Activate Multi-Factor Authentication (MFA)

At some point in the future, Salesforce will require the use of Multi-Factor Authentication (MFA). This extra step of security helps confirm that it's really you logging in—and not a nefarious hacker. For those of you who are ready to bump up your security now, we've made it very easy for you to enable this highly recommended feature.

If you have single sign-on, additional considerations apply. Authentication must be completed on a secondary device. If you have users without mobile phones, you will have to provide one of the supported devices. Learn more about single sign-on and devices in the Salesforce Multi-Factor Authentication FAQ article.

Before enabling MFA, make sure you notify your users how this will change their login experience, and when you plan to activate it.

Enable MFA

If your org is on R42 (released July 2021) or higher, corporate administrators follow these steps:

To assign to a single user

  1. Go to Setup and start typing "Users" without hitting Enter. When you see it appear, select "Users" and click the name of a user to open the User Detail page. (Don't click Edit - you can't do this in edit mode.)

  2. Point to the Permission Set Assignments link and click Edit Assignments.

  3. Select Enable Multi-Factor Authentication, click Add to move it to Enabled Permission Sets, and then click Save.

 

MFA-enabled users must have a secondary device that they can access each time they log in. They must download the Salesforce Authenticator app, which is free in the App Store and Google Play.

To assign to multiple users

  1. Go to Setup and start typing "Permission Sets" without hitting Enter. When you see it appear, select it and click Enable Multi-Factor Authentication.

  2. Click the Manage Assignments button to open the Assigned Users page.

  3. Click the Add Assignments button. Select the users and then click Assign.

Do not apply the MFA permission set to User, Support or NWSIntegrationUser. These users control technical functionality for Amadeus, which can break if the users are modified. These users do not count against your purchased licenses. For custom integrations, you may see other similarly named users - do not assign MFA to any user with System Administrator or NWS Integration User profiles.
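
A pre-assignment check for the exclusion rule above, as an added example (not Amadeus or Salesforce code): it filters a candidate list before you select users on the Assigned Users page. The record fields "name" and "profile" and the sample users are assumptions constructed for illustration.

```python
# Added example: field names ("name", "profile") are assumed, not a Salesforce export schema.
EXCLUDED_NAMES = {"user", "support", "nwsintegrationuser"}
EXCLUDED_PROFILES = {"system administrator", "nws integration user"}


def _norm(value):
    """Case-fold and collapse whitespace so 'NWS  Integration user ' still matches."""
    return " ".join(str(value or "").split()).casefold()


def exclusion_reason(user):
    """Return why a user must not get the MFA permission set, or None if eligible."""
    name = _norm(user.get("name"))
    profile = _norm(user.get("profile"))
    if name.replace(" ", "") in EXCLUDED_NAMES:
        return "reserved user name"
    if profile in EXCLUDED_PROFILES:
        return "excluded profile"
    if not name or not profile:
        # Fail closed: never bulk-assign a record that cannot be classified.
        return "incomplete record, review manually"
    return None


def plan_assignments(users):
    """Split candidates into (assign, skipped), where skipped maps name -> reason."""
    assign, skipped = [], {}
    for user in users:
        reason = exclusion_reason(user)
        if reason:
            skipped[user.get("name") or "<unnamed>"] = reason
        else:
            assign.append(user["name"])
    return assign, skipped


# Constructed sample data, not taken from a real org.
SAMPLE_USERS = [
    {"name": "Dana Ortiz", "profile": "Sales Manager"},
    {"name": "NWSIntegrationUser", "profile": "NWS Integration User"},
    {"name": "support", "profile": "Standard User"},
    {"name": "CustomFeedSync", "profile": "nws integration user "},
    {"name": "Lee Park", "profile": ""},
]

if __name__ == "__main__":
    to_assign, to_skip = plan_assignments(SAMPLE_USERS)
    print("assign:", to_assign)
    for skipped_name, why in to_skip.items():
        print("skip:", skipped_name, "-", why)
```

Records with a missing name or profile are skipped rather than assigned, so an incomplete export cannot put the permission set on an integration user by accident.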

New login experience

After you enable MFA for a user, the next time they log in they will be prompted to connect Salesforce Authenticator.

When they open the app on their mobile device, it displays two words. They type the two words, click Connect, and then they are fully set up with MFA. Yes, it's that easy.

From that point forward, when they log in, the Salesforce Authenticator app sends a push notification to their mobile device. They tap Approve, and then their Home page opens as usual.

If you have users that share a mobile device, you can set up multiple logins on the same device.

MFA and the merge tool for administrators

When MFA is enabled, you no longer have a security token, which is required to log in to the merge tool that administrators use to format merge templates. Instead of adding your security token, you will add the code from the Salesforce Authenticator app.

The app changes your code every 30 seconds. So enter your user name and password, then open the Salesforce Authenticator app, wait for the code to change, and then type it immediately following your password with no spaces. For example, if your password is "myPassword" and your authentication code is "1234567", you'll enter myPassword1234567. Make sure you click Log in before the code changes again.

What if a user forgets their phone?

If the user forgets to bring their phone to work, a corporate administrator can open their user profile in Setup and click Generate next to Temporary Verification Code. You can set the code to expire anywhere from 1 hour to 24 hours. Select the length of time they will work their current shift, click Generate Code, and then provide the code to the user.

Disconnect MFA

If the user gets a different phone, open their user profile and click Disconnect next to App Registration: Salesforce Authenticator. The next time they log in, the setup routine will repeat and they can connect their new phone.