Newer Version Available
Set Multi-Factor Authentication Login Requirements for API Access
| Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience |
| Available in: Essentials, Contact Manager, Database.com, Developer, Enterprise, Group, Performance, Professional, and Unlimited Editions |
| User Permissions Needed | |
|---|---|
| To edit system permissions in profiles: | Manage Profiles and Permission Sets |
| To enable this feature: | Multi-Factor Authentication for User Interface Logins |
The Multi-Factor Authentication for User Interface Logins permission is a prerequisite for the Multi-Factor Authentication for API Logins permission. Users with these permissions must complete MFA when they log in to Salesforce through the UI. Users with mobile devices can use the Salesforce Authenticator mobile app or a third-party authenticator app as a verification method for MFA. Then they can use verification codes (time-based one-time passwords, or TOTP) from the app to complete MFA.
For developer tools that use API logins, users log in with a security token or TOTP instead of Salesforce Authenticator when MFA is enabled.
For connected apps, only the OAuth 2.0 refresh token flow, web server flow, and user-agent flows support using API logins with the high assurance MFA session security level. All other OAuth flows, such as the JSON Web Token (JWT) bearer token flow, block API logins with the high assurance MFA session security level. It’s possible that users are prompted to verify their identity twice with high assurance MFA during an OAuth approval flow. The first challenge occurs in the UI session. The second challenge happens when the access token is bridged into the UI. This second challenge is triggered because the high assurance MFA session security level isn’t transferred to the access token. For more information, see Session Security Levels and Enable MFA with Session Security Levels.