Set Two-Factor Authentication Login Requirements
You can require two-factor authentication each time a user logs in with a username and password to Salesforce, including orgs with custom domains created using My Domain. To set the requirement, select the Two-Factor Authentication for User Interface Logins permission in the user profile (for cloned profiles only) or permission set.
To see how to set up a two-factor authentication requirement for your org and how your users can use the Salesforce Authenticator app, watch the video Salesforce Authenticator: Set Up a Two-Factor Authentication Requirement (Salesforce Classic).
Users with the Two-Factor Authentication for User Interface Logins permission have to provide a second factor, such as a mobile authenticator app or U2F security key, each time they log in to Salesforce.
You can also use a profile-based policy to set a two-factor authentication requirement for users assigned to a particular profile. Use the profile policy when you want to require two-factor authentication for users of the following authentication methods:
- SAML for single sign-on
- Social sign-on to Salesforce orgs or Communities
- Username and password authentication into Communities
All Salesforce user interface authentication methods, including username and password, delegated authentication, SAML single sign-on, and social sign-on through an authentication provider, are supported. In the user profile, set Session security level required at login to High Assurance. Then set session security levels in your org’s session settings to apply the policy for particular login methods. Also in your org’s session settings, review the session security levels to make sure that Two-Factor Authentication is in the High Assurance column.
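The profile policy above depends on two settings agreeing with each other, so it is worth checking them together. The following is an added example, not Salesforce code: a simplified model of the policy run over a constructed copy of an org's session security levels. The method labels, the function name `audit_profile_policy`, and the assumption that a login method already placed at High Assurance satisfies the policy without a two-factor challenge are all part of the example, not taken from this page.

```python
# Added example: a simplified model of the profile-based policy, not Salesforce code.
HIGH, STANDARD = "HIGH_ASSURANCE", "STANDARD"

# Constructed sample of the session security level columns in session settings.
# Method labels are chosen for this example.
SESSION_LEVELS = {
    "Username Password": STANDARD,
    "Delegated Authentication": STANDARD,
    "SAML": HIGH,  # deliberately placed at High Assurance for the demonstration
    "Authentication Provider": STANDARD,
    "Two-Factor Authentication": HIGH,
}


def audit_profile_policy(required_at_login, session_levels):
    """Return {login_method: finding} for one profile's login requirement.

    Assumption of this model: a login method whose session level is already
    High Assurance meets the profile requirement without a 2FA challenge.
    """
    two_factor_is_high = session_levels.get("Two-Factor Authentication") == HIGH
    findings = {}
    for method, level in session_levels.items():
        if method == "Two-Factor Authentication":
            continue  # this row is the second factor itself, not a login method
        if required_at_login != HIGH:
            findings[method] = "no profile policy: 2FA is not required at login"
        elif level == HIGH:
            findings[method] = "already High Assurance: login is not challenged for 2FA"
        elif two_factor_is_high:
            findings[method] = "2FA challenge raises the session to High Assurance"
        else:
            findings[method] = "broken: 2FA cannot satisfy the High Assurance requirement"
    return findings


if __name__ == "__main__":
    for method, finding in audit_profile_policy(HIGH, SESSION_LEVELS).items():
        print(f"{method:26} {finding}")
```
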
Users might be prompted to verify their identity with two-factor authentication twice during the OAuth approval flow. The first challenge is on the UI session. The second challenge happens when the access token is bridged into the UI, because the High Assurance session security level isn’t transferred to the access token.