Prepare for Summer 2026 Salesforce Changes: Phishing-Resistant MFA and SSO
Disclaimer: These recommendations are based on the information we have at the time of publication and could change pending any adjustments to the security updates that Salesforce might make.
What is changing?
Starting in June 2026, Salesforce will require all users to set up additional authentication. In addition, admins and users with elevated access will be required to set up a stronger type of authentication to continue logging in to their Sandbox and Production Orgs.
Who is impacted?
Users with any of the following will require Phishing-Resistant MFA (Multi-Factor Authentication):
- Profile: System Administrator
- Object and field level security: Modify All Data or View All Data
- System settings: Customize Application or Author Apex
- Report and dashboard viewing or exporting *
*Step-Up Authentication is utilized for report and dashboard viewing and/or exporting. This authentication is required at maximum every 2 hours and at minimum every 2 minutes. Even after logging in using Phishing-Resistant MFA, users will be required to authenticate again (using their Phishing-Resistant MFA) when viewing or exporting reports or dashboards.
Why is this happening?
Salesforce is increasing security for the average user, requiring Time-Based One-Time Passwords (TOTP) to be enforced across all orgs. For users who can access potentially sensitive data, Salesforce requires additional security that verifies the user access is tied to the correct individual, which Phishing-Resistant MFA provides.
What’s the solution?
Passkeys are set up on a device or in a password manager and combine user and device authentication, so a user can log in without typing anything. This tightens security and makes social engineering attacks much more difficult.
Alternatively, users can utilize a password manager to configure “Security Keys” within Salesforce. The security key will be tied to your device, so selecting a tool that can be used on multiple devices will smooth transitions as laptops, computers, or phones are replaced.
When is this happening?
Requirements for Phishing-Resistant MFA go into effect in Sandbox Orgs beginning June 22nd and will impact Production Orgs by July 1st.
Recommended Actions:
Move passwords to an app that supports passkeys and configure your passkeys in those apps before the end of June to avoid being locked out of Salesforce. Examples of apps that support passkeys or Time-Based One-Time Passwords (TOTP):
- Google Password Manager (in Chrome)
- iCloud Keychain (in Apple ecosystem)
- Password Managers like 1Password, Bitwarden, Dashlane, Nordpass, etc.
Only using a Username/Password to log in to Salesforce?
You need to set up some form of additional authentication, either using an authenticator app that supports Time-Based One-Time Passwords (TOTP) or the Salesforce Authenticator. Receiving a text message or an email with a verification code is no longer sufficient.
Currently using SSO?
Salesforce is also requiring additional SSO verification. Ensure that your Identity Provider (IdP) is configured to pass a “proof of MFA” claim (such as AMR/ACR in OIDC or authnmethodreferences in SAML) to Salesforce. This may not be configured “out of the box” and might require some additional changes from your IT team.
This means that after logging in to your SSO provider, some additional form of authentication is required, either a one-time passcode, a device notification to approve your login, biometrics, or a passkey. If this is not currently in place when you log in using SSO, you need to reach out to your IT team to explore your options. SIG is available to help as well!
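One way for an IT team to check what their IdP is actually asserting before the deadline is to look at the "amr"/"acr" claims in an OIDC ID token it issues. The following is an added example written for this post, not Salesforce's or any IdP vendor's code. It assumes amr values follow RFC 8176, that acr values follow the OpenID Connect EAP ACR Values profile ("phr", "phrh"), and that key-based methods ("hwk", "swk", "sc") are the ones to treat as phishing-resistant; that classification, the sample tokens, and the issuer and subject values are all constructed for illustration.

```python
import base64
import json
from dataclasses import dataclass

# Added example, not Salesforce's or any IdP vendor's code. It inspects the
# "amr"/"acr" claims of an OIDC ID token to see whether the IdP is actually
# asserting proof of MFA, and whether that MFA was phishing-resistant.

# Assumption: amr values follow RFC 8176 ("Authentication Method Reference
# Values"). Which of them count as phishing-resistant is a policy choice made
# for this example: key-based authenticators (passkeys / FIDO security keys,
# reported as hardware- or software-secured keys) and smart cards.
PHISHING_RESISTANT_AMR = {"hwk", "swk", "sc"}
# Assumption: acr values from the OpenID Connect EAP ACR Values profile, where
# "phr" = phishing-resistant and "phrh" = phishing-resistant, hardware-protected.
PHISHING_RESISTANT_ACR = {"phr", "phrh"}


@dataclass(frozen=True)
class MfaEvidence:
    has_mfa: bool              # IdP asserted more than a single factor
    phishing_resistant: bool   # at least one factor is key-based
    reason: str


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def id_token_claims(id_token: str) -> dict:
    """Return the payload claims of a compact-serialized JWT.

    Only the claim set is parsed here; verifying the signature against the
    IdP's JWKS is out of scope for this audit helper and must happen first
    in any real relying party.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a three-part compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def assess_mfa_evidence(claims: dict) -> MfaEvidence:
    """Classify the MFA evidence an IdP put into an ID token's claims."""
    amr = claims.get("amr")
    amr_set = set(amr) if isinstance(amr, list) else set()
    acr = claims.get("acr")

    if acr in PHISHING_RESISTANT_ACR or amr_set & PHISHING_RESISTANT_AMR:
        return MfaEvidence(True, True, f"phishing-resistant method asserted (amr={sorted(amr_set)}, acr={acr})")
    if "mfa" in amr_set or len(amr_set) >= 2:
        return MfaEvidence(True, False, f"MFA asserted but no key-based method (amr={sorted(amr_set)})")
    if not amr_set and acr is None:
        return MfaEvidence(False, False, "no amr/acr claim: IdP is not passing proof of MFA to the service provider")
    return MfaEvidence(False, False, f"single factor only (amr={sorted(amr_set)}, acr={acr})")


def _constructed_token(payload: dict) -> str:
    """Build a demo token with an unsigned header and a placeholder signature.

    Constructed for this example only; a real ID token is signed by the IdP.
    """
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}.placeholder-signature"


# Constructed sample tokens; issuer and subject are placeholders, not real tenants.
SAMPLE_TOKENS = {
    "password_only": _constructed_token({"iss": "https://idp.example", "sub": "u1", "amr": ["pwd"]}),
    "password_plus_totp": _constructed_token({"iss": "https://idp.example", "sub": "u2", "amr": ["pwd", "otp"]}),
    "password_plus_passkey": _constructed_token({"iss": "https://idp.example", "sub": "u3", "amr": ["pwd", "hwk"]}),
    "acr_only": _constructed_token({"iss": "https://idp.example", "sub": "u4", "acr": "phrh"}),
    "no_claims": _constructed_token({"iss": "https://idp.example", "sub": "u5"}),
}


def audit_sample_tokens() -> dict:
    """Run the assessment over the constructed samples, keyed by scenario name."""
    return {name: assess_mfa_evidence(id_token_claims(tok)) for name, tok in SAMPLE_TOKENS.items()}


if __name__ == "__main__":
    for name, verdict in audit_sample_tokens().items():
        print(f"{name:22s} mfa={verdict.has_mfa!s:5s} "
              f"phishing_resistant={verdict.phishing_resistant!s:5s} {verdict.reason}")
```

The "no_claims" outcome is the one this section is about: an IdP that completes MFA but never emits an amr/acr claim gives the service provider nothing to verify, so the token looks single-factor from Salesforce's side. Which exact amr or acr strings your IdP emits for passkeys is vendor-specific, so confirm them against its documentation before relying on the classification above.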
MFA Login changes will impact all users, whether you utilize SSO or only Username/Password. MFA requirements for general users will go into effect in Sandbox Orgs beginning June 22nd, July 20th for Production Orgs, and both will be fully required by August 19th. Please note: These deadlines are in addition to the Phishing-Resistant MFA deadlines noted above.
Does your institution need help?
Unless this requirement is addressed now, institutions that leverage Salesforce risk significant operational disruption. If you and your team need help addressing this requirement, SIG is here for you.
SIG is offering a 5-hour engagement to address the Phishing-Resistant MFA requirements and to ensure there’s no disruption to your Salesforce environment.
If you’re interested in learning more about this specific support ordering, or our other services, please reach out to us.