
Requirement

Bypassing Multi-Factor Authentication (MFA) for Salesforce user login is not a recommended or standard practice, because it weakens the security of your Salesforce environment. However, there are specific scenarios where the question comes up:

  • Integration users.
  • Certain types of automation where MFA is not supported.
  • An admin decides that a particular set of users does not need MFA and wants to disable it for them.

Steps to disable MFA

  • Create a permission set: go to Setup >> New Permission Set and give it a descriptive name.
  • Go to System Permissions and enable the permission “Waive Multi-Factor Authentication for Exempt Users”.
  • Assign this permission set to the user.
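Because the waiver travels with the permission set, the control an admin needs afterwards is a periodic check of who actually holds it. The script below is an added example, not code from the original post: it audits permission-set assignments for the waiver and flags holders that fall outside a stated policy (only active accounts with an integration naming prefix are expected to be exempt). The sample rows are constructed, and the field name `PermissionsWaiveMfaForExemptUsers` is an assumption about the API name behind the “Waive Multi-Factor Authentication for Exempt Users” setting; confirm it against your org's PermissionSet describe before relying on it.

```python
"""Audit which Salesforce users hold the MFA waiver permission.

Constructed sample data below stands in for the rows that two SOQL queries
would return. The permission-set field name PermissionsWaiveMfaForExemptUsers
is an assumption about the API name behind "Waive Multi-Factor Authentication
for Exempt Users"; verify it in your org before relying on it.
"""
from dataclasses import dataclass

# Queries assumed to produce the rows below (Developer Console, Workbench or CLI):
#   SELECT Id, Name, PermissionsWaiveMfaForExemptUsers FROM PermissionSet
#   SELECT PermissionSetId, Assignee.Username, Assignee.IsActive FROM PermissionSetAssignment

WAIVER_FIELD = "PermissionsWaiveMfaForExemptUsers"  # assumed API name

# Constructed sample rows (not from a real org).
PERMISSION_SETS = [
    {"Id": "0PSxx0000000001", "Name": "MFA_Waiver_Integration", WAIVER_FIELD: True},
    {"Id": "0PSxx0000000002", "Name": "Sales_Reports_Extra", WAIVER_FIELD: False},
]
ASSIGNMENTS = [
    {"PermissionSetId": "0PSxx0000000001",
     "Assignee": {"Username": "integration.erp@example.com", "IsActive": True}},
    {"PermissionSetId": "0PSxx0000000001",
     "Assignee": {"Username": "jane.doe@example.com", "IsActive": True}},
    {"PermissionSetId": "0PSxx0000000001",
     "Assignee": {"Username": "integration.legacy@example.com", "IsActive": False}},
    {"PermissionSetId": "0PSxx0000000002",
     "Assignee": {"Username": "bob.smith@example.com", "IsActive": True}},
]


@dataclass(frozen=True)
class Finding:
    username: str
    permission_set: str
    expected: bool   # True when the waiver matches the stated policy
    reason: str


def waiver_permission_sets(permission_sets):
    """Return {Id: Name} for every permission set that grants the waiver."""
    return {ps["Id"]: ps["Name"] for ps in permission_sets if ps.get(WAIVER_FIELD)}


def audit_mfa_waivers(permission_sets, assignments, integration_prefixes=("integration.",)):
    """List every user who inherits the MFA waiver through a permission set.

    Policy encoded here (an assumption for this example): only active accounts
    whose username starts with one of integration_prefixes are expected to be
    exempt; any other holder is flagged for review.
    """
    waivers = waiver_permission_sets(permission_sets)
    findings = []
    for a in assignments:
        ps_name = waivers.get(a["PermissionSetId"])
        if ps_name is None:
            continue  # this permission set does not grant the waiver
        user = a["Assignee"]
        username = user["Username"]
        if not user["IsActive"]:
            findings.append(Finding(username, ps_name, False,
                                    "inactive user still holds the waiver; remove the assignment"))
        elif username.startswith(integration_prefixes):
            findings.append(Finding(username, ps_name, True,
                                    "integration account, exempt by policy; re-review periodically"))
        else:
            findings.append(Finding(username, ps_name, False,
                                    "interactive user exempt from MFA; not covered by policy"))
    return findings


def unexpected_waivers(findings):
    """Only the findings that need an admin's attention."""
    return [f for f in findings if not f.expected]


if __name__ == "__main__":
    for f in audit_mfa_waivers(PERMISSION_SETS, ASSIGNMENTS):
        flag = "OK " if f.expected else "FIX"
        print(f"{flag} {f.username:35} {f.permission_set:25} {f.reason}")
```

Run against the constructed rows, the report lists the ERP integration account as expected and flags two assignments for action: an interactive user who should not be exempt, and a deactivated account that still carries the waiver. Deactivation does not remove permission-set assignments, so the second case is easy to miss without a check like this.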

Best Practices and Options

Bypassing MFA entirely creates a security risk: it exposes your org to unauthorized access and potential data breaches. Salesforce mandates MFA compliance as a security standard, and disabling it for user login is generally not advisable.

If you’re facing specific challenges with MFA, consider discussing them with Salesforce Support or your internal IT/security team to explore compliant and secure solutions.

  1. Use a Login Flow
    Configure a login flow to selectively bypass MFA based on user criteria like profiles, roles, or custom attributes. For example:

    • Integration users or system accounts might bypass MFA.
    • Regular users continue to require MFA.
  2. Session-Based Controls
    Once a user logs in and completes MFA, their session remains active based on the configured timeout period. This prevents MFA prompts for every login attempt within that session.

  3. Trusted IP Ranges
    Salesforce allows you to define Trusted IP Ranges for your organization. When users log in from these IP ranges, they may not be prompted for MFA:

    • Navigate to Setup > Network Access.
    • Add the IP ranges to mark them as trusted.
  4. Custom Policies
    Use Salesforce Shield or Custom Authentication Providers to tailor security policies. You can define when and where MFA is required.

  5. Integration Users
    Salesforce allows setting up Connected Apps for integrations. These apps can use OAuth tokens or other methods without requiring MFA for every API request.
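Option 3 above turns every address in a trusted range into a location that skips the prompt, so the width of each range matters as much as the decision to add it. The script below is an added example, not part of the original post: it reads the trusted ranges from a SecuritySettings metadata file (the `networkAccess/ipRanges` layout with `start`, `end` and `description` is the Metadata API format), expresses each range as CIDR blocks, and flags ranges that are wider than a policy threshold, that cover the entire IPv4 space, or that carry no description. The XML sample is constructed and the 256-address threshold is a policy choice made for this example.

```python
"""Review Salesforce Trusted IP Ranges for overly broad entries.

The sample below is a constructed Security.settings fragment in Metadata API
format; MAX_ADDRESSES is a policy threshold chosen for this example.
"""
import ipaddress
import xml.etree.ElementTree as ET

SAMPLE_SETTINGS = """<?xml version="1.0" encoding="UTF-8"?>
<SecuritySettings xmlns="http://soap.sforce.com/2006/04/metadata">
    <networkAccess>
        <ipRanges>
            <description>HQ office egress</description>
            <end>203.0.113.14</end>
            <start>203.0.113.10</start>
        </ipRanges>
        <ipRanges>
            <description>added for troubleshooting</description>
            <end>255.255.255.255</end>
            <start>0.0.0.0</start>
        </ipRanges>
        <ipRanges>
            <end>198.51.100.255</end>
            <start>198.51.0.0</start>
        </ipRanges>
    </networkAccess>
</SecuritySettings>
"""

NS = {"m": "http://soap.sforce.com/2006/04/metadata"}
MAX_ADDRESSES = 256          # policy: a trusted range should not exceed a /24
ENTIRE_IPV4 = 2 ** 32


def parse_trusted_ranges(xml_text):
    """Return (start, end, description) tuples from a SecuritySettings document."""
    root = ET.fromstring(xml_text)
    ranges = []
    for r in root.findall("m:networkAccess/m:ipRanges", NS):
        start = ipaddress.ip_address(r.findtext("m:start", namespaces=NS).strip())
        end = ipaddress.ip_address(r.findtext("m:end", namespaces=NS).strip())
        desc = (r.findtext("m:description", default="", namespaces=NS) or "").strip()
        ranges.append((start, end, desc))
    return ranges


def range_size(start, end):
    """Number of addresses covered by an inclusive start..end range."""
    return int(ipaddress.ip_address(end)) - int(ipaddress.ip_address(start)) + 1


def review_trusted_ranges(xml_text, max_addresses=MAX_ADDRESSES):
    """Describe every trusted range and list the policy problems it has."""
    findings = []
    for start, end, desc in parse_trusted_ranges(xml_text):
        problems = []
        if start.version != end.version or start > end:
            findings.append({"start": str(start), "end": str(end), "cidrs": [],
                             "size": 0, "problems": ["start/end are not a valid range"]})
            continue
        size = range_size(start, end)
        cidrs = [str(n) for n in ipaddress.summarize_address_range(start, end)]
        if size > max_addresses:
            problems.append(f"covers {size} addresses (policy limit {max_addresses})")
        if size == ENTIRE_IPV4:
            problems.append("covers the entire IPv4 space; trusts every login location")
        if not desc:
            problems.append("no description; owner and purpose unknown")
        findings.append({"start": str(start), "end": str(end), "cidrs": cidrs,
                         "size": size, "problems": problems})
    return findings


if __name__ == "__main__":
    for f in review_trusted_ranges(SAMPLE_SETTINGS):
        status = "OK " if not f["problems"] else "FIX"
        print(f"{status} {f['start']}-{f['end']}  {', '.join(f['cidrs'])}")
        for p in f["problems"]:
            print(f"      - {p}")
```

On the constructed sample the office egress range passes, the 0.0.0.0 to 255.255.255.255 entry is reported as trusting every location on the internet, and the undocumented /18-sized block is flagged both for its width and for having no owner recorded. Running this against the file retrieved with the Metadata API (or the Salesforce CLI) before each deployment keeps the list from drifting.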

Conclusion

Managing Salesforce's day-to-day needs, such as enabling or disabling MFA, seems easy, but it can still affect security, best practices and other areas of the org. We at Tenetizer take care of the tenets of a healthy org, security and best practices; reach out to us for more details.