MFA Verification Methods

Issue

Which verification methods satisfy the MFA requirement?

Resolution

Let's start with verification methods that do not satisfy the requirement. Whether you're using your SSO identity provider's MFA services or Salesforce's MFA for direct logins, delivering one-time passcodes via the following options is not allowed because these methods are inherently vulnerable to interception, spoofing, and other attacks.

  • Email messages
  • Text messages
  • Phone calls

To satisfy the MFA requirement, you must use verification methods that are more resistant to cyberattacks (such as phishing and man-in-the-middle attacks). These types of methods help provide high assurance that users accessing Salesforce products are who they say they are.

  • For SSO - With the exception of the options listed above, use any method that is supported by, or integrated with, your identity provider's MFA solution.

  • For Heroku MFA - Use any of the methods that are supported by your Salesforce products' MFA functionality:

    • Salesforce Authenticator mobile app (available on the App Store or Google Play Store)
    • Time-based one-time passcode (TOTP) authenticator apps, such as Google Authenticator or Microsoft Authenticator
    • Security keys that support WebAuthn or U2F, such as Yubico's YubiKey or Google's Titan Security Key
    • Built-in authenticators, such as Touch ID, Face ID, or Windows Hello

Refer to Multi-Factor Authentication (MFA) in Heroku Dev Center to see the benefits and considerations for each method.
