
* MFA - Getting Started *

Welcome! This group is dedicated to helping you protect Salesforce account access with Multi-Factor Authentication (also known as MFA, and formerly called Two-Factor Authentication or 2FA). Join the conversation here to ask questions, get answers, learn best practices, and share your experiences.

This group is maintained and moderated by Salesforce employees. The content received in this group falls under the official Forward-Looking Statement: http://investor.salesforce.com/about-us/investor/forward-looking-statements/default.aspx

We have SSO set up in Salesforce via O365/Azure. I have a single user who says he must authenticate daily but only when logging into Salesforce and not any MS application. We all use the Microsoft Authenticator app.

What could cause this for only one user? I don't have admin access to O365/Azure. I am a Salesforce admin. The IT department has not been able to help this guy, but I am trying to.

Thanks!

2 answers
  1. Feb 21, 1:39 PM

    Thank you for responding. No, he shares a Profile with many users. We only have 3 Profiles and Sys Admin. We're all about Permission Sets/Groups and he shares a Permission Set Group with many users who don't have this issue. I don't think the issue is with Salesforce. Just a hunch. Thanks again.


Hi,

I am working on enabling MFA for our Community Cloud users. I've added the necessary permissions for a few users in the sandbox. We use a custom field (number) for login instead of mobile or email addresses. When a user logs in for the first time, MFA connects successfully with the authenticator. However, after logging out, the user is unable to log back in and is redirected to the login page. I'm unsure how to proceed from here. Your input would be greatly appreciated.

Thanks.

1 answer

Hi,

I am trying to implement MFA for community users with Apex so that when they log in, some users will need to use the Salesforce Authenticator app to complete the login.

I am first trying to make the user register with the authenticator app:

UserManagement.registerVerificationMethod(Auth.VerificationMethod.SALESFORCE_AUTHENTICATOR, '/');

but I get:

11:43:03.4 (187484011)|EXCEPTION_THROWN|[17]|System.NoAccessException: Insufficient Privileges: You do not have the level of access necessary to perform the operation you requested. Please contact the owner of the record or your administrator if access is necessary.

It seems it returns a page reference with sys admin context but not in community user context.

Also, when I query TwoFactorMethodsInfo I get:

sObject type 'TwoFactorMethodsInfo' is not supported

What am I missing? Is MFA not enabled at all?

I also tried registering SMS and EMAIL as a verification method. Those return a page reference (it seems to verify the email/phone number), but when I redirect to the page I get a 302 and get redirected to the same page I came from.

10 comments
  1. Feb 10, 5:41 PM

    Hey @Jani Ruohomaa

    Were you able to implement this? I am currently trying to implement something similar. I am using the flow from this example:

    https://help.salesforce.com/s/articleView?id=xcloud.security_login_flow_examples.htm&type=5

    However, I am unable to access the TwofactorInfo object from the flow even though I have given myself the "Manage Multi-Factor Authentication in API" permission. Is there anything other than this that I am missing?

    Thanks,

    Venky

I want to set up MFA for partner users, so I don't know their setup. I want to prepare a list of reputable desktop authenticators for users without mobile but am having trouble finding any. Could I get assistance please, or are there any that you recommend? Thanks.

3 answers
  1. Jan 23, 7:11 PM

    When setting up MFA for Partner Users do you lose the "Log in as" feature? I know this was an issue in the past.

I'm curious how to deal with MFA when it is mandatory regarding automated tests that log into the Salesforce UI.

We have a huge library of cucumber/selenium tests that we run against dev orgs. They currently use username/password to log in to the various orgs. Obviously, it is impractical to use something like a cellphone app to have someone confirm the logins. These tests will run for hours and log in 100s of times.

Anyone know how to deal with MFA when automated programs will log into the UI?

7 comments
  1. Jan 22, 8:18 PM

    I also want to understand this situation, but as per my understanding, we can get the token ID from the user using a third-party tool where the token ID gets generated, and enter the user token in the required field to match it.

    Let me know if I need to understand it in a different way.
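As an added example (not part of the thread and not Salesforce's own code): when a dedicated test user is enrolled with a third-party TOTP authenticator, a test harness can derive the code from the enrollment key itself and wait out a window that is about to expire before typing it into the verification field. It assumes RFC 6238 defaults (base32 key, HMAC-SHA1, 30-second steps, 6 digits); the function names are illustrative and the sample key is the RFC test key.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30  # seconds per TOTP window (RFC 6238 default; assumed here)

def decode_secret(b32: str) -> bytes:
    """Decode a base32 enrollment key as typically shown on a setup screen."""
    cleaned = b32.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # setup screens usually omit padding
    return base64.b32decode(cleaned)

def totp(key: bytes, at: float, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the window that contains time `at`."""
    counter = struct.pack(">Q", int(at) // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)  # keep leading zeros

def seconds_left(at: float) -> int:
    """Seconds until the current window rolls over."""
    return STEP - int(at) % STEP

def code_for_login(key: bytes, min_left: int = 5,
                   now=time.time, sleep=time.sleep) -> str:
    """Return a code with at least `min_left` seconds of validity left, so it
    does not expire while the browser driver is still typing it."""
    remaining = seconds_left(now())
    if remaining < min_left:
        sleep(remaining)  # wait for the next window instead of racing it
    return totp(key, now())

# Constructed sample: the RFC 6238 test key, not a real account secret.
SAMPLE_B32 = "GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ"

if __name__ == "__main__":
    print(code_for_login(decode_secret(SAMPLE_B32)))
```

The enrollment key alone is enough to pass the second factor, so keep it in the CI secret store and use it only for dedicated test users in dev orgs.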

A user accidentally removed their Salesforce account from Authenticator. They deleted the app and reinstalled it. After initial set-up (phone number and text, passcode setup) they tried logging in to Salesforce and saw this screen. After clicking on Use a Different Verification Method, selecting the Approve using Salesforce Authenticator option leads them back to the screen below. Selecting the "Use a code from an authenticator app" option didn't seem to help, as the 2-word phrase from Authenticator set-up doesn't work in this step and there's no clear way to generate another type of code from Authenticator.

Our Salesforce architect found a temporary solution by turning off MFA for this user and somehow generating a code they could use upon login. But we need to find a way to have this user reconnect their Salesforce account to Authenticator and continue using MFA upon login, as all users in our organization are required to. What should we do?

authenticator Check Mobile Device screen.PNG

4 answers
  1. Jan 14, 2:17 PM

    Hi @Josh Millhouse,

    In my case, my ID was removed accidentally from Salesforce Authenticator, and now it is asking for the code from the authenticator app while logging in. As I am unable to log in to the org, how do I proceed in this case?

Hi there

I wonder if anyone can answer a couple of questions that I feel sure someone on here will be able to help with.

  1. Salesforce out-of-the-box users: I am assuming these are exempt (example: Field Service Optimization user).
  2. Also, when the Winter 24 release was applied to our sandboxes I assumed MFA was auto-enabled. This was not the case, so this would suggest that this will not be auto-applied to the production org?

Thanks in advance

2 answers
  1. Manoj Nambirajan (Dell Technologies) Forum Ambassador
    Sep 22, 2023, 8:25 AM

    @John Pritchett exemption depends on whether the user doesn't log in through the user interface. MFA is applicable to all users who log in to Salesforce via the user interface (like a browser).

    With regard to auto-enforcement, it's done in phases, with some covered in Winter '24 and the remainder in Spring '24. The link below has details:

    https://help.salesforce.com/s/articleView?id=release-notes.rn_security_mfa_auto_enablement_phase3.htm&release=244&type=5

    Hence, in your org under Setup | Identity Verification | Require multi-factor authentication (MFA) for all direct UI logins to your Salesforce org: if the setting is not enabled, you can enable it and test in sandbox.

    Do watch for this checkbox for Winter '24. As per the shared link, if enforcement is not meant for Winter '24, then it could be bound for Spring '24.

    Please also raise a case with Salesforce support to get a tentative rollout date for your org.

3 answers
  1. Dec 30, 2024, 8:53 PM

    Hi @Diane Richardson ,

    It sounds like you're experiencing a frustrating situation with the authentication process.  Here are a few steps you can take to resolve this issue:

    1. Confirm Account Details: Double-check if you might have previously created an account using the same email or phone number. Sometimes, accounts are created during earlier interactions without realizing it.
    2. Reset the Account (if applicable): If the app thinks you own an account but you're unsure, try using the "Forgot Password" option to reset access. This might resolve the issue and allow you to validate your ID.
    3. Clear Cache and Reinstall the App: Sometimes, apps can behave unpredictably due to cached data. Clearing the cache or reinstalling the app might fix the issue.
    4. Contact Support: Reach out to the app's customer support team for assistance. They can help verify your identity and troubleshoot any account-related issues. Provide as much detail as possible about the problem.
    5. Alternative Validation Methods: If the app continues to cause issues, check with your foster program coordinator to see if they offer alternative methods for validating your ID or accessing the classes.

    If you are facing any more issues as mentioned by @sakshi nagpal, please share a screenshot of the error for better understanding.

    Thanks,

    Shubham

1 answer
  1. Feb 1, 2022, 2:12 AM

    @MOHAMMAD FEROZ, your users won't experience any changes on February 1. Salesforce will automatically enable and enforce MFA for direct logins in the future -- the milestones for each Salesforce product are in the MFA Enforcement Roadmap.

    Please keep in mind that if your users aren't logging in with MFA starting February 1, you will be out of compliance with your Salesforce service agreements. If you're concerned about being out of compliance for a few days while you finish up your implementation, you can contact your Salesforce representative.