Salesforce has confirmed that mandatory multi-factor authentication enforcement will be activated for all production organizations beginning July 15, 2026, ending a two-year grace period during which the requirement was technically in effect but not actively enforced. After the enforcement date, users who have not enrolled in MFA will be prompted to register an authenticator upon login and will be unable to access the platform until enrollment is complete.
The enforcement applies to all direct user logins through the Salesforce UI, including partner and customer community users. SSO-authenticated users are exempt from Salesforce's native MFA requirement, provided their identity provider enforces its own MFA policy, which Salesforce recommends but cannot directly verify. The company is offering free Salesforce Authenticator app licenses and has expanded support for third-party authenticator apps, hardware security keys, and built-in biometric authenticators.
Administrators should begin preparing immediately by auditing their user base to identify accounts that have not yet enrolled in MFA, communicating the upcoming enforcement to all users, and establishing support procedures for users who encounter enrollment difficulties. Organizations with large user populations, particularly those with field workers or manufacturing floor users who may not carry smartphones, should evaluate hardware security key options and biometric alternatives well before the July deadline to avoid widespread login disruptions.
