Activate Multi-Factor Authentication (MFA)

Multi-Factor Authentication (MFA) is an authentication process that requires an additional verification method from users to access Salesforce and Delphi. This process provides an extra level of security to protect your organization. This feature is available with version R42 and higher.

If you have single sign-on enabled, users still need a secondary device to complete the authentication. If you have users without mobile phones, you need to supply one of the supported devices. Learn more about single sign-on and devices in the Salesforce Multi-Factor Authentication FAQ article.

Review all the following information before you enable MFA.

To enable MFA

To assign to a single user

  1. Go to Setup and enter 'Users.' When you see it display, select it and click the name of a user. The User Detail page displays.

  2. Hover over Permission Set Assignments and click Edit Assignments. The Permission Set Assignments page displays.

  3. Select Enable Multi-Factor Authentication, click Add to move it to Enabled Permission Sets, and then click Save.

    MFA-enabled users need to have a secondary device they can access each time they log in. They also need to download the Salesforce Authenticator app, which is free in the App Store and Google Play.

To assign to multiple users

  1. Go to Setup and enter 'Permission Sets.' When you see it display, select it. The Permission Sets page displays.

  2. From the list of permission sets, click Enable Multi-Factor Authentication. The Permission Set Detail page displays.

  3. Click Manage Assignments. The Current Assignments page displays.

  4. Click Add Assignment. The Select Users to Assign page displays.

  5. Select the users to assign and then click Next. The list of selected users displays.

    Do not apply the MFA permission set to System Administrator, Support User, or NWSIntegrationUser. These users control technical functions for Amadeus. For custom integrations, you might see other similarly named users. These users do not count toward your purchased licenses.

  6. Select a code expiration option and click Assign.

To log in with MFA

After you enable MFA for users, the next time they log in they are prompted to connect with Salesforce Authenticator. When they open the Authenticator app on a mobile device, it displays two security words. Users need to enter the correct words in Salesforce, and click Connect. That completes the MFA setup process.

Multiple Authenticator accounts can be created on the same mobile device, if needed.

With the process complete, when users log in, the Salesforce Authenticator app sends a push notification to the mobile device. When users tap Approve, the Delphi Home page displays as usual.

To use the merge tool with MFA

Administrators that have MFA enabled no longer use a security token to log in to the merge tool. Instead of adding the security token, administrators need to add the code from the Salesforce Authenticator app. The code is added to the end of the Salesforce password with no spaces. For example, if the password is 'myPassword' and the authentication code is '1234567', then enter 'myPassword1234567.'

The app changes the code every 30 seconds. A best practice is to wait for a code change before you enter the code in the merge tool password field. Make sure to click Log in before the code changes again.

To log in without a mobile device

Under certain circumstances, a corporate administrator can allow a user to log in without the mobile device. To do so, the administrator can open a user's profile in Setup and click Generate by Temporary Verification Code. The code can be set to expire anywhere from 1 hour to 24 hours. After all selections are made, the admin can click Generate Code and give the code to the user.

To disconnect MFA

When users get new mobile devices, the MFA link to the old device needs to be disconnected. Administrators need to open the users' profiles and click Disconnect by App Registration: Salesforce Authenticator. The next time the users log in, they are prompted to connect the new device with Salesforce Authenticator.