As we previously communicated, the contractual requirement to use multi-factor authentication (MFA) for Salesforce products is in full effect as of February 1, 2022. To help customers satisfy this requirement, Salesforce automatically enabled MFA for direct logins to existing production orgs. And starting April 2024, MFA is turned on by default for new production orgs. Because of high MFA adoption rates for products built on the Salesforce Platform, we’re shifting to a new notification model instead of enforcing MFA in Summer ’24.
Where: This change applies to Lightning Experience, Salesforce Classic, and all Salesforce mobile apps in all editions.
When: Salesforce completes auto-enabling MFA for customers’ orgs in Spring ’24. MFA non-compliance notifications are targeted to begin in Summer ’24, in lieu of the MFA enforcement milestone that was scheduled for the same release.
Why: The Salesforce program to automatically enable MFA has been extremely successful thanks to the partnership of our customers and their commitment to safeguarding user account access. Because of high adoption rates, and to be respectful of your time and resources, we’re shifting away from the original plan to technically enforce MFA. Instead, we’re implementing in-app notifications that appear if MFA has been disabled for a Salesforce org.
How: With upcoming MFA notifications, admins start receiving in-app messages if the “Require multi-factor authentication (MFA) for all direct UI logins to your Salesforce org” setting is disabled after Salesforce turns it on for your production org. These recurring messages warn that the org is out of compliance with the contractual MFA requirement and provide guidance on how to re-enable MFA. More details are coming in the Salesforce Summer ’24 Release Notes.
MFA Enforcement for Salesforce Orgs Is Shifting to In-App Notifications Starting in Summer ’24