Newer Version Available

This content describes an older version of this product. View Latest

Set Up Two-Factor Authentication

Admins enable two-factor authentication through permissions or profile settings. Users register devices for two-factor authentication—such as mobile authenticator apps or U2F security keys—through their own personal settings.
Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience
Available in: Essentials, Group, Professional, Enterprise, Performance, Unlimited, Developer, and Contact Manager Editions

You can customize two-factor authentication in the following ways.
  • Require it for every login. Set the two-factor login requirement for every time the user logs in to Salesforce. You can also enable this feature for API logins, which includes the use of client applications like the Data Loader. For more information, see Set Two-Factor Authentication Login Requirements or Set Two-Factor Authentication Login Requirements for API Access.
  • Use “stepped up” authentication (also known as “high assurance” authentication). Sometimes you don’t need two-factor authentication for every user’s login, but you want to secure certain resources. If the user tries to use a connected app or reports, Salesforce prompts the user to verify identity. For more information, see Session Security Levels.
  • Use profile policies and session settings. First, in the user profile, set Session security level required at login to High Assurance. Then set session security levels in your org’s session settings to apply the policy for particular login methods. In your org’s session settings, review the session security levels to make sure that Two-Factor Authentication is in the High Assurance column. For more information, see Set Two-Factor Authentication Login Requirements and Custom Policies for Single Sign-On, Social Sign-On, and Communities.

    If Two-Factor Authentication is in the Standard column, users get an error when they log in with a method that grants standard-level security.

    Warning

    Only authentication flows that include a user approval step support using API logins with the High Assurance session security level. These flows are the OAuth 2.0 refresh token flow, web server flow, and user-agent flow. All other flows, such as the JSON Web Token (JWT) bearer token flow, don’t include a user approval step. For flows without a user approval step, API logins with the High Assurance session security level are blocked.

    Users might be prompted to verify their identity with two-factor authentication twice during the OAuth approval flow. The first challenge is on the UI session. The second challenge happens when the access token is bridged into the UI, because the High Assurance session security level isn’t transferred to the access token.

  • Use login flows. Use the Flow Designer and profiles to build post-authentication requirements as the user logs in, including custom two-factor authentication processes. For more information, see the following examples.