Blog

Enabling MFA in Salesforce

Enabling MFA in Salesforce

This post was written by Kicksaw Solution Architect Andy Szymas and Manager of Solution Architecture Janet Elliott. It was last updated on 11/16/23.

Two Pieces of ID, Please

In today's increasingly complex online environment, a strong multi-factor authentication strategy is extremely important. As of February 2022, Salesforce now requires that you use MFA for your org. MFA is a security policy that requires users to enter two or more pieces of evidence (or factors) to prove they are who they say they are. This is normally one thing you know (i.e. username/password) and one thing you have (i.e. authentication app on your phone).

Kicksaw regularly receives requests for support from clients asking how to enable MFA correctly. We're also getting called in on jobs where the wrong choices were made, resulting in broken integrations. This blog post will help you enable MFA in your org the right way, while keeping your external integrations from erroring.

Enabling MFA in Salesforce

There are two ways to set up MFA in Salesforce:

  1. At the profile or user level with profile settings or permission sets
  2. At the org level with session settings

If you search "how to enable mfa salesforce," the first result is a Salesforce Help article that outlines how to enable MFA via session security levels, which is not recommended due to the risk of breaking API integrations or connections.

This is a risk for clients who may show more initiative and decide to turn on MFA by themselves, without speaking with Kicksaw first, and we put together this quick write-up on the two methods.

Enable MFA at the Profile or User Level (recommended)

You can enable MFA at the profile level with a profile setting or enable it at the user level with a permission set. If you enable via a profile, all users with that profile will be required to use MFA. If you enable via a permission set, you can manage which users get MFA and develop a rollout strategy.

To enable this at the Profile level, go to Settings > Users > Profile and select System Permissions. Select the Multi-Factor Authentication in User Interface setting and mark it to True. Do not select the Multi-Factor Authentication in API setting.

To enable this at the Permission Set level, we recommend creating a permission set just for MFA enablement. Go to Settings > Users > Permission Sets and select New. Name the permission set Enable MFA, then navigate to System Permissions and select Multi-Factor Authentication for User Interface (see above). From here, you have the choice of adding this to your Permission Set Group framework or managing assignments directly on the Permission Set.

Both of these options allow more granular control and allow you to rollout MFA in stages, if necessary.

Enable MFA via Session Settings (not recommended)

You can enable MFA at the Org level using Session Settings as follows:

Go to Setup > Session Settings and move Multi-Factor Authentication to the "High Assurance" category for Session Security Settings.

This is not recommended because it can break API use and logins. Contrary to the Profile or Permission Set methods described above, this method will require MFA on all logins, including logins used for an API Integration or Connected App.

Dedicated Integration Users

You may have user logins that are used solely for API integrations and have the API Only User checkbox set on their profile. If you have these logins and they allow human interaction (i.e. logging in), these do require MFA and you should set this using the Profile or Permission Set option. However, we recommend that you move these to the newer Salesforce Integration user license (there are five free licenses per org for this purpose!). Because these licenses are used solely for API integrations and do not allow for login, they do not require MFA. (P.S. Kicksaw can help you with this also.)

TL:DR

If you're setting up MFA for a client, we recommend using the System Permissions rather than the Session Settings. If a client's API integration suddenly starts failing (with an error such as "Response content: [{'message': 'This session is not valid for use with the REST API', 'errorCode': 'INVALID_SESSION_ID'}]" or similar), verify if the session settings have changed.

We're always happy to help you out with MFA setup or anything to do with your Salesforce setup — just reach out using the Contact Us form at the bottom of this page. Also worth noting: Salesforce offers a Trailhead Quick Start to walk you through the process, if you want to work through that.

No items found.
No items found.