惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Schneier on Security
Schneier on Security
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
Attack and Defense Labs
Attack and Defense Labs
H
Hacker News: Front Page
Google DeepMind News
Google DeepMind News
雷峰网
雷峰网
C
CXSECURITY Database RSS Feed - CXSecurity.com
Cisco Talos Blog
Cisco Talos Blog
T
Tenable Blog
G
Google Developers Blog
A
About on SuperTechFans
The Cloudflare Blog
S
Securelist
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
C
Cisco Blogs
H
Hackread – Cybersecurity News, Data Breaches, AI and More
aimingoo的专栏
aimingoo的专栏
云风的 BLOG
云风的 BLOG
Forbes - Security
Forbes - Security
腾讯CDC
Application and Cybersecurity Blog
Application and Cybersecurity Blog
V
Vulnerabilities – Threatpost
IT之家
IT之家
博客园_首页
P
Proofpoint News Feed
P
Privacy & Cybersecurity Law Blog
C
Cyber Attacks, Cyber Crime and Cyber Security
Project Zero
Project Zero
月光博客
月光博客
NISL@THU
NISL@THU
爱范儿
爱范儿
S
Secure Thoughts
K
Kaspersky official blog
Security Latest
Security Latest
T
Tailwind CSS Blog
博客园 - Franky
D
Darknet – Hacking Tools, Hacker News & Cyber Security
TaoSecurity Blog
TaoSecurity Blog
The GitHub Blog
The GitHub Blog
Microsoft Azure Blog
Microsoft Azure Blog
B
Blog RSS Feed
S
SegmentFault 最新的问题
H
Help Net Security
T
Tor Project blog
L
LINUX DO - 热门话题
S
Security @ Cisco Blogs
N
News and Events Feed by Topic
O
OpenAI News
S
Schneier on Security

The Duo Blog

Identity orchestration & cloud-native IAM: Time to rethink | Cisco Duo Active Directory security: how to stop modern threats | Cisco Duo Duo + PlainID: Dynamic Authorization Meets Enterprise Identity | Cisco Duo Continuous identity security explained | Cisco Duo The modern MFA toolkit: push, biometrics, and security keys | Cisco Duo Cisco Duo Identity Summit Preview | Cisco Duo Duo Brings Identity and Authorization Across AI Agent Gateways | Cisco Duo Passwordless for Microsoft 365 starts with federation Custom Admin Roles: Granular control for every Duo admin Token theft, vendor abuse, and the new identity threat surface How Duo Directory automates user lifecycle management Cisco Systems Named a Customers’ Choice in Gartner Peer Insights™ 2026 Voice of the Customer for Access Management Identity provider resilience: backup and split IdP approaches | Cisco Duo Agentic AI Security: Three Threats Your Team Should Know | Cisco Duo Secure client access at scale with Duo and Meraki | Cisco Duo IdP Concentration Risk: Why Single-IdP Dependency Puts You at Risk | Cisco Duo Endpoint Management as an Attack Vector: Lessons from Stryker | Cisco Duo Passwordless authentication without cookies: Duo Push updates Introducing Duo Agentic Identity Solving the double prompt: Better UX with AMR in Duo SSO Simplify compliance with MFA, device trust, and policies Cisco Systems Named a Customers’ Choice in Gartner® Peer Insights™ 2026 Voice of the Customer for User Authentication Why identity-led security matters for MSPs right now The Hitchhiker’s Guide to Shibboleth Launching Active Directory Defense: Strengthen On-Prem AD Security | Duo Security Industry specific IAM for MSPs Duo delivers: 99.99% uptime SLA for every customer Cisco Secures 125K user identities with Duo while advancing passwordless journey NIST AAL2/3 compliance with Duo Mobile Proximity Verification From protocol to practice: Secure the AI agent ecosystem with Duo How to secure the holidays & prep your 2026 IAM strategy Simplify MSP technician authentication with Duo Delegated Access Standing out in a crowded MSP market Securing for third-party risk with Duo for identity management Thwarting adversary-in-the-middle attacks with Proximity Verification OAuth 2.0's next chapter: Enabling the AI security revolution The dawn of a simpler, helpful policy experience
Salesforce
Lei Hung, Ryan Crowe · 2026-07-02 · via The Duo Blog

Industry News

Phishing-resistant MFA for Salesforce

Headshot of Lei Hung, Product Manager Headshot of Ryan Crowe

4 minute read

Set the stage

For years, multi-factor authentication has been the baseline for protecting accounts, but not all MFA is created equal. Attackers have grown adept at phishing their way past weaker methods like SMS, phone calls or one-time passcodes, tricking users into handing over the very factors meant to keep them safe. In response, Duo continues to invest in phishing resistant authentication like passkeys and Duo Mobile Proximity Verification to make sure our customers are able to widely adopt these methods and better protect your organizations.

Phishing-resistant authentication is moving from a best practice to a hard requirement for many, starting with the accounts that matter most: your administrators and privileged users.

What's going on

Salesforce is now one of those platforms. Beginning July 20, 2026 Salesforce requires phishing-resistant MFA for all privileged users in production, including anyone with the System Administrator profile or permissions like Modify All Data, View All Data, Customize Application, or Author Apex. This applies whether those users log in directly to Salesforce or through a single sign-on (SSO) provider.

Note: Duo’s Microsoft integration using Azure Conditional Access Custom Control does not provide Authentication Method Reference (AMR) signals required during authentication by design. Please make sure to migrate your privileged users to the new Duo Entra ID External MFA integration or Duo SSO for Salesforce as soon as possible to avoid user lockout.

In practice, this means the methods many admins rely on may no longer get them in the door. Legacy factors like SMS passcodes, phone callbacks, and one-time passcodes don't meet the bar for phishing resistance, and users relying on them will be prompted to enroll a stronger method. For organizations logging in through an identity provider, Salesforce doesn't dictate the specific tool. Instead, it looks for a signal from the IdP confirming that a phishing-resistant authentication took place. The takeaway for admins is simple: the era of "any MFA will do" is over, and it's time to make sure your privileged users are authenticating with phishing-resistant methods.

What this means (how Duo can help)

The good news: meeting Salesforce's bar doesn't require ripping out everything. Duo offers two phishing-resistant options that you can roll out side by side, depending on what fits your users.

Passkeys (platform and roaming authenticator) are the industry standard for phishing-resistant authentication, built on the open FIDO2/WebAuthn specification. What makes them phishing-resistant is simple: a passkey registered for Salesforce only works for Salesforce. If a user lands on a malicious login page, the passkey just won’t work there.

Duo Mobile Proximity Verification is our proprietary solution on phishing-resistant authentication, designed for organizations that heavily depend on Duo Mobile, and love the user experience! With Duo Desktop doing origin binding and Bluetooth handshake between the Duo Desktop and Duo Mobile confirming the user has access to both devices, Duo Mobile Proximity Verification protects users from common phishing attacks such as social engineering and attacker-in-the-middle style attacks.

Both methods are governed through Duo's authentication methods policy, so enabling phishing-resistant auth for your Salesforce admins is a group policy change, not a project. Scope it to your privileged-access group, set the allowed factors, and the policy does the rest. Users keep the Duo experience they already trust; you get a clean signal back to Salesforce that a phishing-resistant authentication took place without disrupting your admins' workflow.

Conclusion

The July 20, 2026 deadline is a forcing function, but it doesn't have to be a fire drill. Salesforce is asking for a stronger signal at the front door for your most sensitive users, and Duo is built to deliver exactly that signal, without massive undertaking.

Whether your organization standardizes on passkeys, leans on Duo Mobile Proximity Verification, or deploys both across different user populations, Duo gives you the policy controls to roll out phishing-resistant MFA at the pace your business can absorb. Group-based policies mean you can start with your System Administrators and expand coverage to other privileged roles over time - all from the same Duo Admin Panel your team already operates in.

This is the partnership we want to be for our customers: helping you stay ahead of mandates like Salesforce's while protecting the user experience that keeps adoption high and helpdesk tickets low. Phishing resistance shouldn't come at the cost of usability, and with Duo, it doesn't have to.

Experience Duo's seamless authentication with a quick interactive Proximity Verification product tour, or get started adding phishing resistance with a 30-day free trial.