This post was written by Andy Szymas, a Solution Architect at Kicksaw. It was last updated on 11/23/21.

Intro

Salesforce requires multi-factor authentication (MFA) for all users who log in through the user interface, effective Feb 1, 2022. Kicksaw regularly receives requests from clients asking how to do this correctly, and we also get called in on jobs where the wrong choice was made and integrations broke as a result. This post explains how to enable MFA in your org the right way while keeping your external integrations from failing.

Enabling MFA in Salesforce

There are two ways to set up MFA in Salesforce:

  1. Profile Settings
  2. Session Settings

If you search "how to enable mfa salesforce," the first result is from help.salesforce.com and explains how to enable MFA via session security levels. That method is not recommended, because it risks breaking API integrations and connected apps.

This is a risk for clients who take the initiative and turn on MFA themselves without speaking with Kicksaw first, which is why I've put together this quick write-up on the two methods.

Profile Settings (recommended)

The MFA user permission can be granted either on a profile or through a permission set. Granted on a profile, it applies to every user with that profile. Granted through a permission set, you choose exactly which users get it and can stage the rollout in waves.

To set this, open the profile (or permission set), go to System Permissions, and enable Multi-Factor Authentication for User Interface Logins. Do not enable Multi-Factor Authentication for API Logins: that permission requires a time-based one-time password (TOTP) on every API login, which an unattended integration cannot supply.

Session Settings (not recommended)

The session-settings method takes two steps:

  1. In Setup ⇒ Session Settings, move Multi-Factor Authentication into the "High Assurance" list under Session Security Levels.
  2. In Setup ⇒ Profile ⇒ Session Settings, set the profile's session security level required at login to High Assurance.

This is not recommended because it can break API logins. Unlike the Profile Settings method described above, a High Assurance requirement at login applies to every login on that profile, including username/password logins by accounts used for an API integration or connected app. Those logins cannot complete MFA, so the session they get is not High Assurance and the API calls are rejected.

Dedicated Integration Users

Salesforce's MFA requirement does not apply to users with the API Only User permission, so if your integrations run as a dedicated API-only user, the permission steps above don't need to touch that user at all. Keep such users on their own profile (or out of the MFA permission set) so that neither MFA permission nor a High Assurance session requirement is applied to them by accident.
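The following is an added pre-rollout check, not Kicksaw's or Salesforce's code. It takes a snapshot of users, profiles and permission sets and predicts, for each of the two configuration methods above, which logins will start demanding MFA or a High Assurance session and which integration users will break. The data model, the sample org (rep@example.com, integration@example.com, the "MFA Rollout Wave 1" permission set) and the function names are assumptions standing in for a real org export; the permission labels are the ones shown in Setup.

```python
from dataclasses import dataclass

# System permission labels as they appear in Setup, and the session level name.
UI_MFA = "Multi-Factor Authentication for User Interface Logins"
API_MFA = "Multi-Factor Authentication for API Logins"
API_ONLY = "API Only User"
HIGH_ASSURANCE = "High Assurance"


@dataclass(frozen=True)
class Profile:
    name: str
    permissions: frozenset = frozenset()
    # Profile > Session Settings > "Session security level required at login".
    required_session_level: str = "None"


@dataclass(frozen=True)
class PermissionSet:
    name: str
    permissions: frozenset = frozenset()


@dataclass(frozen=True)
class User:
    username: str
    profile: Profile
    permission_sets: tuple = ()

    def has(self, perm: str) -> bool:
        """A user holds a permission via the profile or any assigned permission set."""
        return perm in self.profile.permissions or any(
            perm in ps.permissions for ps in self.permission_sets)


def assess(user: User, mfa_is_high_assurance: bool) -> dict:
    """Predict what each login type will demand of this user.

    mfa_is_high_assurance mirrors Setup > Session Settings: True once
    Multi-Factor Authentication sits in the High Assurance list.
    """
    findings = []
    api_only = user.has(API_ONLY)
    # Session-settings method: a High Assurance requirement at login applies to
    # every login on the profile. A username/password API login cannot complete
    # MFA, so its session is not High Assurance and the API calls are rejected.
    session_gate = (user.profile.required_session_level == HIGH_ASSURANCE
                    and mfa_is_high_assurance)
    if session_gate:
        if not api_only:
            findings.append("UI logins will require MFA (High Assurance session)")
        findings.append("API logins will fail: the session is not High Assurance")
    # Permission method: the UI permission only touches interactive logins ...
    if user.has(UI_MFA) and not api_only:
        findings.append("UI logins will prompt for MFA")
    # ... whereas the API permission demands a TOTP on every API login.
    if user.has(API_MFA):
        findings.append("API logins will require a TOTP: unattended integrations fail")
    return {
        "username": user.username,
        "api_only": api_only,
        "api_login_breaks": session_gate or user.has(API_MFA),
        "findings": findings,
    }


def broken_integrations(users, mfa_is_high_assurance: bool) -> list:
    """Usernames of API-only (integration) users whose API logins would break."""
    return [r["username"]
            for r in (assess(u, mfa_is_high_assurance) for u in users)
            if r["api_only"] and r["api_login_breaks"]]


def sample_org(method: str):
    """Constructed snapshot of a small org set up with the given method
    ("permission" or "session"); returns (users, mfa_is_high_assurance)."""
    if method == "permission":
        standard = Profile("Standard User")
        integration = Profile("Integration User", frozenset({API_ONLY}))
        wave1 = PermissionSet("MFA Rollout Wave 1", frozenset({UI_MFA}))
        return ([User("rep@example.com", standard, (wave1,)),
                 User("integration@example.com", integration)], False)
    if method == "session":
        standard = Profile("Standard User", required_session_level=HIGH_ASSURANCE)
        integration = Profile("Integration User", frozenset({API_ONLY}), HIGH_ASSURANCE)
        return ([User("rep@example.com", standard),
                 User("integration@example.com", integration)], True)
    raise ValueError(f"unknown method: {method}")


if __name__ == "__main__":
    for method in ("permission", "session"):
        users, high_assurance = sample_org(method)
        print(f"{method}: broken integrations = {broken_integrations(users, high_assurance)}")
        for u in users:
            print("  ", assess(u, high_assurance))
```

Run against a real export (one User per row, its profile's session setting, and its permission sets), `broken_integrations` is the list you want to be empty before flipping either setting; with the permission method it stays empty, with the session method the integration user shows up.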

TL;DR

If you're setting up MFA for a client, grant the System Permission rather than changing the Session Settings. If a client's API integration suddenly starts failing with an error such as "Response content: [{'message': 'This session is not valid for use with the REST API', 'errorCode': 'INVALID_SESSION_ID'}]" or similar, check whether the session settings have changed.
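An added triage helper, not Kicksaw's code, for the situation just described: it parses a Salesforce REST error body and tells an on-call engineer whether the failure looks like a session that merely expired or one blocked by a High Assurance session requirement. It accepts both the JSON Salesforce returns and the Python-style repr in the quoted "Response content:" line. The sample error strings and the "Session expired or invalid" message are constructed inputs; the cause labels and function names are assumptions.

```python
import ast
import json

# Constructed samples: the first mirrors the error quoted above, the second is
# the ordinary expired-session shape of the same errorCode.
SAMPLE_LOG_LINE = ("Response content: [{'message': 'This session is not valid for use "
                   "with the REST API', 'errorCode': 'INVALID_SESSION_ID'}]")
SAMPLE_EXPIRED = ('[{"message": "Session expired or invalid", '
                  '"errorCode": "INVALID_SESSION_ID"}]')


def parse_error_body(raw: str) -> list:
    """Return the list of {message, errorCode} dicts from a Salesforce REST
    error body. Accepts the JSON the API returns, or the single-quoted Python
    repr that a Python client writes after 'Response content:'."""
    text = raw.split("Response content:", 1)[-1].strip()
    try:
        body = json.loads(text)
    except json.JSONDecodeError:
        try:
            body = ast.literal_eval(text)   # Python repr, not JSON
        except (ValueError, SyntaxError):
            return []
    if isinstance(body, dict):
        body = [body]
    return [e for e in body if isinstance(e, dict)]


def triage(raw: str) -> dict:
    """Map the error to a likely cause and the check to perform first."""
    for err in parse_error_body(raw):
        code = err.get("errorCode")
        msg = err.get("message", "")
        if code == "INVALID_SESSION_ID":
            # The REST-specific wording points at session security level, not
            # at an expired token: the login succeeded but the session is not
            # High Assurance, so the API refuses to use it.
            if "not valid for use with the REST API" in msg:
                return {"cause": "session_security_level",
                        "action": "Check Setup > Session Settings and the profile's "
                                  "session security level required at login; a High "
                                  "Assurance requirement blocks username/password "
                                  "API sessions."}
            return {"cause": "session_expired",
                    "action": "Re-authenticate and retry; no configuration change implied."}
    return {"cause": "other",
            "action": "Inspect errorCode; this is not a session-level problem."}


if __name__ == "__main__":
    for sample in (SAMPLE_LOG_LINE, SAMPLE_EXPIRED):
        print(triage(sample))
```

Wire `triage` into whatever catches the integration's exceptions and alert on `session_security_level` separately from `session_expired`: the first means someone changed org configuration and retrying will not help, the second is routine.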
