Salesforce MFA backup
CTA (Call to Action)
- Set up a 2nd method to authenticate your Salesforce login.
- Set up a 2nd admin user account for yourself.
Background
Is it important to have 2 multi-factor options? Yes. I was lucky.
We changed our domain name, and the instructions suggested having a 2nd MFA option. I didn't think much of it, but I do have users that use something other than Salesforce Authenticator. I thought it was a good opportunity to see how it works, so I set up Microsoft's Authenticator as a backup to the Salesforce Authenticator.
My iPhone has 2 copies of the Salesforce Authenticator, and I thought I'd removed one. When I did, both copies disappeared. I went to add it back, and all the accounts are gone. As an admin, I had several, and I'll need some help getting back into all my environments. I am lucky that production has a backup, a second method. I was able to use Microsoft's Authenticator and get into production. My co-worker is on vacation this week. This could have been embarrassing.
Update: I was experimenting and added a permission set to my username without investigating the permission set's contents. I just assumed from the name. The permission set contained 'API Only', and I was locked out. This is why I would add a second admin username for myself, especially if I was a solo admin.
Two is one, and one is none. :)
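To check the first CTA item across a whole org, here is an added example (not part of the original post) that flags users with fewer than two registered verification methods. It assumes a CSV export of the TwoFactorMethodsInfo object with the columns shown; the user IDs and rows are constructed sample data.

```python
import csv
import io

# Constructed sample: CSV export of a query such as
#   SELECT UserId, HasSalesforceAuthenticator, HasTotp, HasU2F,
#          HasBuiltInAuthenticator FROM TwoFactorMethodsInfo
# The user IDs below are made up for illustration.
SAMPLE_EXPORT = """UserId,HasSalesforceAuthenticator,HasTotp,HasU2F,HasBuiltInAuthenticator
005000000000001AAA,true,true,false,false
005000000000002AAA,true,false,false,false
005000000000003AAA,false,false,false,false
005000000000004AAA,false,true,true,false
"""

# Export column -> readable method name (assumed column set for this example).
METHOD_COLUMNS = {
    "HasSalesforceAuthenticator": "Salesforce Authenticator",
    "HasTotp": "TOTP authenticator app",
    "HasU2F": "Security key",
    "HasBuiltInAuthenticator": "Built-in authenticator",
}


def registered_methods(row):
    """Return the names of the methods a user has registered.

    A missing or empty column counts as 'not registered'.
    """
    return [
        name
        for column, name in METHOD_COLUMNS.items()
        if (row.get(column) or "").strip().lower() == "true"
    ]


def audit(export_text, minimum=2):
    """Return (UserId, methods) for every user below the minimum count."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        methods = registered_methods(row)
        if len(methods) < minimum:
            findings.append((row["UserId"], methods))
    return findings


if __name__ == "__main__":
    for user_id, methods in audit(SAMPLE_EXPORT):
        print(f"{user_id}: {len(methods)} method(s): {', '.join(methods) or 'none'}")
```

Users listed with exactly one method are in the situation described above: losing that one app or device locks them out until another admin helps.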
How to add back Salesforce MFA?

- Get logged in with your backup method.
- Disconnect the old Salesforce MFA connection. This is in your user details in Salesforce. The phone is waiting to "Add an Account". Warning: be careful to click disconnect from Salesforce Authenticator.
- Log out, so you can attempt to log in again and trigger the chance to add Salesforce Authenticator. You can't add one if one is already in place. That's why you had to disconnect in step 2. Same idea if you get a new phone.
- When I logged out and back in, the Salesforce page just asked for a code from an app. I assume web browser cookies are telling Salesforce how I logged in last time. I closed the page. I'm trying again.
- Didn't help. I'm going to try incognito.
- I guess I was wrong. Even with Incognito mode, I am forced to enter a code from the backup authenticator app.
- Step 3 wasn't the right approach. I'm clicking on "connect" Salesforce Authenticator link in user details.
- I was forced to authenticate with a code from the 2nd method again.
- FYI, Microsoft Authenticator didn't automatically refresh the code when I had clicked on the account. I had to back out and then it worked.
- Once I verified with the backup method, I was allowed to enter the two-word phrase from the phone app, Salesforce Authenticator.