top of page

Salesforce MFA (FIDO2 /U2F) admin operation steps

Describes how to set and operate MFA using a security key (FIDO2 / U2F).

2022/06/15 Article update

By supporting WebAuthn (FIDO2) in ​Salesforce, registration and authentication methods using FIDO2 compatible security keys have been added.

​How to set and initialize FIDO2 compatible keysherePlease refer to


By applying the Summer'22 version of Salesforce,Supports WebAuthn (FIDO2) security keysI came to This change allows users to register WebAuthn (FIDO2) or U2F security keys for identity verification. If you have keys previously registered as FIDO U2F, you may be prompted for an authentication sequence (PIN) as FIDO2 due to Summer'22 enforcement.

Environmental information

Device: Windows 10

​ Interface: Lightning Experience

Browser: Chrome

​ *Depending on the OS and browser you use, it may differ from the explanation image.

Configuring Salesforce MFA (FIDO2/U2F)

​​MFA settings areSystem AdministratorPlease operate with .

Setting up Salesforce MFA (FIDO2 / U2F) requires configuring identity verification, creating permission sets, and assigning users to permission sets. Please follow the steps below to configure the settings.

1. Configure identity verification

Configure settings so that users can verify their identities using security keys.

Enter "identity" in the quick search of the settings home and click on the "identity verification" item.
Then check "Allow users to verify their identities using a physical security key (U2F or WebAuthn)".


Finally, click the "Save" button at the bottom of the screen.


2. Create a permission set

Create permission sets to enable multi-factor authentication for users when logging in.

Enter Permission Sets in Quick Find on Setup Home, then click Permission Sets.

​ and click the New button.


Enter the permission set information.

(Display labels and API names are provided as examples.)

Label: Enable MFA Login 

API name: MFALogin

Description: (optional)


Finally, click the "Save" button.


Then click System Permissions at the bottom of the screen.


Click the "Edit" button at the top of the screen.


When the edit screen is displayed, check "Multi-factor authentication for user interface login" in the middle of the screen.


Go back to the top of the screen and click the "Save" button.


A confirmation modal will appear, click the Save button.


Permission set configuration is complete.

3. Permission set user assignments

Before assigning permission sets to users, you need to distribute security keys to each user.

Once you have assigned the ​ permission set to a user, that user will be required to register a security key the next time they log in.

Assign the permission set created in step 2 to the user.

Enter Permission Sets in Quick Find on Setup Home.
Click Permission Sets, then click the permission set you created in step 2.


Click the Manage Quotas button.


Click the Add Assignment button.


Check the users you want to assign the permission set to and click the "Assign" button.


Click the "Finish" button.


That's it for enabling MFA with security key (FIDO2/U2F) when logging in in Salesforce.

Please refer to the following for user security key registration and login method.

Salesforce MFA (U2F) の設定
ID 検証の設定

How to check the user's security key registration status

​Explains how administrators can check the registration status of a user's security key.

Enter "Users" in the Quick Find on the Settings Home.
Click "User" from the items and click the target user.


If [Delete] is displayed in the "Security Key (U2F or WebAuthn)" item at the bottom of the user screen, you can determine that the security key has been registered.


[Delete Security Key]​

By clicking [Delete] on the right side of the security key item, it is possible for the administrator to delete the user's security key. A user whose security key has been deleted will be required to register the security key the next time they log in.


How to register your own security key from the management screen

Operate as a user whose profile has user setting privileges.

(The system administrator can operate.)

Enter "Users" in the Quick Find on the Settings Home.
Click "User" from the items and click the target user.


Click [Register] in the [Security Key (U2F or WebAuthn)] item at the bottom of the user screen.


A confirmation code will be sent by email, so enter the confirmation code in the email and click the "Verify" button.


Transit to the security key registration page.

​Click the Register button.


After moving to the security key registration page, the "Security key setup" popup will automatically appear, so click the "OK" button.


Next, "Continue Setup" will be displayed, so click the "OK" button.


Insert the security key into the USB port.


After that, the registration sequence differs between FIDO2-compatible security keys and FIDO U2F-only security keys.

Here's a quick way to tell.

U2F: Just touch the security key to complete setup.

FIDO2: A PIN is required during setup.
​ *If a PIN is not set for the security key, the PIN setting screen will be displayed.

For registration with FIDO U2F security key

For security keys that only support FIDO U2F, no PIN is required, and setup is completed simply by touching the button or metal part of the security key.


For registration with FIDO2 security key

For FIDO2-compatible security keys, you will be prompted to enter a PIN.

​If a PIN has not been set for the security key, a screen for setting will be displayed. Please set a PIN.


Touch the button or metal part of the security key.


Finally, enter the security key name and click the "Save" button to complete the security key registration.

*For both FIDO2 / U2F, the flow is to set the security key name after completing the registration.


If you lose or forget your security key

Salesforce has a function that allows you to temporarily log in with a verification code instead of a security key by setting a "temporary verification code".

This operation must be performed by a system administrator.

​Also, when issuing a verification code, the security key must be set for the issuer himself. If the security key has not been set, the "How to register your own security key from the management screenPlease refer to ".

[Regarding loss of security key]

​ If you lose your security key,How to check the user's security key registration statusPlease delete the security key based on the deletion method described in the information. After deleting the security key, a confirmation code will be issued. Since the use of the confirmation code is a temporary measure, please distribute the new security key to the user as soon as possible and ask them to re-register.

How to set up a temporary verification code

Enter "Users" in the Quick Find on the Settings Home.
Click "User" from the items and click the target user.


Click [Generate] in the [Temporary verification code] item at the bottom of the user screen.


If a security key is required on the ID verification screen, please authenticate with FIDO.

*PIN is required for FIDO2 authentication.

Insert the security key into the USB port.


Touch Security Key. (Touch buttons or metal parts.)


Specify the time on the temporary code generation screen and click the "Generate code" button.


The confirmation code confirmation screen will be displayed, so make a note of the confirmation code and tell the user the confirmation code and expiration date.

(Be sure to write down the confirmation code as it will only be displayed once.)

Click the "Done" button to return to the home.


[If you want to invalidate the confirmation code]
You can disable it by clicking [Expire Now] in the [Temporary Verification Code] item from [Settings > User > Target User Selection].

[If you forget the confirmation code]
It is necessary to disable the "temporary verification code" from "Settings > User > Target user selection" and reissue it.

See below for how users log in with verification codes.

bottom of page