Salesforce is enforcing stronger MFA requirements come June 2026 – act now!

Last week I presented together with a colleague at Salesforce World Tour in Oslo, Norway, on Salesforce security. Among other things, we covered the upcoming changes to the MFA (multi-factor authentication) requirements for internal user logins to Salesforce Sales and Service Cloud. This sparked a lot of discussion after the session, so it seems more focus on this is needed. There are a number of things you should make a note of and act on if you’re a Salesforce administrator:

  1. This applies to both production environments (orgs) and sandbox environments
  2. The employed MFA must be strong, i.e. email and SMS are not enough
  3. Even if MFA is performed at an identity provider, it will only be recognized by Salesforce if signaled using the industry-standard amr / acr claims
  4. There are even stronger MFA requirements for admins / privileged users, i.e. users with the Modify All Data, View All Data, Author Apex or Customize Application permissions
  5. This applies only to logins through the user interface, i.e. OAuth flows without any user interface component are not affected (e.g. the client_credentials flow)
  6. Ensure your contact details are up to date with Salesforce and that you monitor and act on communication from Salesforce

I’ve created a script to help you find the privileged users, as the permissions may be assigned using profiles, permission sets or permission set groups. The script is in my salesforce-mfa-requirement GitHub repo.

The simple and easy solution for enterprise customers is to ensure the IdP sends the required claims to Salesforce and use passkeys for sandbox login.

Salesforce Identity Video – PoC on Preventing Sign-in / Sign-up Page Reload

This video shows a proof-of-concept implementation using the Experience Id to customize the login experience to make login pages and sign-up pages single use. This could be used to prevent users from sending links to sign-up pages to one another if consent screens need to be shown prior to the login experience.

Salesforce Identity videos

Over the last few weeks I’ve spent a fair amount of time working with Salesforce Identity. Salesforce Identity is a very capable offering and offers a fully functional and very configurable identity provider (IdP) at a very competitive price compared to other identity providers on the market. Part of this work has been showcasing a number of elements of Salesforce Identity, from setting it up as a developer to working with email templates and translations. To scale it I’ve recorded it as videos and wanted to share them on the blog in case someone could learn from them.

I’ll be posting the videos over the next couple of days. I’ve recorded videos on the following topics:

  • Working with Salesforce, including setting up an org, Salesforce CLI, configuring Salesforce Identity
  • PoC on Preventing Sign-in / Sign-up Page Reload
  • Internationalization (i18n) / Localization (l10n)
  • Email Templates including translation
  • MFA Enablement

The videos use two repositories I’ve created for the demos: