Salesforce has set February 1, 2022, as the start date for enforcing Salesforce multi-factor authentication (MFA) compliance. Here’s a quick read and some resources to help ensure your Provar test automation is ready.

Just The Essentials of Salesforce Multi-Factor Authentication

  • MFA is not required for testing applications
  • Enforcement will follow a phased implementation schedule
    • Notices and License Information (NLI) compliance (February 1, 2022) 
    • New org default MFA with admin disable capability (between September and October 2022)
    • Admin disable ends (between May and June 2023)
  • MFA is not required for sandboxes (except B2C Commerce Cloud) or scratch orgs (see the MFA Requirements for User Types table in the FAQ)
  • Mandatory for compliance: Ensure you have Provar-dedicated user accounts (not used for anything else).

Salesforce continues to work out how MFA-exempt user types will be excluded from auto-enablement and enforcement. Provar is watching this closely and will provide updates as soon as the information is available.


  • If MFA is enabled for production, new and refreshed sandboxes will also have MFA enabled. Check here for more about how to manage MFA for sandboxes.

Planning For MFA With the Salesforce MFA Roadmap

February 1, 2022 – NLI compliance

“Starting February 1, 2022, Salesforce will begin requiring customers to enable Multi-Factor Authentication (MFA) for all Covered Services, unless otherwise approved by Salesforce by Salesforce internal policies and procedures.”

Accounts for test automation tools don’t require MFA (per the MFA FAQ). To comply, you must ensure that Provar Salesforce connections are set up only with user accounts dedicated to Provar. This applies to both the primary admin-level connections and any logon-as connections.

Between September and October 2022 – Auto Enable

Starting Fall 2022, Salesforce will automatically enable MFA for all users who log in directly to a Salesforce product’s UI. Until the enforcement phase, admins will be able to disable MFA temporarily.

Between May and June 2023 – Enforcement

When Salesforce enforces MFA for a Salesforce product, it becomes a permanent part of its login process. During enforcement, Salesforce auto-enables MFA for all users who aren’t already using it for direct logins. At the same time, Salesforce removes the option for all customer users, including admins, to disable MFA.

How Will Salesforce Implement MFA Exclusions?

Salesforce is still working out the specifics of implementing exclusions. Provar is tracking this closely and will let you know when Salesforce publishes additional information. Here’s the specific language from the FAQ:

How will Salesforce exclude MFA-exempt user types from auto-enablement and enforcement?

Several user types, including API/integration, automated testing, and RPA accounts, aren’t required to use MFA. We’re working on how customers can exclude these users from future auto-enablement and enforcement milestones. We’ll update this FAQ and your products’ documentation when more information is available.
