
























Salesforce is making one thing clear: traditional authentication methods are no longer enough.
Beginning June 22, 2026, Salesforce is raising the security bar for employee logins by enforcing multi-factor authentication (MFA) in sandbox environments, followed by a phased rollout to production environments on July 1. For privileged users – including System Administrators and other users with elevated permissions – Salesforce will require phishing-resistant MFA methods such as security keys like the YubiKey and built-in authenticators that leverage FIDO2 and WebAuthn standards.
This is more than a routine security update. It reflects a broader industry shift: phishing-resistant authentication is becoming the standard for protecting privileged accounts and high-risk actions. It also underscores a larger trend toward stronger identity verification as organizations face increasingly sophisticated cyber threats, many which are accelerated by AI.
AI is making phishing attacks faster, more convincing, and easier to scale. Highly sophisticated social engineering campaigns can now trick even the careful users and bypass passwords and legacy MFA. Identity has become the primary attack surface for modern cybercriminals, with 86% of phishing attacks now being AI-driven.
Strong, phishing-resistant security is no longer a luxury reserved for a handful of specialized roles; every user logging into an enterprise system holds a piece of the attack surface.
Through this move, Salesforce is differentiating between traditional MFA, such as SMS codes, TOTP apps and push notifications – which are vulnerable to phishing, social engineering, or account recovery attacks – and phishing-resistant MFA. Hardware-backed security keys, like the YubiKey, offer stronger defense because they rely on cryptographic proof rather than shared secrets or one-time codes.
Phishing-resistant authentication is fundamentally different from legacy MFA. The private key stays on the physical device, and there is no software path for an attacker to extract or phish it remotely. The authentication process verifies both the user and the legitimate website before access occurs, which significantly reduces the risk of credential theft and account takeover.
Salesforce explicitly recognizes security keys and built-in authenticators as phishing-resistant methods for privileged users. Traditional authenticator applications do not meet these requirements for administrators and other high-privilege accounts.
As enforcement dates approach, organizations should begin preparing now to avoid disruptions. Recommended actions include:
Enabling your YubiKey on Salesforce accounts is quick and straightforward. Before you begin, ensure you have your physical YubiKey ready, then follow these steps:
As an industry best practice, register a secondary backup YubiKey and store it in a secure location to reduce the risk of account lockout.
For many organizations, Salesforce will be one of the first systems where phishing-resistant authentication becomes mandatory, but it likely won’t be the last. Organizations that act now will meet compliance requirements and be better positioned to protect their users, data, and business operations against the next generation of cyber threats.
Don’t wait for the July 1 deadline. Equip administrators and power users with the gold standard of phishing-resistant protection today.
——
For more information on integrating YubiKeys into Salesforce accounts, visit here. To learn more about how YubiKeys can secure your cross-platform enterprise environment, contact our team.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。