
Preparing for Salesforce Phishing-Resistant MFA

FJB Digital Client Advisory - Updated June 2026

Executive Summary

Salesforce is introducing mandatory phishing-resistant Multi-Factor Authentication (MFA) for privileged users and administrators. Organisations should review administrator access, enable compliant authentication methods, register users and complete testing before enforcement dates.

Background and Timeline

Salesforce is rolling out enhanced security controls to reduce phishing, account takeover and data exfiltration risks.

Unlike previous MFA requirements, privileged users must use phishing-resistant authentication methods. Standard authenticator apps, push approvals and one-time codes will no longer be sufficient for these accounts: a code or approval can be relayed through a phishing page to the real login, whereas a FIDO2/WebAuthn credential is bound to the site's domain and the browser will not exercise it for a lookalike domain.

Key enforcement dates:

  • Sandbox enforcement begins from 22 June 2026
  • Production enforcement begins from 1 July 2026

Who Is Affected?

The new requirement applies to users with the System Administrator profile or users granted any of the following permissions, whether through a profile or a permission set:

  • Modify All Data
  • View All Data
  • Customize Application
  • Author Apex

Authentication Method Comparison

Recommended phishing-resistant methods:

  • Windows Hello (registered in Salesforce as a built-in authenticator)
  • Touch ID / Face ID (registered in Salesforce as a built-in authenticator)
  • Passkeys
  • YubiKey / FIDO2 security keys

Not sufficient for privileged users:

  • Salesforce Authenticator (push approvals and codes)
  • Microsoft Authenticator codes
  • Google Authenticator codes
  • SMS codes
  • Email verification
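The property that separates the two lists above is origin binding. When a browser asks a security key or built-in authenticator to sign in, it writes the page's origin into the signed client data and hashes the site's RP ID into the authenticator data; the server then refuses anything made for a different site. A one-time code carries no such binding, so a phishing page can simply forward it. The following is an added example, not Salesforce code and not part of the original advisory: it implements the relying-party checks that enforce that binding (ceremony type, challenge, origin and rpIdHash) and shows a genuine login passing while a relayed assertion from a lookalike domain and a replayed assertion both fail. The RP ID and origin values are assumptions for illustration, the authenticator data is the minimal 37-byte form, and the signature check that follows these steps in a real verifier is omitted because it needs the credential's public key.

```python
import base64
import hashlib
import json
import secrets

# Assumed values for illustration; the advisory does not state the RP ID Salesforce uses.
RP_ID = "login.salesforce.com"
EXPECTED_ORIGIN = "https://" + RP_ID


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def browser_client_data(challenge: bytes, page_origin: str) -> bytes:
    """clientDataJSON as the browser constructs it. The origin is filled in by the
    browser from the page that called navigator.credentials.get(); page script
    cannot change it, so a phishing page always stamps its own origin."""
    return json.dumps({
        "type": "webauthn.get",
        "challenge": b64url(challenge),
        "origin": page_origin,
    }).encode()


def authenticator_data(rp_id: str, sign_count: int = 1) -> bytes:
    """Minimal authenticatorData: SHA-256(rpId) || flags || signCount.
    Flags 0x05 = user present + user verified."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + sign_count.to_bytes(4, "big")


def verify_assertion(client_data_json: bytes, auth_data: bytes, issued_challenge: bytes) -> tuple[bool, str]:
    """Relying-party checks that bind an assertion to this site and this login attempt.
    A real verifier then checks the signature over authData || SHA-256(clientDataJSON)
    with the stored public key; that step is omitted here."""
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(client_data.get("challenge", "")) != issued_challenge:
        return False, "challenge mismatch: stale or replayed assertion"
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: assertion was made for {client_data.get('origin')!r}"
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch: credential scoped to a different RP ID"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


def demo() -> dict:
    challenge = secrets.token_bytes(32)  # the real server issues one per login attempt

    # 1. Genuine login on the real site.
    genuine = verify_assertion(
        browser_client_data(challenge, EXPECTED_ORIGIN),
        authenticator_data(RP_ID),
        challenge,
    )

    # 2. Adversary-in-the-middle phishing: a proxy on a lookalike domain forwards the
    #    genuine challenge to the victim. The browser stamps the lookalike origin, and
    #    because a page may only name its own domain as rpId, the authenticator would
    #    look for a credential scoped to the lookalike and find none. Even if it did
    #    produce something, the relying party rejects it.
    relayed = verify_assertion(
        browser_client_data(challenge, "https://login-salesforce.example"),
        authenticator_data("login-salesforce.example"),
        challenge,
    )

    # 3. Replay of a captured genuine assertion against a later login attempt.
    replayed = verify_assertion(
        browser_client_data(challenge, EXPECTED_ORIGIN),
        authenticator_data(RP_ID),
        secrets.token_bytes(32),
    )
    return {"genuine": genuine, "relayed": relayed, "replayed": replayed}


if __name__ == "__main__":
    for name, (accepted, reason) in demo().items():
        print(f"{name:9s} accepted={accepted} ({reason})")
```

Contrast this with a six-digit code: the relying party receives only the digits, which contain nothing about where the user typed them, so the same relay that fails at the origin check above succeeds unchanged.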

FJB Digital Recommended Approach

For most organisations, we recommend using a built-in authenticator as the primary login method, with a physical security key as a backup.

Primary authentication:

  • Windows Hello on Windows devices
  • Touch ID or Face ID on Apple devices
  • Registered separately on every device used to access Salesforce

Backup authentication:

  • One YubiKey registered against the account

This approach provides strong security, a straightforward user experience and a recovery option if a device becomes unavailable. Keep the backup key apart from the laptop it backs up, and record who holds it.

Administrator Preparation Checklist

  1. Review who genuinely requires administrator access.
  2. Review permission sets granting elevated permissions.
  3. Enable phishing-resistant authentication methods in Salesforce.
  4. Decide the authentication approach to be adopted.
  5. Register authenticators for each privileged user.
  6. Test sandbox and production access.
  7. Confirm all privileged users can authenticate successfully.

Enable Required Salesforce Settings

Before users can register compliant authentication methods, the relevant verification options must be enabled in Salesforce.

Navigate to:

Setup > Identity Verification

Enable the following settings:

  • Let users verify their identity with a built-in authenticator such as Touch ID or Windows Hello
  • Let users verify their identity with a physical security key (U2F or WebAuthn)

Obtaining a YubiKey

A YubiKey is a small physical security key that can be used as a phishing-resistant authentication method. It can connect by USB and, depending on the model, NFC.

Recommended models include:

  • YubiKey 5 NFC
  • YubiKey 5C NFC

When purchasing a security key, ensure it supports FIDO2 and WebAuthn.

Registering a YubiKey

Once security keys have been enabled in Salesforce, users can register a YubiKey from their personal settings.

Navigate to:

Settings > My Personal Information > Advanced User Details

Under Security Key (U2F or WebAuthn), select Register and follow the prompts.

Use a clear name for the key, for example:

  • Primary YubiKey
  • Backup YubiKey

Registering Built-In Authenticators

Built-in authenticators use the security features already available on a device, such as Windows Hello, Touch ID or Face ID.

Navigate to:

Settings > My Personal Information > Advanced User Details

Under Built-In Authenticators, select Add and follow the prompts to register the device.

Register Every Device

Built-in authenticators are device-specific. If Salesforce is accessed from multiple devices, registration should be completed on each device.

This may include:

  • Primary laptop
  • Secondary laptop
  • Desktop PC
  • Home working device

Once enforcement begins, a privileged user signing in from an unregistered device cannot use a built-in authenticator there and will need a registered security key to complete login; without one, the user is locked out of that device until it is registered.

Testing

Before enforcement, privileged users should test access using the chosen authentication methods.

  • Test Windows Hello or Touch ID authentication
  • Test YubiKey authentication
  • Test sandbox login
  • Test production login
  • Verify administrator recovery options: confirm that more than one administrator holds a compliant method, and that an administrator can disconnect a lost key or device from the user's record in Setup so it can be re-registered

Can I continue using Salesforce Authenticator?

No, not for privileged users. Neither Salesforce Authenticator's codes nor its push approvals satisfy Salesforce's phishing-resistant MFA requirement, because both can be relayed through a phishing page.

Do I need a YubiKey?

Not necessarily, but we recommend one as a backup authentication method.

Will my current authenticator continue to work?

Yes, until the enforcement date for each environment (sandbox from 22 June 2026, production from 1 July 2026). Until then it will work alongside your new authentication methods.

Do I need to register every device?

Yes. Built-in authenticators are registered per device, so each device used to access Salesforce should be registered separately.

Summary

Salesforce's new phishing-resistant MFA requirements represent a significant change for administrator accounts.

Organisations should now:

  • Review privileged access
  • Enable phishing-resistant MFA methods
  • Register built-in authenticators on every device
  • Register a YubiKey or equivalent security key as a backup
  • Complete testing before enforcement begins

Taking these steps now will help avoid disruption when Salesforce begins enforcing the new administrator security requirements.

Looking for Help?

FJB Digital delivers Salesforce Business Analysis, Strategy and Solutions.

About the author

FJB Digital

Salesforce, Microsoft & Umbraco Partner.
