Understanding and Enabling Multi-Factor Authentication (MFA)

Overview

Practifi is built on the Salesforce platform, and as your technology partner, we work diligently to ensure any Salesforce enhancements and changes are well understood in advance. Salesforce has announced their intention to make enabling multi-factor authentication (MFA) mandatory. Many Practifi clients have already enabled this feature as part of their security protocols to protect sensitive client information, maintain compliance standards, and safeguard firm operations.

If you are unsure whether this feature is enabled, this article outlines the future impacts on your users and security configurations.

About MFA

MFA adds another layer of security to your login process by requiring users to enter two or more pieces of evidence—or factors—to prove they are who they say they are. The first factor is the username and password. The second factor is an authenticator app, which can be installed on a user’s mobile device.

For wealth management firms, MFA helps protect client portfolios, personal financial data, and confidential documents from unauthorized access while supporting regulatory compliance requirements.

Upcoming Changes

Salesforce began MFA enforcement in its May/June 2023 release. Until that point, System Administrators in Practifi could disable MFA in Settings, because only auto-enablement of MFA occurred in January, not MFA enforcement.

What happens after MFA is auto-enabled

After MFA is auto-enabled in your organization, users are prompted to provide a verification method in addition to their username and password each time they log in to Practifi. Verification methods include authentication apps, security keys, and built-in authenticators like Windows Hello or Touch ID. If users haven't registered a method, they will be guided through the simple process at their next login.

Grace period

There is a 30-day grace period where users can skip registration and log in to Practifi without using MFA. The grace period begins on the day MFA is auto-enabled in your organization, and the same 30-day window applies to all users of the Practifi organization.

After MFA enforcement

When MFA enforcement occurs in Salesforce’s release, System Administrators will not be able to turn off the “Require multi-factor authentication (MFA) for all direct UI logins to your Salesforce org” setting. Users will receive an MFA challenge each time they log in directly with their username and password and must complete it. Users who weren’t already using MFA will be prompted to register for it when they log in and will not be able to access their Practifi account until they do so.

Phishing-Resistant MFA for Privileged Users

Salesforce is tightening its MFA requirements in two stages. The two stages are not the same requirement, and they apply to different groups of users.

Phishing-resistant MFA for privileged users. Privileged users, which includes anyone with the System Administrator profile or the Modify All Data, View All Data, Customize Application, or Author Apex permissions, must use a phishing-resistant verification method. Phishing-resistant methods are a security key, a passkey, or a built-in device authenticator such as Face ID, Touch ID, or Windows Hello. Authenticator apps and SMS codes do not meet this bar, even though they satisfy standard MFA. This requirement applies to both direct logins and single sign-on.

Standard MFA for all other users. Every remaining user must use at least standard MFA, which is any second factor. This includes the same authenticator apps that do not qualify as phishing-resistant. Standard MFA has been required since 2022, so for most firms, it is already in place.

When These Changes Take Effect

These changes apply to paid production and sandbox orgs only. Developer, trial, and scratch orgs are excluded. Salesforce has not published a per-org enforcement date, so treat each start date below as the point at which enforcement could begin at any time.

  • Phishing-resistant MFA for privileged users: sandboxes from around June 22, 2026, and production from around July 1, 2026.
  • Standard MFA for all remaining users: production from around July 20, 2026.

What Your Firm Should Do

Administrators should register a phishing-resistant method, such as a security key or passkey, before July 1, 2026. Verification methods are enabled at Setup > Identity Verification. All other users should confirm they have standard MFA in place before July 20, 2026.

If your firm runs multiple orgs or shares an administrator login, plan a per-person approach for admins rather than relying on a shared credential. Each privileged user needs their own registered phishing-resistant method.

For full details, see the Salesforce article Prepare for Phishing-Resistant MFA Enforcement for Privileged Users, Including Admins.
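To check readiness against the two requirements above, the following added example (not Practifi or Salesforce code) audits a user list and reports who still needs to register a method. The CSV layout, column names, and accounts are constructed for illustration and are not a Salesforce export format.

```python
import csv
import io

# Rules as stated in this article.
PRIVILEGED_PROFILE = "System Administrator"
PRIVILEGED_PERMS = {"Modify All Data", "View All Data",
                    "Customize Application", "Author Apex"}
PHISHING_RESISTANT = {"security key", "passkey", "built-in authenticator"}
STANDARD_ONLY = {"authenticator app", "sms"}

# Constructed sample data; the column names are hypothetical.
SAMPLE_EXPORT = """username,profile,permissions,methods
admin@example.com,System Administrator,,authenticator app
ops@example.com,Standard User,View All Data;Author Apex,security key;authenticator app
advisor@example.com,Standard User,,sms
assistant@example.com,Standard User,,
dev@example.com,Standard User,Customize Application,
"""

def split_field(value):
    """Split a semicolon-separated cell into a set of trimmed values."""
    return {v.strip() for v in value.split(";") if v.strip()}

def is_privileged(profile, permissions):
    """Privileged = admin profile OR any one of the four listed permissions."""
    return profile.strip() == PRIVILEGED_PROFILE or bool(permissions & PRIVILEGED_PERMS)

def audit(export_text):
    """Return {username: finding} for users who do not yet meet their requirement."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        perms = split_field(row["permissions"])
        methods = {m.lower() for m in split_field(row["methods"])}
        if is_privileged(row["profile"], perms):
            # An authenticator app or SMS alone does not satisfy this tier.
            if not methods & PHISHING_RESISTANT:
                have = ", ".join(sorted(methods)) or "nothing registered"
                findings[row["username"]] = (
                    f"privileged: needs phishing-resistant method (has {have})")
        elif not methods & (PHISHING_RESISTANT | STANDARD_ONLY):
            findings[row["username"]] = "standard: no second factor registered"
    return findings

if __name__ == "__main__":
    for user, finding in audit(SAMPLE_EXPORT).items():
        print(f"{user}: {finding}")
```

Note that a user on a non-admin profile still lands in the privileged tier if any single listed permission is granted, which is the case most likely to be missed in a manual review.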

MFA Recommendations

There are many options for multi-factor authentication. You may already have a firm-wide approach that includes authenticator apps provided by Salesforce or third parties, physical keys, or authenticators built into your device’s operating system, such as Touch ID.

At this time, we highly recommend the Salesforce Authenticator App. The Salesforce Authenticator App is available for Android and iOS devices and offers the following benefits:

  • End users can click Approve on the push notification instead of typing in the rotating code, reducing friction during client meetings and time-sensitive workflows.
  • We believe this app is most likely to stay aligned and compatible with future authentication changes to the Salesforce platform.

Please note: Users are not required to use the Salesforce Authenticator app. Furthermore, not all users in your organization must use the same authenticator app. Authenticator requirements are left up to your firm’s discretion based on your security policies and compliance needs.

Enabling MFA in Your Practifi Organization

To enable MFA in your organization, Practifi Administrators can add the MFA Permission Set (Practifi - Login - Enforce two-factor authentication) to each user. For assistance with managing permission sets, please review our Adding and Removing User Permissions article.

This Salesforce Help article will guide you through the steps to enable multi-factor authentication (MFA) in your Practifi organization.

If you need assistance, contact us via the Practifi Success Portal, and our team will guide you through the implementation process to ensure a smooth rollout across your organization.

Handling Lost or Replaced Devices

If a user loses the device they use for MFA or gets a new device, it is recommended that they disconnect the previous verification method and then re-register. This ensures uninterrupted access to client information and firm systems.

Please refer to the Salesforce documentation on disconnecting and registering verification methods for step-by-step instructions.