
Coming February 2022, Salesforce will require all licenses to employ Multi-Factor Authentication. Here’s what you need to know.

Your database houses the history of your organization. From records that chart the arc of your donor relationships to the archive of annual giving that charts your growth to campaign information tracking what works and what doesn’t for your organization—this data is unique to you and it is one of your most valuable assets.

This data is irreplaceable and fundamental to your growth and success. And so it is well worth protecting. This starts with qualifying everyone who has access to your database. Don’t hand it out willy-nilly, but make sure that those who can access your database are trustworthy and need that access.

It is also highly recommended to build up several layers of security. Some of the top recommendations are:

  • Give employees just enough access to enable them to do their jobs
  • Require 10+ character long passwords
  • Set a reasonable screen timeout, where a person will be logged out after a period of inactivity

Although most of these security settings are recommended, none are required.

However, a new security requirement is coming to Salesforce soon, and many organizations have yet to adopt this feature. It’s called Multi-factor Authentication (MFA).


Earlier this year, Salesforce announced that MFA will be required for any user to log into a Salesforce product beginning February 1, 2022. While MFA adds a few seconds when logging in, those extra seconds do add an extra barrier against people trying to wrongly log in under someone else’s credentials.

The way it works is that after entering your username and password, you will be directed to a loading screen that acts as a “waiting room.” You remain in limbo until you verify your identity using an app on your cell phone. (If you don’t have a smartphone, Salesforce offers an alternative method of verification.) As the security mantra goes, logging in safely requires something you know (a username and password) and something you have (a mobile device) to verify that you are the one logging into your account.

This will certainly add a strong layer of security to everyone’s system, helping protect Salesforce users from account hacking. Without MFA, anyone who obtains another person’s credentials can use them to log into Salesforce. With MFA, that intruder can enter the credentials, but would then be unable to log into Salesforce because they could not verify their identity in the second step.


It is important to note that MFA will prevent the practice of multiple people sharing one user account. This practice sounds harmless and may save you from buying extra licenses, but it does expose you to more risk: when licenses are shared, credentials are passed back and forth, which creates multiple exposure opportunities for hackers and makes it harder to track down who has access. By restricting one user to one set of login credentials and enforcing MFA, Salesforce will curb this practice and reduce risk exposure.

The main challenge brought on by forced implementation of MFA is that many organizations are not yet prepared to make this change. Next year, Salesforce will flip a switch and anyone who is not already set up on MFA will be locked out of Salesforce until MFA is set up. Fortunately, the steps to set up and implement MFA at your organization are manageable with some foresight.


Here are the most important steps that the main Salesforce administrators need to take to set up MFA before Salesforce forces this feature onto all users in early 2022.

  • My Domain setting. To make use of MFA, you must have set up My Domain. This is a custom URL that you request from Salesforce. My Domain is in itself another security feature and helps distinguish your Salesforce instance from that of other organizations. Note that if you have any hard-coded URLs in your system, those may need to be updated to account for your new URL. This step can often be completed in less than an hour, from when you request the domain from Salesforce to when the domain is ready to go. It is a pretty painless step.
  • Create a new MFA permission set. Salesforce makes this part easy, but it is a necessary step. There are also several permission settings regarding MFA that are very similarly worded, so it is important to ensure that you have selected the right one for your new permission set. You can always test this by assigning it to one person. The permission is called “Multi-Factor Authentication for User Interface Logins,” and all you have to do is check the box in your new permission set before assigning it to users. This step can often be completed in less than an hour, though you may want to wait on assigning this permission set to any users who are not part of testing until they know what is expected of them.
  • Communicate to all Salesforce users at your organization about this change and set them up on MFA a few at a time. Each user needs to be aware of the change—that login will require an extra step and that they need to have a verification method ready before they can set up MFA. The simplest verification method is the Salesforce Authenticator app available from all mobile app stores. If the user decides to use the app, they will need to download the app to their phone. This rollout can be very smooth as long as everyone is aware of the part they need to play.
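To track the rollout described in the steps above, an administrator can compare an export of users against an export of permission set assignments. The following is an added example, not part of the original article or any Salesforce tooling: the sample rows are constructed, `MFA_Required` is a hypothetical name for the new permission set, and the acknowledgement list is an assumed record of who has been briefed.

```python
import csv
import io

# Constructed sample exports (not real data). Column names follow the standard
# User and PermissionSetAssignment objects; "MFA_Required" is a hypothetical
# name for the permission set created in the second step.
USERS_CSV = """Id,Username,IsActive
005A,dana@example.org,true
005B,lee@example.org,true
005C,sam@example.org,true
005D,former@example.org,false
005E,kim@example.org,true
"""
ASSIGNMENTS_CSV = """AssigneeId,PermissionSet.Name
005A,MFA_Required
005C,Fundraising_Reports
"""
# Hypothetical list of users who have confirmed they read the announcement.
ACKNOWLEDGED = {"lee@example.org", "kim@example.org"}


def plan_rollout(users_csv, assignments_csv, acknowledged,
                 mfa_set="MFA_Required", batch_size=1):
    """Return (covered, batches, needs_notice) for active users."""
    has_mfa = {row["AssigneeId"]
               for row in csv.DictReader(io.StringIO(assignments_csv))
               if row["PermissionSet.Name"] == mfa_set}
    covered, ready, needs_notice = [], [], []
    for row in csv.DictReader(io.StringIO(users_csv)):
        if row["IsActive"].lower() != "true":
            continue  # inactive users cannot log in, so they need no rollout
        name = row["Username"]
        if row["Id"] in has_mfa:
            covered.append(name)       # already holds the MFA permission set
        elif name in acknowledged:
            ready.append(name)         # briefed, safe to assign next
        else:
            needs_notice.append(name)  # must be contacted before assignment
    # Assign the permission set a few users at a time, as the last step advises.
    batches = [ready[i:i + batch_size] for i in range(0, len(ready), batch_size)]
    return covered, batches, needs_notice


if __name__ == "__main__":
    covered, batches, needs_notice = plan_rollout(
        USERS_CSV, ASSIGNMENTS_CSV, ACKNOWLEDGED)
    print("Already on MFA:", covered)
    for n, batch in enumerate(batches, 1):
        print(f"Batch {n}:", batch)
    print("Contact before assigning:", needs_notice)
```

The check only looks at the one permission set named in `mfa_set`, so users who are covered some other way will show up as uncovered and should be reviewed by hand.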

Fortunately, setting up MFA in a Salesforce organization does not require purchasing an upgraded plan. Anyone can set this up without an extra fee. The Salesforce Authenticator app is free to download and use. Alternatively, if your organization already has a third-party authenticator app you use and prefer, this will satisfy the Salesforce requirement as well.

For Salesforce users, you still have over six months to get everyone on your team on board. Let the decision makers know that in the long run, MFA is a non-negotiable if you plan to continue using Salesforce. You still have six months to avoid MFA, but the day is approaching when you can no longer put off this change.

For non-Salesforce users, you should consider looking into a third-party authenticator app for your database and finding out what it would take to set up MFA or other security measures in your system to protect both your future and your past. While MFA is an extra step—for administrators and users—it does provide added security for one of your most valuable assets: your data.
