Read this blog to learn everything you need to know about Salesforce's MFA requirements and discover how Thales is ready to help you meet the new compliance challenge, while greatly enhancing your hybrid and multi-cloud cybersecurity posture.
Why is Salesforce enforcing MFA and what does it mean for my organization?
Salesforce is mandating multi-factor authentication (MFA) to help organizations better protect sensitive customer and user data stored in its platforms. The mandate applies to users logging into Salesforce starting February 1, 2022, and is designed to reduce the risk of account takeover and data breaches.
There are two main implications for your organization:
- Contractual and legal exposure: SFDC has stated that customers who do not enable appropriate MFA will be out of compliance with their contractual obligations. That can introduce legal and regulatory risk, so it’s important to involve your legal and compliance teams.
- Increased cyber risk: The attack landscape is expanding, and attackers are targeting credentials more aggressively. According to Google’s Safe Browsing report, the number of phishing websites grew by 80% in 2020. At the same time, about 90% of data breaches start with compromised credentials. Relying on passwords alone (single-factor authentication) leaves a significant gap.
Because Salesforce is a core system for many enterprises, non-compliance can also create operational risk if access is disrupted. Enabling MFA is a practical way to mitigate these risks and align with broader security best practices across your SaaS environment, not just Salesforce.
What MFA methods does Salesforce accept and how does Thales support them?
Salesforce does not prescribe a single MFA technology, but it does require that your chosen method align with NIST guidelines. As a result, some common methods are not accepted as MFA for SFDC, including:
- Email-based authentication
- SMS one-time passwords
- Voice-based authentication
Instead, Salesforce allows you to either:
- Use Salesforce’s own authentication service, or
- Use a third-party MFA and SSO provider, such as Thales SafeNet Trusted Access.
How Thales SafeNet Trusted Access helps:
- Fast deployment: As a native cloud solution, SafeNet Trusted Access can enable MFA for Salesforce in a matter of minutes, helping you meet the mandate without a long project.
- Broad authentication options: It supports a wide range of authentication methods so you can match different user profiles and risk levels.
- Smart SSO and policy-based access: You can define granular access policies and provide single sign-on across Salesforce and other apps, balancing security with user convenience.
- Audit and compliance: The platform maintains a detailed audit trail of all access and authentication events, which supports compliance and incident investigations.
By using a third-party solution like SafeNet Trusted Access, you can not only satisfy Salesforce’s MFA requirement but also reimagine how you secure access to other cloud, web, and on-premises applications.
Why should we extend MFA beyond Salesforce to our wider SaaS and data environment?
Meeting the Salesforce MFA mandate is an important step, but focusing only on SFDC leaves other parts of your environment exposed. Attackers typically look for the easiest way in, and weak or reused passwords across different SaaS apps are a common entry point.
Several trends highlight why a broader approach makes sense:
- Credential-driven breaches: Around 90% of data breaches start with compromised credentials, not just in Salesforce but across email, collaboration, and line-of-business apps.
- Growing phishing activity: With an 80% increase in phishing websites in 2020, users are more likely to be tricked into revealing passwords for any cloud service they use.
- Unstructured data risk: While 75% of organizations feel confident in their data security, 68% admit much of their unstructured data remains unprotected, creating blind spots in files, documents, and shared content.
Extending MFA and access controls across your SaaS and data landscape helps you:
- Mitigate the risk of unauthorized access and data breaches, regardless of which application is targeted.
- Align with evolving regulations and data breach notification “safe harbor” clauses, which often recognize strong security controls.
- Prepare for emerging risks, including AI-driven threats and, longer term, post-quantum security challenges.
Platforms like Thales SafeNet Trusted Access, combined with Thales’ broader data security portfolio (HSMs, data security platforms, and guidance from resources such as the Thales Data Threat Report and Digital Trust Index), help organizations rethink access management and data protection in a more integrated way—across Salesforce, other SaaS apps, and critical data wherever it resides.