
Salesforce is enforcing phishing-resistant MFA: What you need to know

Salesforce is enforcing phishing-resistant MFA for privileged users starting July 1, 2026. Learn what's changing, what qualifies, and how to get compliant quickly with Bitwarden.

AI-powered phishing and social engineering attacks have made traditional MFA methods increasingly easy to bypass. To better protect the most privileged accounts on its platform, Salesforce announced phishing-resistant standards that provide a stronger defense against sophisticated identity-based threats.

Starting July 1, 2026, Salesforce will enforce phishing-resistant MFA for all privileged users, including admins. Organizations must act before that deadline to maintain access. Read on to learn about what's changing, what qualifies, and how to get compliant quickly.

What's changing

Salesforce has long recommended MFA for all users. Now it will be enforced.

As of July 1, 2026, Salesforce will be enforcing two tiers of MFA requirements simultaneously:

  1. For all employee users, standard MFA is now required on every login, whether direct or through SSO.

  2. For all privileged users, the bar is higher. Only phishing-resistant MFA methods, which are those built on FIDO2/WebAuthn standards, will meet the requirement. This also applies to direct logins and SSO logins, across both production and sandbox orgs. The privileged user enforcement applies to anyone with the System Administrator profile or any of the following permissions: Modify All Data, View All Data, Customize Application, or Author Apex.

Users who have not enrolled in a compliant method by the deadline will be blocked from logging in.

What qualifies as phishing-resistant MFA

For privileged users, standard MFA methods are no longer sufficient. That includes one-time passcodes from authenticator apps such as Google Authenticator or Duo, SMS codes, and push-notification approvals. These methods share a common weakness: a code or approval is not tied to the site the user is actually on, so it can be intercepted or entered on a spoofed site, which makes them susceptible to exactly the attacks Salesforce is trying to prevent.

Additionally, SSO alone does not guarantee compliance. If an organization uses an identity provider, that provider must pass a signal to Salesforce confirming that the user authenticated with a phishing-resistant method. Logging in through SSO with a password and standard TOTP code will not meet the requirement.

Salesforce recognizes three phishing-resistant MFA methods:

  1. Built-in authenticators: Device-based methods such as Windows Hello, Apple Touch ID, Face ID, and Android passkeys. These are convenient but device-bound, meaning if a device is lost, account recovery is required.

  2. Hardware security keys: Physical keys such as YubiKey that connect via USB, NFC, or Bluetooth. These are highly secure but require carrying additional hardware and managing backups.

  3. Cloud-synced passkeys: Passkeys managed through a FIDO2-compliant password manager. Unlike device-bound methods, cloud-synced passkeys sync across all devices. Salesforce explicitly confirms that password managers including Bitwarden meet the phishing-resistant MFA requirement.
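To make concrete why the methods above count as phishing-resistant while one-time codes do not, here is an added illustration (not Salesforce's or Bitwarden's code) of the verifier's side of both factors. A TOTP verifier receives six digits and nothing else, so it cannot tell which page the user typed them into; a WebAuthn relying party receives a clientDataJSON whose origin field is written by the browser, and rejects an assertion whose origin is not its own before it even checks the signature. The hostnames, keys and challenge are constructed, and an HMAC with a shared key stands in for the authenticator's real asymmetric signature so that the example needs only the standard library.

```python
import base64
import hashlib
import hmac
import json
import os
import struct

# All names and values below are constructed for this illustration.
RP_ID = "login.example.com"
RP_ORIGIN = "https://login.example.com"
LOOKALIKE_ORIGIN = "https://login-example.com"   # a look-alike page, not the real site


# ---- TOTP (RFC 6238 on top of RFC 4226 HOTP): the verifier sees only six digits ----
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30) -> str:
    return hotp(secret, at // step)


def verify_totp(secret: bytes, submitted: str, at: int) -> bool:
    """The server's only inputs are the digits and its clock: nothing says where they were typed."""
    return hmac.compare_digest(totp(secret, at), submitted)


# ---- WebAuthn-style assertion: the browser binds the ceremony to the page origin ----
def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def browser_get_assertion(cred_key: bytes, challenge: bytes, page_origin: str) -> dict:
    """Models the browser plus authenticator. The browser, not the page's script, records the
    origin it is actually on in clientDataJSON and scopes the credential to that domain; the
    authenticator then signs authenticatorData || SHA-256(clientDataJSON). An HMAC with a
    shared key (constructed) replaces the real private-key signature for this example."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": _b64url(challenge),
                              "origin": page_origin}, separators=(",", ":")).encode()
    rp_id = page_origin.split("://", 1)[1]
    # authenticatorData = rpIdHash (32) || flags (1, bit 0 = user present) || signCount (4)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
    sig = hmac.new(cred_key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return {"clientDataJSON": _b64url(client_data), "authenticatorData": _b64url(auth_data),
            "signature": _b64url(sig)}


def verify_assertion(cred_key: bytes, assertion: dict, expected_challenge: bytes,
                     expected_origin: str = RP_ORIGIN, rp_id: str = RP_ID):
    """Relying-party checks in the order the WebAuthn spec lists them; returns (ok, reason)."""
    client_data = _b64url_decode(assertion["clientDataJSON"])
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if not hmac.compare_digest(_b64url_decode(cd.get("challenge", "")), expected_challenge):
        return False, "challenge mismatch (replayed or stale)"
    if cd.get("origin") != expected_origin:
        return False, f"origin mismatch: {cd.get('origin')}"
    auth_data = _b64url_decode(assertion["authenticatorData"])
    if len(auth_data) < 37 or auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    expected_sig = hmac.new(cred_key, auth_data + hashlib.sha256(client_data).digest(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(assertion["signature"])):
        return False, "signature invalid"
    return True, "ok"


def origin_binding_demo(totp_secret: bytes, cred_key: bytes, now: int) -> dict:
    """What the real site's verifier receives when the user completed both factors on a
    look-alike page: the TOTP digits verify, the WebAuthn assertion fails the origin check."""
    challenge = os.urandom(32)                       # issued by the relying party per login
    code_seen_by_user = totp(totp_secret, now)       # digits the user's app displayed
    assertion = browser_get_assertion(cred_key, challenge, LOOKALIKE_ORIGIN)
    ok, reason = verify_assertion(cred_key, assertion, challenge)
    return {"totp_accepted": verify_totp(totp_secret, code_seen_by_user, now),
            "webauthn_accepted": ok, "webauthn_reason": reason}


if __name__ == "__main__":
    print(origin_binding_demo(b"12345678901234567890", b"k" * 32, 1_700_000_000))
```

The same origin binding is what an identity provider has to attest to when it passes a phishing-resistant signal downstream: the assertion is only meaningful if the IdP itself performed and checked a FIDO2/WebAuthn ceremony, which a password-plus-TOTP login never did.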

Get compliant quickly with Bitwarden

All three options listed above meet Salesforce's phishing-resistant MFA requirement. The difference comes down to practicality. Cloud-synced passkeys offer the security of phishing-resistant MFA with the most convenience. Because they are stored in an encrypted password manager vault and synced across devices, privileged users can authenticate from any device without relying on a single device or piece of hardware. For most organizations, cloud-synced passkeys are the most practical path to compliance.

Bitwarden is explicitly named by Salesforce as a qualifying cloud-synced passkey solution. Passkeys stored in Bitwarden are encrypted, synced across all devices, and ready to use wherever privileged users log in. For teams managing multiple users, Bitwarden enterprise controls make it straightforward to roll out passkeys org-wide, with SSO integration, directory sync, and detailed event logs to support compliance and auditing. An open source, independently audited password manager trusted by 80,000+ businesses, Bitwarden brings an additional layer of transparency and trust to passkey management.

Be ready before July 1, 2026

With the July 1 deadline approaching, now is the time to act. Get started with a free business trial or contact sales to get privileged users compliant in time.
