June 30, 2026
Salesforce’s New Passkey Requirement (2026 Guide for Admins & Developers)
The other day, I came across Salesforce’s announcement about Phishing-Resistant Multi-Factor Authentication (MFA).
By Vaishnavi Mandloi
2 min read
My first thought was:
"Wait… we already use Salesforce Authenticator. Why is Salesforce changing the login process again?" 🤔
If you're a Salesforce Admin or Developer, you might have the same question.
So, I spent some time understanding the new policy, experimenting with different authentication methods, and learning how Passkeys actually work.
Here's a simplified explanation of what I learned.
🚨 What's Changing?
Salesforce is introducing Phishing-Resistant MFA for privileged users. The enforcement timeline is:
- June 22, 2026 — Sandbox Environments
- July 1, 2026 — Production Environments
This means users with high-level permissions will no longer be able to rely solely on traditional authenticator apps like Salesforce Authenticator, Google Authenticator, or Microsoft Authenticator. A one-time code is much safer than a password alone, but it is still just a number the user types in: it is not tied to the site that asked for it, so a phishing page (or an adversary-in-the-middle proxy sitting between the user and the real login page) can collect the code and relay it to Salesforce within its validity window. Attackers have become increasingly successful at exactly this.
To address this, Salesforce is moving privileged users to Passkeys, which are based on the FIDO2/WebAuthn standard. A passkey signs a challenge that the browser binds to the real site's origin, so a lookalike domain cannot obtain a usable login, which is what makes passkeys phishing-resistant rather than merely "harder to phish."
👩💻 Who Is Affected?
The policy applies to users with privileged permissions, including:
- System Administrator
- Author Apex
- Customize Application
- Modify All Data
- View All Data
If your user has any of these permissions, it's worth preparing before Salesforce begins enforcement.
🔐 What Is a Passkey?
A Passkey replaces one-time verification codes with public-key cryptographic authentication. At registration your device creates a key pair; Salesforce stores only the public key, and at every login your device signs a fresh challenge with the private key.
Instead of entering an OTP, you unlock that private key and approve the login with:
- Fingerprint or face recognition
- Device PIN
- Hardware security key
- A password manager that stores the passkey (unlocked with the manager's own biometric or PIN)
The private key never leaves your trusted device or password manager in the clear, so there is nothing for a phishing page to capture and replay. Two points worth knowing: the browser, not the user, records which origin requested the login, so a signature produced for a lookalike domain is rejected by the real site; and a "synced" passkey (Google Password Manager, Apple Passwords, 1Password, etc.) is replicated to your other devices through the provider's end-to-end encrypted sync, so the security of that account and its recovery path now matters as much as the device itself.
What Authentication Options Do We Have?
Salesforce supports multiple phishing-resistant authentication methods.
Examples include:
- Windows Hello (a platform authenticator: the passkey lives on that PC)
- Password Managers (Google Password Manager, Bitwarden, 1Password, Apple Passwords, LastPass, Zoho Vault, etc.)
- Hardware Security Keys (YubiKey, etc.)
- Enterprise Single Sign-On (SSO: Okta, etc.), provided the identity provider itself enforces a phishing-resistant method such as FIDO2/passkeys for these users; SSO that ends in a push notification or OTP at the IdP does not meet the bar
The best option depends on how you work and your organization's security requirements. Whatever you pick, register at least two methods (for example a password-manager passkey plus a hardware key) so that a lost or reset device does not lock an administrator out.
Google Password Manager & QR Authentication
One option I found particularly interesting is Google Password Manager, since it's already built into Chrome and Android.
When registering your Salesforce Passkey, you can choose Google Password Manager as the storage location.
One feature I really liked is QR-based authentication.
Suppose you're trying to log into Salesforce from another computer where your Passkey isn't available.
Instead of creating another Passkey, you can:
- Open the Salesforce login page.
- Select Use a Passkey.
- Chrome displays a QR code.
- Scan the QR code using your Android phone where the Passkey is stored in Google Password Manager.
- Verify using your fingerprint, face recognition, or device PIN.
- Salesforce completes the login.
It's a simple and convenient authentication experience. Two practical notes: both devices need Bluetooth turned on, because the cross-device (FIDO "hybrid") flow includes a Bluetooth Low Energy proximity check, which is what stops an attacker from forwarding the QR code to a victim somewhere else on the internet; and Chrome will offer to remember the phone, so the next login from that computer can skip the QR scan.
My Key Takeaways
After exploring this new authentication model, here are my biggest takeaways:
- ✅ Passkeys are replacing traditional OTP-based authentication for privileged Salesforce users.
- ✅ Windows Hello is a great option if you primarily work from one device.
- ✅ Password Managers are ideal if you regularly switch between trusted devices.
- ✅ It's better to configure and test your preferred authentication method (plus a backup method) before Salesforce begins enforcement, starting in a sandbox where a mistake costs nothing.
References
Prepare for Phishing-Resistant MFA Enforcement for Privileged Users including Admins
FIDO Alliance Passkeys
Google Password Manager & Passkeys