Salesforce enforces MFA for all employee logins: Here’s what you need to know

Salesforce is making one thing clear: traditional authentication methods are no longer enough.

Beginning June 22, 2026, Salesforce is raising the security bar for employee logins by enforcing multi-factor authentication (MFA) in sandbox environments, followed by a phased rollout to production environments on July 1. For privileged users – including System Administrators and other users with elevated permissions – Salesforce will require phishing-resistant MFA methods such as security keys like the YubiKey and built-in authenticators that leverage FIDO2 and WebAuthn standards.

This is more than a routine security update. It reflects a broader industry shift: phishing-resistant authentication is becoming the standard for protecting privileged accounts and high-risk actions. It also underscores a larger trend toward stronger identity verification as organizations face increasingly sophisticated cyber threats, many of which are accelerated by AI.

AI is making phishing attacks faster, more convincing, and easier to scale. Highly sophisticated social engineering campaigns can now trick even careful users and bypass passwords and legacy MFA. Identity has become the primary attack surface for modern cybercriminals, with 86% of phishing attacks now being AI-driven.

Strong, phishing-resistant security is no longer a luxury reserved for a handful of specialized roles; every user logging into an enterprise system holds a piece of the attack surface.

Why Salesforce is making this change

Through this move, Salesforce is differentiating between traditional MFA, such as SMS codes, TOTP apps and push notifications – which are vulnerable to phishing, social engineering, or account recovery attacks – and phishing-resistant MFA. Hardware-backed security keys, like the YubiKey, offer stronger defense because they rely on cryptographic proof rather than shared secrets or one-time codes.

Phishing-resistant authentication is fundamentally different from legacy MFA. The private key stays on the physical device, and there is no software path for an attacker to extract or phish it remotely. The authentication process verifies both the user and the legitimate website before access occurs, which significantly reduces the risk of credential theft and account takeover.
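The "verifies both the user and the legitimate website" property above is the relying party checking the origin and RP ID that the browser (not the web page) bakes into the signed data. The following simulation is an added example, not code from Salesforce or Yubico: it signs a WebAuthn-style assertion with a device-bound P-256 key and shows that the relying party accepts it only when the browser reported the expected origin. The RP ID, origin and challenge are placeholders, not Salesforce's real configuration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)
// Placeholder RP values and a constructed challenge (assumptions; a real server issues a fresh random challenge per login).
const rpID, rpOrigin, challenge = "example.com", "https://login.example.com", "Y29uc3RydWN0ZWQtY2hhbGxlbmdl"
// clientData mirrors WebAuthn's CollectedClientData; the browser, not the page, fills in Origin.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}
// signedMessage is what the security key signs: authenticatorData || SHA-256(clientDataJSON).
func signedMessage(authData, cdj []byte) []byte {
	h := sha256.Sum256(cdj)
	m := sha256.Sum256(append(append([]byte{}, authData...), h[:]...))
	return m[:]
}
// verifyAssertion is the relying-party side: type, challenge, origin and rpIdHash are checked before the ES256 signature.
func verifyAssertion(pub *ecdsa.PublicKey, authData, cdj, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(cdj, &cd); err != nil || cd.Type != "webauthn.get" || cd.Challenge != challenge {
		return fmt.Errorf("malformed client data, wrong type or stale challenge")
	}
	if cd.Origin != rpOrigin { // an assertion produced while the browser was on a look-alike site fails here
		return fmt.Errorf("origin %q is not %q", cd.Origin, rpOrigin)
	}
	if h := sha256.Sum256([]byte(rpID)); len(authData) < 37 || string(authData[:32]) != string(h[:]) || authData[32]&0x01 == 0 {
		return fmt.Errorf("rpIdHash mismatch or user-presence flag not set")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(authData, cdj), sig) {
		return fmt.Errorf("bad signature")
	}
	return nil
}
// Simulate models a user touching the key while the browser is on pageOrigin; nil means the login is accepted.
func Simulate(pageOrigin string) error {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // device-bound private key, never leaves the authenticator
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 1) // rpIdHash || flags (UP set) || signature counter = 1
	cdj, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: pageOrigin})
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, signedMessage(authData, cdj))
	return verifyAssertion(&priv.PublicKey, authData, cdj, sig)
}
```

Because the origin is supplied by the browser and covered by the signature, a proxy or look-alike site cannot replay the key's response against the real login page, which is the difference from an OTP that is valid wherever it is typed.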

Salesforce explicitly recognizes security keys and built-in authenticators as phishing-resistant methods for privileged users. Traditional authenticator applications do not meet these requirements for administrators and other high-privilege accounts.

Step-by-step guide: How to add YubiKeys to Salesforce accounts

As enforcement dates approach, organizations should begin preparing now to avoid disruptions. Recommended actions include:

  1. Identify users with privileged Salesforce permissions.
  2. Verify MFA configurations across both direct and SSO-based logins.
  3. Enable phishing-resistant authentication methods for administrators and power users.
  4. Register primary and backup authentication methods before enforcement begins.
  5. Review authentication policies to ensure compliance with Salesforce’s updated requirements.

Enabling your YubiKey on Salesforce accounts is quick and straightforward. Before you begin, ensure you have your physical YubiKey ready, then follow these steps:

  1. Log in to your Salesforce account.
  2. Click on your avatar in the upper-right corner and select Settings or Advanced User Details.
  3. Find the Registration: Security Key (U2F/WebAuthn) option and click Register.
  4. You may be prompted to log in again to verify your identity.
  5. Insert your YubiKey into an available USB port or hold your NFC-enabled YubiKey near your mobile device.
  6. When the YubiKey’s edge light begins to flash, touch the copper sensor on the key to generate your device-bound credential.
  7. Enter a recognizable name for your security key, such as “Primary YubiKey,” and click Save.

As an industry best practice, register a secondary backup YubiKey and store it in a secure location to reduce the risk of account lockout.

For many organizations, Salesforce will be one of the first systems where phishing-resistant authentication becomes mandatory, but it likely won’t be the last. Organizations that act now will meet compliance requirements and be better positioned to protect their users, data, and business operations against the next generation of cyber threats.

Don’t wait for the July 1 deadline. Equip administrators and power users with the gold standard of phishing-resistant protection today.

——

For more information on integrating YubiKeys into Salesforce accounts, visit here. To learn more about how YubiKeys can secure your cross-platform enterprise environment, contact our team.
