Salesforce Multi-Factor Authentication (MFA): Who's impacted and how it affects integrations

By Andreea Arseni, Data Integration Consultant - March 12, 2025

Salesforce now requires Multi-Factor Authentication (MFA) for all direct UI logins in order to prevent security breaches caused by credential theft or weak passwords. However, enforcement varies based on how users access Salesforce, particularly for automated integrations.

In this article we will explain what Multi-Factor Authentication is, who is impacted by and who is exempt from Salesforce MFA, how it affects integrations, and what actions to take to avoid disruptions to your integration.

What is Salesforce Multi-Factor Authentication (MFA)?

Salesforce Multi-Factor Authentication (MFA) adds an extra layer of security to your account login process. Instead of relying solely on a username and password, MFA requires an additional verification step—this could be a code from a mobile app, a hardware security key, or a one-time passcode delivered via SMS or email. By combining something you know (your password) with something you have (the additional factor), Salesforce makes it much harder for unauthorized users to gain access to your account, even if your password is compromised.

Methods of Salesforce Multi-Factor Authentication (MFA)

Salesforce has implemented Multi-Factor Authentication (MFA) as an extra layer of security to protect user accounts from unauthorized access. Instead of relying solely on a username and password, MFA requires users to verify their identity using a second authentication factor. Options include:

  • Salesforce Authenticator App: Push notification-based approval.
  • Third-party Authenticator Apps: Such as Google Authenticator, Microsoft Authenticator, or Authy.
  • Security Keys: Hardware-based authentication like YubiKey.
  • One-time passcodes: Delivered via SMS or email (depending on company policy).

Who is impacted by Salesforce MFA?

MFA applies to any user logging into Salesforce through the standard login page or any application that requires an interactive login. The following user types are affected:

1. Standard Salesforce Users (Admins and Regular Users)
  • If a user logs in via the Salesforce UI (including Salesforce Classic, Lightning Experience, or mobile apps), they must complete MFA authentication every time they log in.
  • This applies to system administrators, sales users, customer service representatives, and other employees who use Salesforce interactively.
2. Users Accessing Salesforce via SSO (Without MFA at the IdP Level)
  • If a company uses Single Sign-On (SSO) but does not enforce MFA at the Identity Provider (IdP) level (e.g., Okta, Azure AD, Ping Identity), Salesforce will require MFA upon login.
  • If MFA is already enforced at the IdP level, Salesforce does not require an additional MFA challenge.

Who is exempt from the Salesforce MFA?

Certain users and authentication methods do not require MFA enforcement, including:

1. API-Only and Integration Users
  • Users who authenticate using API keys, OAuth flows, or security tokens do not require MFA.
  • This exemption exists because API-based authentication methods already use secure token-based authentication, reducing the risk of credential-based attacks.
2. Users Logging in via SSO (with MFA at the IdP Level)
  • If MFA is enforced through the organization’s Identity Provider (IdP) (e.g., Okta, Microsoft Azure AD, PingFederate), Salesforce considers this sufficient security.
  • In this case, the user does not need to complete an additional MFA challenge inside Salesforce.
3. Guest and Public Users
  • Unauthenticated guest users (such as those accessing a public Experience Cloud site) are not subject to MFA enforcement.

How Does MFA Impact Salesforce Integrations?

If an integration relies on a regular user’s credentials for authentication (e.g., logging in with a username and password), it will fail once MFA enforcement is enabled. This is because:

  • The integration will require a second authentication factor, which cannot be provided automatically.

For example, if an iPaaS connects to Salesforce using a regular user’s login credentials, it will break once MFA is enforced.
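
To find integrations at risk before enforcement, the sketch below audits login records for accounts that are used by both a person and an integration, or that make API logins without being API-only. It is an added example, not part of the original article or of Rapidi's tooling; the column names (username, api_type, api_only_user) and the sample rows are constructed assumptions, so map them to whatever your own login-history export contains.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows. Column names and values are assumptions for this
# example: one row per login, with the API type (empty for a UI login) and
# whether the user's profile or permission set marks them as API-only.
SAMPLE_CSV = """username,api_type,api_only_user
sales.rep@example.com,,false
sync.shared@example.com,,false
sync.shared@example.com,SOAP Partner,false
etl.bot@example.com,REST API,false
integration@example.com,REST API,true
"""

def audit_integration_logins(csv_text):
    """Return {username: finding} for accounts whose integration use is at risk."""
    seen = defaultdict(lambda: {"ui": False, "api": False, "api_only": False})
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = seen[row["username"].strip().lower()]
        # A row that records an API type is an API login; any other row is
        # treated as an interactive UI login, which is subject to MFA.
        if row["api_type"].strip():
            user["api"] = True
        else:
            user["ui"] = True
        user["api_only"] = row["api_only_user"].strip().lower() == "true"

    findings = {}
    for name, u in sorted(seen.items()):
        if not u["api"]:
            continue  # purely interactive user: MFA applies, no integration impact
        if u["ui"]:
            findings[name] = "shared: a person and an integration use the same account"
        elif not u["api_only"]:
            findings[name] = "not api-only: integration runs as a standard user"
    return findings

if __name__ == "__main__":
    for name, finding in audit_integration_logins(SAMPLE_CSV).items():
        print(f"{name}: {finding}")
```

Accounts reported here are the candidates to move to a dedicated API-only integration user.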

Solution: Best Practices for Avoiding MFA-Related Integration Failures

To prevent disruptions, integrations should use authentication methods that bypass the need for interactive MFA:

Use a Dedicated API-Only Integration User

    • Instead of using a standard user account for integrations, create a dedicated API user that is exempt from MFA.
    • This user should have only the permissions required for the integration.

To make the switch from using a regular user for any integration to a dedicated API-only integration user, follow these steps:

  1. Follow the steps in this article on how to set up your Salesforce integration user.
  2. After you have configured your integration user correctly, re-authorize your current Salesforce connection within MyRapidi using the new integration user.

And that’s it! 

Using a dedicated API-only integration user is essential for security, stability, and compliance. Also, an API-only integration user is specifically configured for system-to-system communication, ensuring uninterrupted access at all times.

If you need assistance, please contact our support team.


About the author

Andreea Arseni, Data Integration Consultant

Andreea has extensive experience with data and system integration projects. She is customer-oriented, possesses great technical skills and she is able to manage all projects in a professional and timely manner.

