Salesforce is rolling out Multi-Factor Authentication (MFA) enforcement across production and sandbox environments beginning in June and July 2026. While the change is designed to strengthen account security, it could also affect how Salesforce UI test automation authenticates during execution.
For teams that rely on automated Salesforce testing, now is a good time to review authentication workflows before enforcement reaches production environments.
In today’s blog, we’re diving into Salesforce MFA enforcement — what it means for QA teams, where automation may be affected, and several steps that can help prepare your testing environment.
Understanding Salesforce MFA Enforcement
Salesforce is introducing mandatory MFA enforcement as part of its ongoing effort to strengthen account security and reduce the risk of credential-based attacks.
The rollout occurs in two phases.
Wave 1: Phishing-Resistant MFA for Privileged Users
Users with elevated permissions, including System Administrators and users with permissions such as Modify All Data, View All Data, Customize Application, or Author Apex, will be required to use phishing-resistant MFA.
Supported authentication methods include passkeys, biometric authenticators, and hardware security keys.
Current enforcement schedule:
- Sandbox: June 22, 2026
- Production: July 1, 2026
Wave 2: Standard MFA for Employee Users
Salesforce will then extend MFA enforcement to all remaining internal employee users. Users who have not enrolled an MFA method will be prompted to register one during login.
Current enforcement schedule:
- Sandbox: June 22, 2026
- Production: July 20, 2026
Salesforce’s MFA enforcement schedule is subject to change. Refer to Salesforce documentation for the latest updates.
How MFA May Affect Salesforce Test Automation
Salesforce MFA enforcement won’t affect every organization in the same way.
Teams using API-only integrations generally won’t be affected by MFA enforcement. However, organizations that perform UI-based Salesforce testing using interactive username and password authentication should review how those tests log in.
The greatest impact is often seen when automation users also hold privileged Salesforce permissions. Many organizations assign elevated permissions to simplify test setup and execution, making those users subject to the first phase of enforcement.
UI tests that authenticate with only a username and password may encounter an MFA verification prompt instead of the expected Salesforce landing page. Within a CI/CD pipeline, these failures can resemble application or selector issues even though the underlying cause is authentication.
Reviewing authentication workflows before enforcement begins can help reduce unexpected interruptions during automated test execution.
Preparing Your Automation Environment
A few proactive steps can help teams prepare for Salesforce MFA enforcement.
Review Automation Users
Start by identifying every Salesforce account used by automated testing.
Review assigned profiles and permissions to determine whether any automation users fall under the phishing-resistant MFA requirements.
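One way to run this review, as an added example (not Provar's or Salesforce's code): the script below folds rows exported from a PermissionSetAssignment query into one verdict per automation user, using the permissions and dates listed above. The flattened row keys, usernames and permission set names are constructed for illustration.

```python
from collections import defaultdict
from datetime import date

# Wave 1 permissions named on the page, keyed by their PermissionSet field names.
# The page introduces them with "such as", so treat this set as a minimum.
WAVE1_FIELDS = {
    "PermissionsModifyAllData": "Modify All Data",
    "PermissionsViewAllData": "View All Data",
    "PermissionsCustomizeApplication": "Customize Application",
    "PermissionsAuthorApex": "Author Apex",
}
# Enforcement dates as stated on the page (Salesforce may change them).
ENFORCED_ON = {
    ("wave1", "sandbox"): date(2026, 6, 22), ("wave1", "production"): date(2026, 7, 1),
    ("wave2", "sandbox"): date(2026, 6, 22), ("wave2", "production"): date(2026, 7, 20),
}

def classify(rows, environment):
    """Fold per-assignment rows into one verdict per automation user."""
    triggers = defaultdict(set)
    for row in rows:
        user = triggers[row["Username"]]  # registers users with no triggers too
        for field, label in WAVE1_FIELDS.items():
            if row.get(field):
                user.add(f"{label} (via {row['PermissionSet']})")
    report = {}
    for username, found in triggers.items():
        wave = "wave1" if found else "wave2"
        report[username] = {"wave": wave, "triggers": sorted(found),
                            "enforced_on": ENFORCED_ON[(wave, environment)]}
    return report

def _row(username, permission_set, *granted):
    return {"Username": username, "PermissionSet": permission_set,
            **{field: field in granted for field in WAVE1_FIELDS}}

# Constructed sample, shaped like a flattened export of PermissionSetAssignment
# (profile permissions appear there as a profile-owned permission set).
SAMPLE_ROWS = [
    _row("ci-ui@example.test", "System Administrator", *WAVE1_FIELDS),
    _row("smoke-bot@example.test", "QA_Base"),
    _row("smoke-bot@example.test", "QA_Deploy", "PermissionsAuthorApex"),
    _row("regression-bot@example.test", "QA_Base"),
]

if __name__ == "__main__":
    for name, verdict in classify(SAMPLE_ROWS, "production").items():
        print(name, verdict["wave"], verdict["enforced_on"], verdict["triggers"])
```

A user lands in Wave 1 if any single assignment grants one of the listed permissions, so the verdict is computed across all of that user's rows rather than per permission set.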
Evaluate Authentication Workflows
Document where your automation performs interactive Salesforce logins and identify any authentication flows that rely solely on usernames and passwords.
This is also a good opportunity to review OAuth and connected app configurations used across your automation environment.
Validate Single Sign-On Configuration
Organizations using SSO should verify that their identity provider is sending the appropriate authentication signals to Salesforce.
Testing these authentication flows in a sandbox environment before production enforcement can help identify configuration issues early.
Authentication Options for Salesforce Test Automation
Salesforce MFA enforcement doesn’t require teams to abandon automation. But it does require authentication methods that align with Salesforce’s updated security model.
Provar supports several authentication approaches that help organizations remain compliant while maintaining reliable automated test execution, including:
- OAuth Web (Hybrid) or JWT (Server to Server)
- Username/password authentication with runtime TOTP support
- Single Sign-On with MFA
The most appropriate option depends on your organization’s identity architecture, security policies, and operational requirements. OAuth JWT is often a strong fit and our recommended option for headless CI/CD environments, but organizations should choose the approach that best aligns with their existing authentication strategy.
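For the username/password option with runtime TOTP, the added example below (not Provar's implementation) generates an RFC 6238 code at run time and avoids typing a code that is about to expire. It assumes the standard 6-digit, 30-second HMAC-SHA1 parameters; `SF_TOTP_SECRET` and `code_for_submission` are hypothetical names.

```python
import base64
import hashlib
import hmac
import os
import struct
import time

# RFC 6238 Appendix B test seed (ASCII "12345678901234567890"), base32-encoded.
RFC_SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def totp(secret_b32, at=None, digits=6, step=30):
    """RFC 6238 TOTP with HMAC-SHA1 for a base32-encoded seed."""
    cleaned = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))
    counter = int((time.time() if at is None else at) // step)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"

def code_for_submission(secret_b32, now=None, min_validity=5, step=30):
    """Return (code, wait_seconds) so the test never types a code about to expire.

    If fewer than min_validity seconds remain in the current window, the caller
    should sleep wait_seconds and submit the next window's code instead.
    """
    now = time.time() if now is None else now
    remaining = step - (now % step)
    if remaining < min_validity:
        return totp(secret_b32, at=now + remaining, step=step), remaining
    return totp(secret_b32, at=now, step=step), 0

if __name__ == "__main__":
    # SF_TOTP_SECRET is a hypothetical variable name; inject the seed from the
    # CI secret store at run time and keep it out of the repository and logs.
    seed = os.environ.get("SF_TOTP_SECRET", RFC_SEED)
    code, wait = code_for_submission(seed)
    time.sleep(wait)
    print("code ready for the verification field (value not logged)")
```

A seed stored next to the account password puts both factors in one secret store, so scope access to that store as tightly as the account itself.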
Preparing for Salesforce MFA Enforcement
Salesforce MFA enforcement introduces new considerations for organizations that automate Salesforce testing. Reviewing authentication workflows before enforcement begins can help reduce unexpected issues during deployment and support more reliable automated test execution.
If you’re evaluating authentication options or preparing your automation environment for Salesforce MFA enforcement, Provar can help you assess your current approach and identify an authentication strategy that supports secure, reliable Salesforce testing.
Book a demo with the Provar team today.