Mfa Quick Admin Guide

Uploaded by

Josh White
Multi-Factor Authentication Quick Guide for Admins

How to get ready for MFA and roll it out to Salesforce users
Table of Contents

CHAPTER 1
The Time for Multi-Factor Authentication is Now!
What Is MFA and Why Is It Important?
How Multi-Factor Authentication Works
MFA for Salesforce
MFA Verification Methods for Salesforce
➣ Salesforce Authenticator
➣ Third-Party Authenticator Apps
➣ Security Keys
Choose Verification Methods for Your Implementation

CHAPTER 2
Implement MFA for Salesforce
The Recommended Path to MFA
Plan Your Rollout
When You’re Ready to Go Live
Enable MFA for Your Users
The User Experience When MFA is Live
➣ Salesforce Authenticator: How Users Register and Log In
➣ Third-Party Authenticator Apps: How Users Register and Log In
➣ Security Keys: How Users Register and Log In

CHAPTER 3
Ensure Successful Adoption of MFA
Measure the Success of Your Rollout
Support Users and Ongoing Operations

CHAPTER 4
Learn More
Additional Resources

Version 2020.10
© Copyright 2000-2020 salesforce.com, inc. All rights reserved. Salesforce is a registered trademark of salesforce.com, inc.,
as are other names and marks. Other marks appearing herein may be trademarks of their respective owners.
1 The Time for Multi-Factor Authentication is Now!
See how MFA is an effective way to safeguard access to Salesforce accounts
What Is MFA and Why Is It Important?
As the security landscape evolves and threats that compromise user credentials grow more common, it’s important to implement strong security measures to protect your business and customers.

Usernames and passwords alone don’t provide sufficient safeguards against unauthorized account access.

Multi-factor authentication (MFA) adds an extra layer of protection against threats like phishing attacks, credential stuffing, and account takeovers.

Multi-factor authentication is one of the easiest, most effective ways to help prevent unauthorized account access and safeguard your Salesforce data.

MFA for Salesforce is available at no extra cost!
How Multi-Factor Authentication Works
MFA requires users to prove they’re who they say they are by providing two or more pieces of evidence – or factors – when they log in.

One factor is something the user knows, such as their username and password combination. Other factors are verification methods that the user has, such as an authenticator app or security key.

[Figure: “Something you know” (a username and password login form) plus “Something you have”]

By tying user access to multiple, different types of factors, it’s much harder for a bad actor to gain entry to your Salesforce environment. Even if a user’s password is stolen, the odds are very low that an attacker can guess or impersonate a factor that a user physically possesses.
MFA for Salesforce
Salesforce offers simple, innovative MFA solutions that provide a balance between strong security and user convenience.

Because your business requirements and users’ needs are diverse, you can pick and choose between different types of verification methods, including mobile apps and hardware devices.

And to help manage your MFA implementation, we provide a variety of tools and resources, including:
• Reports and dashboards for monitoring usage
• Temporary verification codes that give users access if they’ve lost or forgotten their verification method

MFA is currently available for these Salesforce products.
• Products built on the Salesforce Platform: Sales Cloud, Service Cloud, Analytics Cloud, B2B Commerce, Experience Cloud, Industries products (Consumer Goods Cloud, Financial Services Cloud, Government Cloud, Health Cloud, Manufacturing Cloud, Philanthropy Cloud), Marketing Cloud⎯Audience Studio, Marketing Cloud⎯Pardot, Platform, Salesforce Essentials, and Salesforce Field Service
• B2C Commerce Cloud
• Marketing Cloud⎯Datorama
• Marketing Cloud⎯Email Studio, Mobile Studio, and Journey Builder

Our goal is to deliver MFA support for all Salesforce products by mid-2021.
MFA Verification Methods for Salesforce
MFA adds an extra authentication step to your Salesforce login process.
1. The user enters their username and password, as usual.
2. Then the user is prompted to provide a verification method.

Salesforce requires users to provide a verification method that’s in their possession. Depending on your Salesforce product, you can allow any or all of these methods.

• Salesforce Authenticator App: Fast, free authentication
• Third-Party TOTP Authenticator App, such as: Google Authenticator, Microsoft Authenticator, Authy
• U2F or WebAuthn Security Key, such as: Yubico’s YubiKey, Google’s Titan Security Key

Email, SMS text messages, and phone calls aren’t allowed as MFA verification methods because email credentials are more easily compromised, and text messages and phone calls can be intercepted.

It’s a lot harder for bad actors to get control of an actual mobile device or physical security key than it is to infiltrate an email account or hack a cell phone number.
Salesforce Authenticator: Fast, Free, Frictionless MFA
The Salesforce Authenticator mobile app makes MFA easy by integrating into your login process. It’s simple for users to install and connect to their Salesforce accounts.

All Salesforce products support the use of Salesforce Authenticator as an MFA verification method.*

When a user logs in, they get a push notification on their mobile device. The user taps the notification to open Salesforce Authenticator and sees the following information:
• The action that needs to be approved
• Which user is requesting the action
• Which service is requesting the action
• What device the user is using
• The location from which the request is coming

With this information, the user can quickly and confidently approve or deny the
authorization request. They can also automate the extra authentication step when
working from a trusted location.

If the user’s mobile device doesn’t have connectivity, they can still log in using six-digit
TOTP codes generated by Salesforce Authenticator.*

* Marketing Cloud⎯Datorama customers: Push notifications aren’t supported yet. You can use Salesforce Authenticator as a TOTP generator only.
Third-Party Authenticator Apps
Salesforce supports the use of third-party authenticator apps that generate temporary codes based on the OATH time-based one-time password (TOTP) algorithm (RFC 6238).

To log in using this type of verification method, the user gets a code from a TOTP authenticator app, then enters that code during the Salesforce login process.

All Salesforce products support the use of TOTP authenticator apps as an MFA verification method. There are many apps available, including free versions. Options include:
• Google Authenticator
• Microsoft Authenticator
• Authy

Behind the Scenes
TOTP authenticator apps generate temporary codes on the basis of a secret key (known only to the user and the service, such as Salesforce) and the current time. A code is valid for 30 seconds and then a new one is generated.

TOTP authenticator apps can generate codes even if the user’s phone doesn’t have a data or internet connection.

➤ TIP: If users have already installed a TOTP app for personal or business use, they can set up the same app for Salesforce logins.
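
The “Behind the Scenes” description above, worked through as an added example (not code from Salesforce or from this guide): RFC 6238 code generation from a shared secret and the current time, plus a server-side check. The secret is the published RFC test key, and the clock-drift window and replay check in `verify` are assumed policies for illustration, not documented Salesforce behavior.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # the guide: "A code is valid for 30 seconds"
DIGITS = 6          # six-digit codes

# Constructed sample secret: the published RFC 6238 test key, never a real one.
SAMPLE_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte big-endian counter, then truncate."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble of the last byte
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: float, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of elapsed 30 s steps."""
    return hotp(secret, int(unix_time) // STEP_SECONDS, digits)


def verify(secret, submitted, server_time, drift_steps=1, last_used_step=-1):
    """Return the time step the code matched, or None if it is rejected.

    Hypothetical server policy (an assumption, not Salesforce's): accept
    codes from +/- drift_steps windows to tolerate a phone clock that is
    slightly out of sync, and refuse any step at or before last_used_step
    so an observed code cannot be replayed.
    """
    current = int(server_time) // STEP_SECONDS
    for step in range(current - drift_steps, current + drift_steps + 1):
        if step <= last_used_step:
            continue
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(hotp(secret, step), str(submitted)):
            return step
    return None


if __name__ == "__main__":
    code = totp(SAMPLE_SECRET, 59)
    print("code at t=59s:", code)
    print("code at t=60s:", totp(SAMPLE_SECRET, 60))
    print("phone 30 s slow, accepted step:", verify(SAMPLE_SECRET, code, 89))
    print("phone 90 s slow:", verify(SAMPLE_SECRET, code, 150))
    print("replayed code:", verify(SAMPLE_SECRET, code, 59, last_used_step=1))
```

Storing the returned step as `last_used_step` for the next login is what makes a captured code useless once it has been accepted.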
Security Keys
Security keys are small physical devices that are easy to use because there’s nothing to install and no codes to enter. This is a great option if users don’t have a mobile device or if cell phones aren’t allowed on the premises.

Security keys make MFA logins fast. A user simply:
1. Connects their key to the computer
2. Presses the key’s button to verify their identity

Security key options include Yubico’s YubiKey and Google’s Titan Security Key.

Behind the Scenes
Depending on your Salesforce product, we support security keys that are compatible with FIDO U2F and FIDO2 WebAuthn. Both standards use strong public-key cryptography to protect users from man-in-the-middle attacks and malware. To learn more about what’s happening behind the scenes with security keys, check out the FIDO U2F site or the WebAuthn Guide.

Security keys require a supported browser to act as an intermediary between the key and Salesforce.

Supported form factors: USB-A, USB-C, Lightning, NFC*
Supported browsers for WebAuthn** keys: Chrome, Edge, Firefox, Safari
Supported browsers for U2F keys: Chrome, version 41 or later

Products that support security keys:
• Products built on the Salesforce Platform*
• B2C Commerce Cloud*
• Marketing Cloud⎯Email, Mobile, & Journeys

* NFC devices aren’t supported in products built on the Salesforce Platform.
** WebAuthn isn’t supported in products built on the Salesforce Platform. WebAuthn-compatible keys aren’t supported in non-Chromium versions of the Edge browser.
Choose Verification Methods for Your Implementation
Salesforce Authenticator
A smart and simple mobile app that users can easily connect to their Salesforce accounts.
Form Factor: Mobile app for iOS and Android
User Experience:
• Delivers push notifications to users’ phones for fast access
• See real-time details to confirm request validity
• Automate authentication from trusted locations
• Deny fraudulent requests with a tap
• Generates TOTP codes if connectivity isn’t available
Considerations:
• Requires a mobile device
Cost: Free

Third-Party Authenticator Apps
Apps generate unique, temporary verification codes based on the OATH TOTP algorithm.
Form Factor: Apps available for multiple operating systems
User Experience:
• Wide variety of apps to choose from
• Connectivity isn’t required
Considerations:
• Requires a mobile device
• Typing errors possible when manually entering codes
• Invalid codes possible if mobile device clock gets out of sync with Salesforce
Cost: Free and paid options

Security Keys
Physical device that uses public-key cryptography.
Form Factor: USB, Lightning, and NFC* devices that support the U2F or WebAuthn** standards
User Experience:
• Fast and easy to use
• Recognizes and denies fraudulent requests
• Connectivity isn’t required
• No batteries needed
Considerations:
• Requires browser support (limited for U2F)
• Users could leave key unattended or plugged in all the time
• Operational overhead for purchasing, stocking, and distributing devices to users
Cost: Starts around $20

* NFC devices aren’t supported in products built on the Salesforce Platform.
** WebAuthn isn’t supported in products built on the Salesforce Platform. WebAuthn-compatible keys aren’t supported in non-Chromium versions of the Edge browser.
2 Implement MFA for Salesforce
Get ready for MFA, then roll it out to your users
The Recommended Path to MFA

Get Ready
• Evaluate which verification methods meet your business and user requirements.
• Inventory users, roles, and permissions to identify your privileged users (they’re your top priority) and to determine the level of effort for your project.
• Plan rollout, change management, implementation, testing, and user support strategies.

Roll Out
• Kick off change management activities to engage and prepare users for MFA.
• Work with your support team to establish an access recovery process and train them to handle MFA issues.
• Distribute verification methods to users.
• Enable MFA for user interface logins.
• Help users register and log in with a verification method.

Manage
• Collect feedback and monitor usage metrics to ensure users are adopting MFA.
• Support ongoing operations and assist users with authentication issues.
• Optimize your overall security strategy.
Plan Your Rollout
To ensure a successful rollout, cover these criteria in your project plan.

Rollout Strategy
• Determine who is required to use MFA. Admins and other privileged users are your top priority.
• Decide if you’ll roll out MFA to everyone at the same time, or go live in phases to different groups over time.
➤ TIP: We recommend starting with a pilot group to test the rollout process and fine-tune things.

Change Management
• Communicate upcoming changes to users.
• Build awareness and get user buy-in with campaigns and promotional materials.
• Train users on MFA concepts and how to obtain, register, and use verification methods to log in with MFA.
• Create registration and troubleshooting materials for your launch day.

Support Team
• Establish policies and processes for ongoing operations, including helping users with lost or forgotten verification methods.
• Train your support team on setup, troubleshooting, and access recovery steps.
• Update your employee onboarding procedures so new hires get MFA from the start.
When You’re Ready to Go Live
When you turn on MFA, each user is responsible for setting up their own verification methods. Here’s the
recommended approach for your launch.

Admin
• Kick things off by distributing verification methods to users, along with instructions for the registration process.
• Encourage users to register at least one method ahead of time so they avoid delays logging in after MFA is live.
• Then turn on MFA for user interface logins by enabling it for everyone or just the desired users.

Users
• Each user must register a verification method to connect it to their Salesforce account. Users are automatically invited to do so the next time they log in (unless they registered a method before MFA was enabled).
• For all subsequent logins, users are required to supply the method in addition to their username and password.
Enable MFA for Your Users
The way you enable MFA is determined by your Salesforce product. Here’s an overview for each product that currently supports MFA.

➤ TIP: We recommend distributing verification methods before you enable MFA so users can get a head start registering a method.

B2C Commerce Cloud
1. Make sure you’ve migrated Business Manager users to Account Manager via Unified Authentication.
2. Verify that the desired set of verification methods are enabled.
3. Open Account Manager’s Organization settings.
4. In the MFA Settings section, select MFA enabled for all users in the organization. Or select specific roles to roll out in phases.
See Enabling MFA for Business Manager Users for full details.

Marketing Cloud⎯Datorama
In August 2020, MFA was enabled for all Datorama customers. If you disabled MFA for your account, it’s easy to turn it back on.
1. In Account Settings, select Require Multi-Factor Authentication.
2. Click Save.
See Multi-Factor Authentication (MFA) in the Datorama Success Center for full details.

Marketing Cloud⎯Email, Mobile, & Journeys
1. Verify that the desired set of verification methods are enabled for your account.
2. In Setup > Security > Multi-Factor Authentication, select Enable Multi-Factor Authentication.
See Transition Your Tenant from IDV to MFA in Marketing Cloud in Salesforce Help for full details.

Products Built on the Salesforce Platform
1. If you’re using security keys, enable this option for your org.
2. Assign the Multi-Factor Authentication for User Interface Logins user permission via a permission set or directly in custom profiles.
See Set Multi-Factor Authentication Login Requirements in Salesforce Help for full details.
The User Experience When MFA is Live
When MFA is enabled for user interface logins, each user
must have at least one registered verification method before
they can log in to Salesforce. The registration process
connects a method to the user’s Salesforce account.

Users can register methods at any time. If a user doesn’t have a method ready by the time MFA is enabled, they’re automatically prompted to register one the next time they log in. On-screen prompts guide users through the process.

Registration and login steps vary a little for each verification method.
Let’s take a closer look.
• Salesforce Authenticator
• Third-Party Authenticator Apps
• Security Keys
Salesforce Authenticator: How Users Register and Log In
To register and connect the app:
1. On a mobile device, download and install the app from the Apple Store or Google Play.
2. On your Salesforce product’s login screen, enter a username and password.
3. For products built on the Salesforce Platform: The Salesforce Authenticator screen displays by default.
   For B2C Commerce Cloud OR Marketing Cloud⎯Email, Mobile, & Journeys: Select Salesforce Authenticator from the list of verification methods.
4. Open Salesforce Authenticator and tap Add an Account. The app displays a two-word phrase.
5. On the Connect Salesforce Authenticator screen, enter the phrase in the Two-Word phrase field, then click Connect.
6. In Salesforce Authenticator, verify that the request details are correct, then tap Connect.

➤ TIP: To use Salesforce Authenticator with Marketing Cloud⎯Datorama, follow the steps for registering a third-party authenticator app.
To log in using the app:
1. On your Salesforce product’s login screen, enter a username and password, as usual.
2. On the mobile device, respond to the push notification to open Salesforce Authenticator.

3. In Salesforce Authenticator, verify that the request details are correct, then tap Approve
to finish logging in to Salesforce.
Third-Party Authenticator Apps: How Users Register and Log In
To register and connect a TOTP authenticator app:
1. On a mobile device, download and install an authenticator app.
2. On your Salesforce product’s login screen, enter a username and password.
3. For products built on the Salesforce Platform: Click Choose Another Verification Method in the bottom left corner of the Connect Salesforce Authenticator screen, then select One-Time Password Generator.
   For B2C Commerce Cloud OR Marketing Cloud⎯Email, Mobile, & Journeys: Select One-Time Password Generator.
   For Marketing Cloud⎯Datorama: The authenticator app registration screen displays automatically.
4. Open the authenticator app and select to add a new account.
5. Use the authenticator app to scan the QR barcode that’s displayed on the app connection screen.
   If scanning the QR barcode isn’t an option, manually generate your security key. Then enter it in the authenticator app.
6. On the app connection screen, enter the code generated by the authenticator app, then click the button to connect and log in.

To log in using a TOTP authenticator app:
1. On your Salesforce product’s login screen, enter a username and password, as usual.
2. Open the authenticator app.
3. On the identity verification screen, enter the code generated by the authenticator app in the designated field, then click the button to verify and finish logging in to Salesforce.
Security Keys: How Users Register and Log In
To register and connect a security key:
1. In a supported browser, go to your Salesforce product’s login screen and enter a username and password.
2. For products built on the Salesforce Platform: Click Choose Another Verification Method in the bottom left corner of the Connect Salesforce Authenticator screen, then select Security Key.
   For B2C Commerce Cloud OR Marketing Cloud⎯Email, Mobile, & Journeys: Select Security Key from the list of verification methods.
3. Connect the security key to the computer, then click Register.
4. When prompted by the browser, press the button on the security key to finish logging in.

To log in using a security key:
1. In a supported browser, go to your Salesforce product’s login screen and enter a username and password, as usual.
2. When the Verify Your Identity screen displays, connect the security key, then click Verify.
3. When prompted by the browser, press the button on the security key to finish logging in.

* Marketing Cloud⎯Datorama customers: Security keys aren’t supported at this time.


3 Ensure Successful Adoption of MFA
Manage your users’ experience with MFA
Measure the Success of Your Rollout
Ensure your users are adopting MFA and getting the support they need.

Collect and evaluate user feedback


• Check in with users periodically to understand how they feel about the new MFA login
requirement and see if there are any pain points that you can address.
• To gather feedback, conduct online polls, use a survey app, or schedule focus group
sessions.

Monitor MFA usage


• Review help desk tickets and logs to see if there are recurring
problems with registering verification methods or logging in.
• Analyze usage patterns, including any changes to the volume
of daily or monthly Salesforce logins and who’s using which
methods.
• Look for spikes and trends related to issuing temporary
verification codes.
• Depending on your Salesforce product, take advantage of
built-in tools to help monitor MFA adoption.
Support Users and Ongoing Operations
Work with your support team to handle operational issues and the day-to-day needs of
your users. Likely considerations include:

• Troubleshooting and resolving login and authentication problems, including account lockouts.
• Helping users recover access if they’ve lost or forgotten their verification methods.
• Enabling MFA for new employees as part of your new hire onboarding process.
• Stocking and distributing security keys, if you’re supporting this type of verification method.

Recover Access With Temporary Verification Codes
Generate temporary codes for users who can’t access their usual MFA verification methods. A code can be used multiple times until it expires.

➤ NOTE: Temporary codes aren’t available yet for B2C Commerce Cloud or Marketing Cloud⎯Datorama.
4 Learn More
Be an MFA Trailblazer — Check out these additional resources
Additional Resources

Join the MFA discussion in the MFA – Getting Started Trailblazer Community!

More Information about MFA
• Salesforce MFA FAQ
• Salesforce Security Guide
• Introduction to Salesforce Authenticator (video)

Learn About MFA Using Trailhead
• User Authentication
• Identity Basics
• Security Basics

For Products built on the Salesforce Platform
• Launch Multi-Factor Authentication (video)
• Set Up Multi-Factor Authentication (help)
• How to Roll Out Multi-Factor Authentication (help)

For B2C Commerce Cloud
• B2C Commerce MFA and Unified Authentication for Business Manager (video)
• Enabling MFA for Business Manager Users: A Step-By-Step Guide

For Marketing Cloud⎯Datorama
• MFA Knowledge Article
• MFA FAQ

For Marketing Cloud⎯Email, Mobile, & Journeys
• MFA for Marketing Cloud (help)
• MFA for Marketing Cloud FAQ