# Salesforce is enforcing phishing-resistant MFA: What you need to know

Salesforce is enforcing phishing-resistant MFA for privileged users starting July 1, 2026. Learn what's changing, what qualifies, and how to get compliant quickly with Bitwarden.

---

AI-powered phishing and social engineering attacks have made traditional MFA methods increasingly easy to bypass. To better protect the most privileged accounts on its platform, Salesforce announced phishing-resistant standards that provide a stronger defense against sophisticated identity-based threats. 

Starting July 1, 2026, Salesforce will enforce phishing-resistant MFA for all privileged users, including admins. Organizations must act before that deadline to maintain access. Read on to learn about what's changing, what qualifies, and how to get compliant quickly.

## What's changing

Salesforce has long recommended MFA for all users. Now it will be enforced. 

As of July 1, 2026, Salesforce will be enforcing two tiers of MFA requirements simultaneously: 

1. For [all employee users, standard MFA is now required](https://help.salesforce.com/s/articleView?id=005321561&type=1) on every login, whether direct or through SSO.
2. For [all privileged users, the bar is higher](https://help.salesforce.com/s/articleView?id=005321563&type=1). Only phishing-resistant MFA methods, meaning those built on FIDO2/WebAuthn standards, will meet the requirement. As with standard MFA, this applies to both direct logins and SSO logins, across both production and sandbox orgs. The privileged user enforcement applies to anyone with the System Administrator profile or any of the following permissions: Modify All Data, View All Data, Customize Application, or Author Apex.

Users who have not enrolled in a compliant method by the deadline will be blocked from logging in.

## What qualifies as phishing-resistant MFA

For privileged users, standard MFA methods are no longer sufficient. This includes one-time passcodes from authenticator apps like Google Authenticator or Duo, SMS codes, and push notification approvals. These methods share a common vulnerability: they can be intercepted or entered on a spoofed site, making them susceptible to the exact attacks Salesforce is trying to prevent.

Additionally, SSO alone does not guarantee compliance. If an organization uses an identity provider, that provider must pass a signal to Salesforce confirming that the user authenticated with a phishing-resistant method. Logging in through SSO with a password and standard TOTP code will not meet the requirement.

Salesforce recognizes three phishing-resistant MFA methods:

1. **Built-in authenticators:** Device-based methods such as Windows Hello, Apple Touch ID, Face ID, and Android passkeys. These are convenient but device-bound, meaning if a device is lost, account recovery is required.
2. **Hardware security keys:** Physical keys such as YubiKey that connect via USB, NFC, or Bluetooth. These are highly secure but require carrying additional hardware and managing backups.
3. **Cloud-synced passkeys:** Passkeys managed through a FIDO2-compliant password manager. Unlike device-bound methods, cloud-synced passkeys sync across all devices. Salesforce explicitly confirms that password managers including Bitwarden meet the phishing-resistant MFA requirement.
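Why a one-time code survives a spoofed site while a FIDO2/WebAuthn assertion does not, as an added example that is not Salesforce or Bitwarden code. The domains, keys and challenge are constructed, and an HMAC stands in for the authenticator's ECDSA signature so the sketch runs on the standard library alone.

```python
import base64, hashlib, hmac, json, struct

RP_ID, RP_ORIGIN = "login.example.test", "https://login.example.test"  # constructed
SPOOF_ORIGIN = "https://login.example.lookalike.test"                  # constructed

def totp(secret, now, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def server_accepts_totp(secret, submitted, now):
    # The server sees only the digits; where the user typed them is not part of the proof.
    return hmac.compare_digest(totp(secret, now), submitted)

def browser_get_assertion(cred_key, page_origin, challenge):
    """Client side: the browser, not the page, writes the origin into clientDataJSON."""
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode(),
        "origin": page_origin,
    }).encode()
    host = page_origin.split("://", 1)[1]
    auth_data = hashlib.sha256(host.encode()).digest() + b"\x05" + struct.pack(">I", 1)
    # Stand-in (assumption) for the signature over authData || SHA-256(clientDataJSON).
    sig = hmac.new(cred_key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return client_data, auth_data, sig

def rp_accepts_assertion(cred_key, challenge, client_data, auth_data, sig):
    """Relying-party checks: type, challenge, origin, rpIdHash, then the signature."""
    cd = json.loads(client_data)
    expected_chal = base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()
    good_sig = hmac.new(cred_key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return (cd["type"] == "webauthn.get"
            and cd["challenge"] == expected_chal
            and cd["origin"] == RP_ORIGIN
            and auth_data[:32] == hashlib.sha256(RP_ID.encode()).digest()
            and hmac.compare_digest(sig, good_sig))

def demo(now=1_700_000_000):
    secret, key, chal = b"constructed-totp-seed", b"constructed-cred-key", b"\x01" * 16
    relayed_code = totp(secret, now)  # typed on the spoofed page, then passed along
    totp_result = server_accepts_totp(secret, relayed_code, now)
    # Worst case: assume the authenticator signs at all on the spoofed origin.
    spoofed = rp_accepts_assertion(key, chal, *browser_get_assertion(key, SPOOF_ORIGIN, chal))
    genuine = rp_accepts_assertion(key, chal, *browser_get_assertion(key, RP_ORIGIN, chal))
    return totp_result, spoofed, genuine
```

In a real browser the spoofed case stops even earlier, because the browser refuses an RP ID that does not match the page's origin and the credential is scoped to that RP ID.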

## Get compliant quickly with Bitwarden

All three options listed above meet Salesforce's phishing-resistant MFA requirement. The difference comes down to practicality. Cloud-synced passkeys offer the security of phishing-resistant MFA with the most convenience. Because they are stored in an encrypted password manager vault and synced across devices, privileged users can authenticate from any device without relying on a single device or piece of hardware. For most organizations, cloud-synced passkeys are the most practical path to compliance.

Bitwarden is explicitly named by Salesforce as a qualifying cloud-synced passkey solution. Passkeys stored in Bitwarden are encrypted, synced across all devices, and ready to use wherever privileged users log in. For teams managing multiple users, Bitwarden enterprise controls make it straightforward to roll out passkeys org-wide, with SSO integration, directory sync, and detailed event logs to support compliance and auditing. An open source, independently audited password manager trusted by 80,000+ businesses, Bitwarden brings an additional layer of transparency and trust to passkey management.

## Be ready before July 1, 2026

With the July 1 deadline approaching, now is the time to act. Get started with a [free business trial](https://bitwarden.com/de-de/go/start-enterprise-trial/) or [contact sales](https://bitwarden.com/de-de/contact-sales/) to get privileged users compliant in time.
