The short version: Salesforce is enforcing phishing-resistant Multi-Factor Authentication (MFA) for users, starting with System Admins and other privileged users, and the deadline is closer than you'd like (July!).
Most of us are already used to MFA: that extra step where you confirm your login with a code on your phone or by tapping approve/allow in your phone's authenticator app. Those two methods (a one-time code or a push approval) are exactly the ones that are not phishing resistant, because a fake login page can relay the code or trigger the approval prompt. Phishing-resistant MFA is a stronger version that can't be tricked by fake login pages or intercepted codes. Think hardware security keys or your device's built-in fingerprint or face recognition (passkeys).
Salesforce is requiring this across the board as part of a big push to make the platform safer.
Nonprofits often have a mix of full-time staff, part-timers, and volunteers all accessing Salesforce — sometimes on different devices, sometimes on shared ones. And if your team isn't already set up with a password manager or consistent device security, getting everyone across this change quickly is probably harder for you than it is for a business with a dedicated IT team.
The good news is it's very manageable if you start now.
Where to start
- Check your Salesforce email notifications to find out your specific deadline
- Make a list of everyone who logs into your Salesforce org
- Look at what devices they're using and whether they support passkeys or biometrics
- Consider a password manager if you don't have one — it makes ongoing security much easier
- Rope in your IT team or a trusted partner (like us!) to help
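To make the "list everyone who logs in" step concrete, here are two SOQL queries (added here as an example, not part of the original post or anything Salesforce publishes) that an admin can run in the Developer Console or with the Salesforce CLI. They assume the standard User object and the out-of-the-box "System Administrator" profile name; if your org has renamed or cloned that profile, adjust the filter. The first query pulls the privileged users Salesforce is enforcing on first; the second pulls every other active standard user, grouped by profile, so you can schedule the rollout group by group.

```sql
SELECT Id, Name, Username, Email, Profile.Name, LastLoginDate
FROM User
WHERE IsActive = true
  AND Profile.Name = 'System Administrator'
ORDER BY LastLoginDate DESC NULLS LAST

SELECT Id, Name, Username, Profile.Name, UserType, LastLoginDate
FROM User
WHERE IsActive = true
  AND UserType = 'Standard'
ORDER BY Profile.Name, Name
```

LastLoginDate is included on purpose: accounts that have not logged in for months (former volunteers, old consultants) are better deactivated than enrolled, which shrinks both the rollout and your attack surface. Export the results to a spreadsheet and add a column for the device each person uses, which feeds the next step in the list.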
Please don't put this one in the "we'll get to it" pile. The turnaround is short and the last thing you want is disruption to your team's access to your data.
Note: Salesforce emailed a Product & Service Notification about this on 6 May. More information in this article.