Salesforce MFA Enforcement Is Tightening — Is Your Org Actually Ready?
If you run a Salesforce org, multi-factor authentication isn't optional anymore — and it hasn't been for a while. What's changed recently is how strictly Salesforce is enforcing it, which verification methods are still allowed, and how easily a small misconfiguration can lock half your team out on a Monday morning.

We've been helping clients get ahead of these changes, and a pattern has emerged: most orgs think they're compliant until enforcement tightens and something breaks. This post walks through what's actually changing, who's most at risk, and the practical checklist for getting your org in order.
What's actually changing with Salesforce MFA
Salesforce originally rolled MFA out as a contractual requirement back in 2022. Since then, the platform has progressively closed loopholes and removed weaker authentication methods. Three things in particular are worth paying attention to right now.
1. SMS and email verification are being phased out
For years, users could satisfy MFA by receiving a one-time code via text message or email. That's no longer considered secure enough. Salesforce now expects users to verify through an authenticator app or a physical security key — and orgs still relying on SMS or email-based verification are exposed.
2. A push toward the built-in Salesforce Authenticator app
Third-party authenticators like Google Authenticator or Authy still work for time-based one-time passwords (TOTP), but Salesforce has been actively promoting its own mobile app. The Salesforce Authenticator app offers push approvals, location-based auto-approve, and a smoother login flow that's harder to fumble.
3. Tighter enforcement on edge cases
Orgs that had carve-outs for certain users, login flows that bypassed MFA under specific conditions, or service accounts that were never properly enrolled are finding those gaps closed. If a user authenticates without MFA today, that login is increasingly going to fail tomorrow.
Who's most at risk of disruption
Not every org is equally exposed. The ones most likely to experience a painful rollout are:
- Orgs with users still on SMS or email verification. These users will need to migrate to an authenticator app or a security key. If that migration isn't planned, they'll hit the change cold and start calling for help.
- Teams that log into multiple Salesforce orgs. Consultants, agencies, and family businesses with multiple Salesforce instances tend to have users juggling many enrollments. One missed enrollment is one locked-out user.
- Orgs with older login flows. Custom login flows built years ago sometimes contained logic that effectively bypassed MFA under certain conditions. Those bypasses are no longer reliable.
- Orgs where MFA was rolled out quickly without communication. Users who don't understand why they suddenly need an app on their phone push back, find workarounds, or just stop logging in. Adoption suffers.
The common pitfalls we see
Most MFA problems don't come from Salesforce — they come from how the rollout was handled internally. The mistakes we see most often:
- Assuming "we already did MFA" without auditing who's actually enrolled. Until you check, you don't know.
- Treating MFA as a one-time project instead of an ongoing standard. New hires get onboarded without proper enrollment, and the gap grows over time.
- No fallback plan for lost devices. Someone breaks their phone on a Friday, can't log in on Monday, and an admin loses the morning to recovery. Temporary verification codes and backup methods need to be documented and ready before they're needed.
- Permission sets that conflict with MFA enforcement. A user granted the wrong permission set can end up exempt from MFA without anyone realizing it.
- Ignoring integration users. Service accounts and integration users have their own MFA considerations — usually exemptions, but those need to be configured deliberately, not by accident.
A practical MFA readiness checklist
Whether you're doing this yourself or bringing in help, here's the checklist that covers the bases.
Audit your current state
- Pull a report of all active users and their current MFA enrollment status
- Identify who's still on SMS or email verification
- Identify any users without MFA configured at all
- Review your login flows for any logic that conditionally skips MFA
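The audit step above is the one that most often gets skipped because "we already did MFA." The script below is an added example, not something from the original post or from AeyeCRM: it takes an exported report of active users with their per-user verification-method flags and sorts them into the three buckets the checklist asks for (enrolled on an app or key, still on SMS/email only, not enrolled at all). The column names follow Salesforce's TwoFactorMethodsInfo object as we understand it; treat them as an assumption and confirm them against your own org's schema. The CSV rows are constructed sample data, and the same script can be rerun for the quarterly review.

```python
"""
Classify Salesforce users by MFA enrollment state from an exported report.

Assumption: the export joins User (Username, IsActive) with the per-user
verification flags from TwoFactorMethodsInfo. Verify the column names
against your org before relying on the results.
"""
import csv
import io
from collections import Counter

# Constructed sample export (not real org data), one row per user.
SAMPLE_EXPORT = """\
Username,IsActive,HasSalesforceAuthenticator,HasTotp,HasU2F,HasBuiltInAuthenticator,HasTempCode,HasUserVerifiedMobileNumber,HasUserVerifiedEmailAddress
alice@example.com,true,true,false,false,false,false,true,true
bob@example.com,true,false,false,false,false,false,true,false
carol@example.com,true,false,true,false,false,false,false,true
dave@example.com,true,false,false,false,false,false,false,false
erin@example.com,true,false,false,false,false,true,false,false
frank@example.com,false,false,false,false,false,false,true,false
grace@example.com,true,false,false,true,false,false,false,true
"""

# Methods that satisfy MFA under the tightened requirements: authenticator
# app (Salesforce or TOTP), security key, or a device's built-in authenticator.
STRONG_METHODS = (
    "HasSalesforceAuthenticator",
    "HasTotp",
    "HasU2F",
    "HasBuiltInAuthenticator",
)
# Methods being phased out: SMS to a verified mobile number, or email.
LEGACY_METHODS = ("HasUserVerifiedMobileNumber", "HasUserVerifiedEmailAddress")


def _flag(row, name):
    """Read a boolean column from the export; missing columns count as false."""
    return row.get(name, "").strip().lower() == "true"


def classify(row):
    """Return 'ready', 'legacy_only', or 'not_enrolled' for one user row."""
    if any(_flag(row, m) for m in STRONG_METHODS):
        return "ready"
    if any(_flag(row, m) for m in LEGACY_METHODS):
        return "legacy_only"
    # A temporary verification code alone is a fallback an admin issued,
    # not an enrollment, so a user with only HasTempCode lands here.
    return "not_enrolled"


def audit(csv_text):
    """Return (counts, users_by_state) over active users in the export."""
    by_state = {"ready": [], "legacy_only": [], "not_enrolled": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not _flag(row, "IsActive"):
            continue  # deactivated users can't log in, so they aren't a rollout risk
        by_state[classify(row)].append(row["Username"])
    counts = Counter({state: len(users) for state, users in by_state.items()})
    return counts, by_state


if __name__ == "__main__":
    counts, by_state = audit(SAMPLE_EXPORT)
    # Print the two groups that need action first.
    for state in ("not_enrolled", "legacy_only", "ready"):
        print(f"{state:>13}: {counts[state]}")
        for username in by_state[state]:
            print(f"{'':>15}{username}")
```

The "legacy_only" list is your SMS/email migration population, and "not_enrolled" is the group that will hit enforcement cold. Deactivated users are skipped on purpose; if you want them in the report anyway (say, to catch accounts that should be reactivated later), drop the IsActive check.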
Plan the migration
- Decide your standard: Salesforce Authenticator app for most users, security keys for high-privilege users, TOTP apps as a fallback
- Document your fallback plan for lost or broken devices
- Draft user communication explaining the change and what they need to do
- Set a hard cutover date and communicate it twice — once a few weeks ahead, once a few days ahead
Execute the rollout
- Provide step-by-step enrollment instructions (with screenshots) for your chosen authenticator
- Run an enrollment session for any team members who'd rather walk through it live
- Enable MFA enforcement once enrollment is verified for all users
- Have an admin available for the first few days post-enforcement to handle any lockouts quickly
Maintain over time
- Add MFA enrollment as a step in your new-hire onboarding checklist
- Review enrollment status quarterly
- Reassess any time Salesforce announces new authentication-related changes
When to bring in outside help
If you're a Salesforce admin, or you've got someone internal who can lead this, the checklist above is the playbook. It's not rocket science — just methodical work that has to be done right the first time.
If you don't have someone internal, or this isn't where you want your team spending their hours, that's where we come in. At AeyeCRM, we've been running MFA readiness reviews and rollouts for small businesses and family-operated companies — including consultancies that manage Salesforce across multiple client orgs. We'll audit what's in place, scope the migration, communicate the change to your team, and stay available during the cutover to handle any issues.
How to reach us
If your team is dealing with any of the issues above — or you'd just like a second opinion on whether your org is set up the right way — we'd be glad to talk. A quick call usually gets us to a clear scope and a fixed quote within a day or two.
Reach Philip at philip@aeyecrm.com or get in touch through our Contact Us Page.
We work primarily with small and family-operated businesses on Salesforce setup, customization, integration, and operational improvements — and we'd be happy to help.
About AeyeCRM. AeyeCRM is an Austin-based Salesforce consultancy specializing in setup, customization, automation, and integration for small businesses and family-operated companies. We help teams get more out of Salesforce without overcomplicating it.