How to Prepare Your Salesforce Org for Salesforce's New Phishing-Resistant MFA Requirement

Salesforce is enforcing phishing-resistant MFA for administrators and privileged users. Learn who is affected, key deadlines, and how higher education institutions can prepare.

Redpath Team · June 12, 2026 · 4 min read

Protecting constituent data has never been more important. Whether you’re managing student records, donor information, research data, or institutional operations, security expectations continue to evolve.

To strengthen protection against increasingly sophisticated phishing attacks, Salesforce is introducing a new phishing-resistant multi-factor authentication (MFA) requirement for users with elevated system access.

While the change impacts a relatively small group of users, institutions should begin preparing now to avoid disruption when enforcement begins this summer.

Here’s what is changing, who is affected, and what steps you can take today to ensure a smooth transition.

What is Changing?

Today, most users verify their identity at login with “standard” MFA methods: the Salesforce Authenticator app or a third-party time-based one-time password (TOTP) app such as Google Authenticator. (Salesforce does not accept SMS text codes, email codes, or phone calls as MFA verification methods.)

Those methods are fine for general users, but a one-time code can be phished: an attacker who lures a user to a look-alike login page can relay the code to the real site in real time. To close that gap, Salesforce is enforcing phishing-resistant MFA for users with the highest levels of access. Standard authenticator apps will no longer satisfy MFA for these users. Instead, they will be required to use Passkeys, which are FIDO2/WebAuthn credentials bound to the Salesforce login origin, so a look-alike page cannot obtain a usable response. Passkeys include:

  • Built-In Authenticators: Verification tools tied directly to your device, such as Apple’s Touch ID / Face ID or Windows Hello.
  • Security Keys: Physical hardware keys, such as a YubiKey, that plug into your computer’s USB port or connect over NFC.

The goal is straightforward: reduce the risk that a privileged user account could be compromised through phishing, credential theft, or social engineering attacks.

When does this happen?

This requirement will be enforced on a rolling basis, starting June 22, 2026, for Sandbox environments and July 1, 2026, for Production environments.

Who is affected?

Most Salesforce users will not be impacted by this change. The requirement specifically applies to privileged users with elevated administrative or system-level access. You will need to use a Passkey to log in if your user record is assigned, whether through its profile or through any permission set or permission set group:

  • The System Administrator profile
  • The Modify All Data permission
  • The View All Data permission
  • The Customize Application permission
  • The Author Apex permission

If a user with these permissions tries to log in using a standard authenticator app after the enforcement date, they will be blocked from accessing Salesforce until they register a compliant Passkey.

A Silver Lining: Passwordless Login

While a new security mandate might sound like a headache, there is a real benefit to this update: faster logins. Because a passkey already proves possession of the registered device plus a local biometric or PIN check, Salesforce allows you to enable “Passwordless Login.” Once enabled, your admins can skip typing their password entirely. They simply enter their username, use their computer’s fingerprint scanner or facial recognition, and they are logged in. It’s a win for both security and convenience.

Your 5-Step Action Plan

To prevent your administrators from getting locked out this July, we recommend taking the following steps as soon as possible:

  1. Audit Your Users

Review your Salesforce users and identify anyone with the System Administrator profile or any of the specific permissions listed above. Check permission sets and permission set groups as well as profiles, since the listed permissions can be granted through any of them. Identify impacted users and communicate the upcoming changes well in advance of the enforcement dates.

  2. Enable Passkeys in Your Org

You will need to ensure your org allows these new login methods.

  • Go to Setup, type “Identity Verification” into the Quick Find box, and select it.
  • Ensure the options for Built-In Authenticators and Security Keys are checked and enabled.

  3. Turn On Passwordless Login

While you are on the Identity Verification page, scroll to the General section and check the box for “Allow passwordless login with passkeys.” Click Save.

  4. Check Your Single Sign-On (SSO) Settings

If your institution uses a Single Sign-On provider (like Okta or Microsoft Entra) to log into Salesforce, this requirement still applies. Your SSO provider must be configured to pass specific “phishing-resistant” signals to Salesforce. If it doesn’t, your admins will be prompted to register a Passkey directly within Salesforce, even if they logged in via SSO.

  5. Have Privileged Users Pre-Register

Don’t wait for the enforcement date! Have your admins and privileged users register their built-in authenticators or security keys now. They can do this by navigating to their personal settings, finding “Advanced User Details,” and registering a Built-In Authenticator or Security Key. Encourage each of them to register a second method as well (for example, a security key alongside a built-in authenticator), so that a lost or replaced laptop does not lock an administrator out.

(Note: If you currently use the “Waive Multi-Factor Authentication for Exempt Users” permission for automated testing tools or similar use cases, this waiver will be disabled upon enforcement. You must contact Salesforce Support to retain this exemption.)
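As an added example that is not part of the original post and is not Redpath’s or Salesforce’s own tooling, the script below covers the audit in step 1 and the pre-registration check in step 5 together. It holds two SOQL queries you can run with the Salesforce CLI, and a small report that lists which active users are in scope and why, and which of those users has not yet registered a passkey. The object and field names (PermissionSetAssignment, PermissionSet, TwoFactorMethodsInfo and their permission flags) are taken from the Salesforce object reference but are an assumption you should verify against your org’s API version; the sample CLI output embedded in the script is constructed, not from a real org.

```python
"""Readiness check for Salesforce's phishing-resistant MFA requirement.

Run the two SOQL queries below with the Salesforce CLI, e.g.
    sf data query --query "$SOQL" --json --target-org my-org > out.json
then feed the JSON to this script to get (1) every active user in scope for the
requirement, with the reason, and (2) the subset that has not yet registered a passkey.
"""
import json

# Assumption: object, field and relationship names as given in the Salesforce
# object reference (PermissionSetAssignment, PermissionSet, TwoFactorMethodsInfo).
# Verify them against your org's API version before relying on the results.
PRIVILEGED_ASSIGNMENTS_SOQL = """
SELECT AssigneeId, Assignee.Username, PermissionSet.Label, PermissionSet.IsOwnedByProfile,
       PermissionSet.Profile.Name, PermissionSet.PermissionsModifyAllData,
       PermissionSet.PermissionsViewAllData, PermissionSet.PermissionsCustomizeApplication,
       PermissionSet.PermissionsAuthorApex
FROM PermissionSetAssignment
WHERE Assignee.IsActive = true
  AND (PermissionSet.Profile.Name = 'System Administrator'
       OR PermissionSet.PermissionsModifyAllData = true
       OR PermissionSet.PermissionsViewAllData = true
       OR PermissionSet.PermissionsCustomizeApplication = true
       OR PermissionSet.PermissionsAuthorApex = true)
"""

# Which passkey types each user has registered (a missing row means nothing registered).
PASSKEY_STATUS_SOQL = "SELECT UserId, HasBuiltInAuthenticator, HasSecurityKey FROM TwoFactorMethodsInfo"

REASON_FIELDS = {
    "PermissionsModifyAllData": "Modify All Data",
    "PermissionsViewAllData": "View All Data",
    "PermissionsCustomizeApplication": "Customize Application",
    "PermissionsAuthorApex": "Author Apex",
}


def records(cli_json_text):
    """Pull the record list out of `sf data query --json` output."""
    return json.loads(cli_json_text)["result"]["records"]


def privileged_users(assignment_records):
    """Collapse one row per assignment into one entry per user, listing why the user is in scope.

    Profile grants and permission-set grants both appear as PermissionSetAssignment rows
    (a profile's permissions live in a permission set with IsOwnedByProfile = true).
    """
    users = {}
    for rec in assignment_records:
        ps = rec["PermissionSet"]
        profile = (ps.get("Profile") or {}).get("Name")
        source = f"profile {profile}" if ps.get("IsOwnedByProfile") else f"permission set {ps['Label']}"
        reasons = set()
        if ps.get("IsOwnedByProfile") and profile == "System Administrator":
            reasons.add("System Administrator profile")
        reasons.update(f"{label} via {source}" for field, label in REASON_FIELDS.items() if ps.get(field))
        entry = users.setdefault(rec["AssigneeId"], {"username": rec["Assignee"]["Username"], "reasons": set()})
        entry["reasons"] |= reasons
    return users


def passkey_gaps(users, mfa_records):
    """Usernames of in-scope users with neither a built-in authenticator nor a security key registered."""
    registered = {r["UserId"] for r in mfa_records if r.get("HasBuiltInAuthenticator") or r.get("HasSecurityKey")}
    return sorted(u["username"] for uid, u in users.items() if uid not in registered)


# Constructed sample output in the shape `sf data query --json` returns (not from a real org).
SAMPLE_ASSIGNMENTS_JSON = json.dumps({"status": 0, "result": {"totalSize": 4, "done": True, "records": [
    {"AssigneeId": "005xx000000001AAA", "Assignee": {"Username": "admin@example.edu"},
     "PermissionSet": {"Label": "System Administrator", "IsOwnedByProfile": True,
                       "Profile": {"Name": "System Administrator"}, "PermissionsModifyAllData": True,
                       "PermissionsViewAllData": True, "PermissionsCustomizeApplication": True,
                       "PermissionsAuthorApex": True}},
    {"AssigneeId": "005xx000000001AAA", "Assignee": {"Username": "admin@example.edu"},
     "PermissionSet": {"Label": "Release Manager", "IsOwnedByProfile": False, "Profile": None,
                       "PermissionsModifyAllData": False, "PermissionsViewAllData": False,
                       "PermissionsCustomizeApplication": False, "PermissionsAuthorApex": True}},
    {"AssigneeId": "005xx000000002AAA", "Assignee": {"Username": "dataops@example.edu"},
     "PermissionSet": {"Label": "Data Loader Operators", "IsOwnedByProfile": False, "Profile": None,
                       "PermissionsModifyAllData": True, "PermissionsViewAllData": True,
                       "PermissionsCustomizeApplication": False, "PermissionsAuthorApex": False}},
    {"AssigneeId": "005xx000000003AAA", "Assignee": {"Username": "dev@example.edu"},
     "PermissionSet": {"Label": "Apex Developers", "IsOwnedByProfile": False, "Profile": None,
                       "PermissionsModifyAllData": False, "PermissionsViewAllData": False,
                       "PermissionsCustomizeApplication": True, "PermissionsAuthorApex": True}},
]}})
SAMPLE_MFA_JSON = json.dumps({"status": 0, "result": {"totalSize": 2, "done": True, "records": [
    {"UserId": "005xx000000001AAA", "HasBuiltInAuthenticator": True, "HasSecurityKey": False},
    {"UserId": "005xx000000002AAA", "HasBuiltInAuthenticator": False, "HasSecurityKey": False},
]}})


def readiness_report(assignments_json=SAMPLE_ASSIGNMENTS_JSON, mfa_json=SAMPLE_MFA_JSON):
    """Return (in-scope users keyed by user Id, usernames still missing a passkey)."""
    users = privileged_users(records(assignments_json))
    return users, passkey_gaps(users, records(mfa_json))


if __name__ == "__main__":
    users, gaps = readiness_report()
    for uid, u in sorted(users.items(), key=lambda kv: kv[1]["username"]):
        print(f"{u['username']}: " + "; ".join(sorted(u["reasons"])))
    print("Still without a passkey:", ", ".join(gaps) or "none")
```

On the sample data the report lists three in-scope users (the admin appears once even though two assignments put them in scope) and flags dataops@example.edu and dev@example.edu as still lacking a passkey: one has only a standard authenticator registered, the other has no TwoFactorMethodsInfo row at all. A user assigned a permission set group also shows up as PermissionSetAssignment rows; if you use muting permission sets, confirm the group’s effective permissions rather than trusting the component sets. Re-run the check shortly before each enforcement date, since registrations and permission assignments change.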

Need help preparing?

Security requirements continue to evolve, and many institutions are balancing these changes alongside competing priorities.

Redpath helps higher education institutions assess Salesforce security configurations, prepare administrators for upcoming platform changes, and navigate complex identity and access management requirements.

If you’d like assistance evaluating your readiness for Salesforce’s phishing-resistant MFA requirement, our team would be happy to help.
