As of February 1, 2022, Salesforce requires all customers to use multi-factor authentication (MFA) when accessing Salesforce products. To help customers meet this requirement, Salesforce is automatically enabling MFA for production orgs in several phases via the MFA Auto-Enablement Release Update. For orgs in the first phase, MFA is auto-enabled with Spring ’23. For orgs in the second phase, MFA is auto-enabled with Summer ’23.
Where: This change applies to Lightning Experience, Salesforce Classic, and all Salesforce mobile apps in all editions.
When: To know when your production org is affected, monitor the Release Update node in Setup for the MFA Auto-Enablement Release Update.
- Phase 1 orgs: The release update for this phase was made available in Winter ’23 and goes into effect with Spring ’23. To get the major release upgrade date for your instance, go to Trust Status, search for your instance, and click the maintenance tab. Note that the MFA release update usually takes effect at the time your org is updated to Spring ’23, but in some cases there could be a delay of several hours to a few days before MFA is auto-enabled for your users.
- Phase 2 orgs: If you see the release update after Spring ’23 finishes rolling out, your org is scheduled to be auto-enabled with Summer ’23. In rare cases, it can take several weeks for the update to appear after the Spring ’23 release is complete.
- For orgs not included in phase 1 or 2, the release update will be available in a later release.
How: The release update automatically turns on this setting: Require multi-factor authentication (MFA) for all direct UI logins to your Salesforce org. Users who have the Multi-Factor Authentication for User Interface Logins user permission experience no changes.
When MFA is turned on for your org, the process for logging in to the UI changes. After a user enters their username and password, they must verify their identity with an MFA verification method such as an authenticator app, security key, or built-in authenticator. If users haven’t done so already, they’re prompted to register a verification method the next time they log in after this release update goes into effect.
To prepare for this update, we recommend taking these steps.
- Verify whether your org has exempt user types that need to be manually excluded from MFA before MFA auto-enablement occurs. See Exclude Exempt Users from MFA in Salesforce Help.
- Train your users on how to acquire, register, and log in with MFA verification methods. See Change Management for a Successful MFA Rollout for guidance and customizable templates.
If your users aren’t prepared to start using MFA when Salesforce auto-enables it, you have two options.
- Your users can skip MFA registration for 30 days and can log in as usual. This grace period begins on the day the org is auto-enabled, and the same 30-day window applies to all users in the org. For example, if a user logs in five days after their org was auto-enabled, 25 days remain before they’re required to register for MFA.
- In the unlikely event that users experience issues with MFA, you can temporarily disable it. But keep in mind that when your org reaches the MFA enforcement milestone in the future, Salesforce will re-enable MFA and the option to disable it will be removed.
  - From Setup, in the Quick Find box, enter Identity, and then select Identity Verification.
  - Deselect Require multi-factor authentication (MFA) for all direct UI logins to your Salesforce org.
  - Save your changes.
MFA Auto-Enablement: Find Out When and How Your Org Is Affected (Release Update) (salesforce.com)
