Issue
Which verification methods satisfy the MFA requirement?
Resolution
Let's start with verification methods that do not satisfy the requirement. Whether you're using your SSO identity provider's MFA services or Salesforce's MFA for direct logins, delivering one-time passcodes via the following options is not allowed because these methods are inherently vulnerable to interception, spoofing, and other attacks.
- Email messages
- Text messages
- Phone calls
To satisfy the MFA requirement, you must use verification methods that are more resistant to cyberattacks (such as phishing and man-in-the-middle attacks). These types of methods help provide high assurance that users accessing Salesforce products are who they say they are.
- For SSO - With the exception of the options listed above, use any method that is supported by, or integrated with, your identity provider's MFA solution.
- For Heroku MFA - Use any of the methods that are supported by your Salesforce products' MFA functionality:
  - Salesforce Authenticator mobile app (available on the App Store or Google Play Store)
  - Time-based one-time passcode (TOTP) authenticator apps, like Google Authenticator or Microsoft Authenticator
  - Security keys that support WebAuthn or U2F, such as Yubico's YubiKey or Google's Titan Security Key
  - Built-in authenticators, such as Touch ID, Face ID, or Windows Hello
Refer to Multi-Factor Authentication (MFA) in Heroku Dev Center to see the benefits and considerations for each method.