Phishing-resistant Multi-Factor Authentication (MFA) for privileged users and admins
What's happening?
Salesforce is enforcing phishing-resistant Multi-Factor Authentication (MFA) for all users with the System Administrator profile, or with the Modify All Data, View All Data, Customize Application, or Author Apex permissions. The change applies to direct UI logins and Single Sign-On (SSO) logins, across both production and sandbox orgs.
Different MFA types
| Tier | Direct Salesforce Login (Salesforce MFA verifiers) | SSO (AMR/ACR Signals from your Identity Provider) | Result |
|---|---|---|---|
| Phishing-resistant MFA | Security Keys (WebAuthn), Built-in Authenticators (Touch ID, Windows Hello) | cert, fido, fido2, fpt, hwk, iris, pin, pki, pop, retina, sc, smartcard, swk, TLSClient, user, vbm, wia, x509 | Successful login. |
| Standard MFA | Salesforce Authenticator, TOTP Apps (Google/Microsoft Auth), and Admin-Generated Temporary Verification Codes | face, mobiletwofactorcontract, multipleauthn, okta_verify, passkey, webauthn | Login blocked until enrollment and use of phishing-resistant MFA verifiers. |
| Weak/no MFA | No MFA | pwd, sms, tel, email | Login blocked until enrollment and use of phishing-resistant MFA verifiers. |
- Sandboxes: Starting June 22, 2026, staggered over approximately seven days
- Production: Starting July 1, 2026, staggered over approximately 30 days
Will this affect you?
Users with any of the permissions listed above who log in directly without a phishing-resistant MFA method can't use the system. Users who log in via SSO can't log in unless your identity provider sends a phishing-resistant MFA signal (AMR/ACR).
The system will block users from logging in until they register a phishing-resistant MFA method.
Recommended action
Ensure any users with the permissions above who log in directly to Sage People are using phishing-resistant MFA methods.
If you use SSO, ensure your identity provider sends a phishing-resistant MFA signal (AMR/ACR) for any users with the above permissions.
For more information, see the Salesforce article Phishing-resistant MFA enforcement for privileged users and admins.