server failures or downtimes, it is necessary to allow at least 10% of users, or in the case of having only two, one user with System Administrator access, to log into Salesforce using the direct login interface. Additionally, it is important to note that this allocation of direct login capabilities to 10% or at least one System Administrator user must also comply with MFA= protocols.

Via Salesforce Direct Login

If the organization does not utilize Single Sign-On and solely relies on direct login methods, it is essential to require Multi-Factor Authentication (MFA) for every user login attempt. Implementing MFA for UI login access to Salesforce should not pose significant configuration difficulties. The organization must guarantee that all users adhere to the MFA protocols when accessing the platform. Non-compliance with this security policy puts the organization at risk of possible data breaches or the loss of data/records.

Exemptions in Implementing MFA

Salesforce also considers the Integration User in an organization. The System Administrator should carefully assess whether or not to enable Multi-factor Authentication (MFA) for these users. Integration Users do not have the means to authenticate their login, so MFA should not be mandatory. See this link to provide an exemption to Integration Users from MFA.

Multi-factor authentication (MFA) is currently not mandated for any Sandboxes, although Salesforce has plans to require MFA for all Sandboxes in the future (Refer to the article for specifics on this exclusion.) Although Salesforce does not require organizations to implement MFA for their Sandboxes, CloudKettle advises enabling it throughout all instances within the organization. This recommendation is due to the potential for records or data to be replicated from the organization’s Salesforce Production instance to the Sandboxes.

Key Takeaway

As of April, 2024 Salesforce enabled MFA for all direct logins. If an org uses Single Sign-On, MFA may not be required. BUT the SSO itself should incorporate some form of MFA in order to be compliant with Salesforce’s requirements.

Are you meeting MFA/SSO Salesforce Requirements?


Are you meeting MFA Requirements?

*This post was last updated July, 2024


Enhancing Data Security

A Deep Dive into API Access Control in Salesforce In this new guide from CloudKettle, […]

Get The Guide


Salesforce for Outlook Retirement

Salesforce has introduced several integrations for Outlook over the years. While similarly named, these integrations […]

Get the Guide

Sign up for the latest tips & news from CloudKettle

Thank you for subscribing.