Activate Multi-Factor Authentication (MFA)
In the near future, Salesforce will require everyone to use Multi-Factor Authentication (MFA). This extra step of security helps confirm that it's really you logging in—and not a nefarious hacker. For those of you who are ready to bump up your security now—we've made it very easy for you to enable this highly recommended feature. Users created after your upgrade to R45 will be MFA enabled by default. If you need more time, simply clear the Enable Multi-Factor Authentication check box on the user details page.
If you have single sign-on, additional considerations must be made. See the Salesforce Multi-Factor Authentication FAQ knowledge article to learn more.
Before enabling MFA, make sure you notify your users how this will change their login experience, and when you plan to activate it.
Enable MFA
If your org is on R42 (released July 2021) or higher, corporate administrators will see the Enable Multi-Factor Authentication check box in the User Details page. Select that option and click Save—that's all it takes.
MFA-enabled users must have a mobile device that they can access each time they log in. They must download the Salesforce Authenticator app, which is free in the App Store and Google Play.
New login experience
After you enable MFA for a user, the next time they log in they will be prompted to connect Salesforce Authenticator.
When they open the app on their mobile device, it displays two words that they type, click Connect, and then they are fully set up with MFA. Yes, it's that easy.
From that point forward, when they log in, the Salesforce Authenticator app sends a push notification on their mobile device, they tap Approve, and then their Home page opens as usual.
If you have users that share a mobile device, you can set up multiple logins on the same device.
Temporary Verification Code
When a user forgets to bring their device to work, a Corporate administrator can provide a temporary code to use in place of their usual method for MFA.
Open their user profile, click Generate to display a Temporary Verification code, and then communicate that code to the user. You are not able to pull up the code again, so make sure you capture it immediately before closing the window.
The same code can be re-used to access the system throughout the day so you'll want to make sure they keep it safe. If they lose it, you'll need to call support to expire the code before you can generate a new one.
Disconnect MFA
If the user gets a different phone, open their User Details page and click Disconnect MFA Device. The next time they log in, the setup routine will repeat and they can connect their new phone.