惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

F
Fortinet All Blogs
W
WeLiveSecurity
Cyberwarzone
Cyberwarzone
H
Help Net Security
Spread Privacy
Spread Privacy
Jina AI
Jina AI
G
GRAHAM CLULEY
Project Zero
Project Zero
aimingoo的专栏
aimingoo的专栏
P
Palo Alto Networks Blog
云风的 BLOG
云风的 BLOG
B
Blog RSS Feed
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
A
Arctic Wolf
L
LangChain Blog
T
The Blog of Author Tim Ferriss
MongoDB | Blog
MongoDB | Blog
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
人人都是产品经理
人人都是产品经理
罗磊的独立博客
量子位
Microsoft Security Blog
Microsoft Security Blog
The Register - Security
The Register - Security
B
Blog
Microsoft Azure Blog
Microsoft Azure Blog
G
Google Developers Blog
小众软件
小众软件
Vercel News
Vercel News
V
Visual Studio Blog
IT之家
IT之家
C
Cisco Blogs
博客园 - 聂微东
Cisco Talos Blog
Cisco Talos Blog
Help Net Security
Help Net Security
S
Schneier on Security
PCI Perspectives
PCI Perspectives
C
Check Point Blog
V
Vulnerabilities – Threatpost
J
Java Code Geeks
Hugging Face - Blog
Hugging Face - Blog
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
GbyAI
GbyAI
N
News and Events Feed by Topic
AWS News Blog
AWS News Blog
L
LINUX DO - 热门话题
SecWiki News
SecWiki News
D
Darknet – Hacking Tools, Hacker News & Cyber Security
T
Tenable Blog
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
Recorded Future
Recorded Future

The Duo Blog

Identity orchestration & cloud-native IAM: Time to rethink | Cisco Duo Active Directory security: how to stop modern threats | Cisco Duo Duo + PlainID: Dynamic Authorization Meets Enterprise Identity | Cisco Duo Continuous identity security explained | Cisco Duo The modern MFA toolkit: push, biometrics, and security keys | Cisco Duo Cisco Duo Identity Summit Preview | Cisco Duo Duo Brings Identity and Authorization Across AI Agent Gateways | Cisco Duo Passwordless for Microsoft 365 starts with federation Custom Admin Roles: Granular control for every Duo admin Token theft, vendor abuse, and the new identity threat surface How Duo Directory automates user lifecycle management Cisco Systems Named a Customers’ Choice in Gartner Peer Insights™ 2026 Voice of the Customer for Access Management Identity provider resilience: backup and split IdP approaches | Cisco Duo Agentic AI Security: Three Threats Your Team Should Know | Cisco Duo Secure client access at scale with Duo and Meraki | Cisco Duo IdP Concentration Risk: Why Single-IdP Dependency Puts You at Risk | Cisco Duo Endpoint Management as an Attack Vector: Lessons from Stryker | Cisco Duo Passwordless authentication without cookies: Duo Push updates Introducing Duo Agentic Identity Solving the double prompt: Better UX with AMR in Duo SSO Simplify compliance with MFA, device trust, and policies Cisco Systems Named a Customers’ Choice in Gartner® Peer Insights™ 2026 Voice of the Customer for User Authentication Why identity-led security matters for MSPs right now The Hitchhiker’s Guide to Shibboleth Launching Active Directory Defense: Strengthen On-Prem AD Security | Duo Security Industry specific IAM for MSPs Duo delivers: 99.99% uptime SLA for every customer
Salesforce
Lei Hung, Ryan Crowe · 2026-07-02 · via The Duo Blog

Industry News

Phishing-resistant MFA for Salesforce

Headshot of Lei Hung, Product Manager Headshot of Ryan Crowe

4 minute read

Set the stage

For years, multi-factor authentication has been the baseline for protecting accounts, but not all MFA is created equal. Attackers have grown adept at phishing their way past weaker methods like SMS, phone calls or one-time passcodes, tricking users into handing over the very factors meant to keep them safe. In response, Duo continues to invest in phishing resistant authentication like passkeys and Duo Mobile Proximity Verification to make sure our customers are able to widely adopt these methods and better protect your organizations.

Phishing-resistant authentication is moving from a best practice to a hard requirement for many, starting with the accounts that matter most: your administrators and privileged users.

What's going on

Salesforce is now one of those platforms. Beginning July 20, 2026 Salesforce requires phishing-resistant MFA for all privileged users in production, including anyone with the System Administrator profile or permissions like Modify All Data, View All Data, Customize Application, or Author Apex. This applies whether those users log in directly to Salesforce or through a single sign-on (SSO) provider.

Note: Duo’s Microsoft integration using Azure Conditional Access Custom Control does not provide Authentication Method Reference (AMR) signals required during authentication by design. Please make sure to migrate your privileged users to the new Duo Entra ID External MFA integration or Duo SSO for Salesforce as soon as possible to avoid user lockout.

In practice, this means the methods many admins rely on may no longer get them in the door. Legacy factors like SMS passcodes, phone callbacks, and one-time passcodes don't meet the bar for phishing resistance, and users relying on them will be prompted to enroll a stronger method. For organizations logging in through an identity provider, Salesforce doesn't dictate the specific tool. Instead, it looks for a signal from the IdP confirming that a phishing-resistant authentication took place. The takeaway for admins is simple: the era of "any MFA will do" is over, and it's time to make sure your privileged users are authenticating with phishing-resistant methods.

What this means (how Duo can help)

The good news: meeting Salesforce's bar doesn't require ripping out everything. Duo offers two phishing-resistant options that you can roll out side by side, depending on what fits your users.

Passkeys (platform and roaming authenticator) are the industry standard for phishing-resistant authentication, built on the open FIDO2/WebAuthn specification. What makes them phishing-resistant is simple: a passkey registered for Salesforce only works for Salesforce. If a user lands on a malicious login page, the passkey just won’t work there.

Duo Mobile Proximity Verification is our proprietary solution on phishing-resistant authentication, designed for organizations that heavily depend on Duo Mobile, and love the user experience! With Duo Desktop doing origin binding and Bluetooth handshake between the Duo Desktop and Duo Mobile confirming the user has access to both devices, Duo Mobile Proximity Verification protects users from common phishing attacks such as social engineering and attacker-in-the-middle style attacks.

Both methods are governed through Duo's authentication methods policy, so enabling phishing-resistant auth for your Salesforce admins is a group policy change, not a project. Scope it to your privileged-access group, set the allowed factors, and the policy does the rest. Users keep the Duo experience they already trust; you get a clean signal back to Salesforce that a phishing-resistant authentication took place without disrupting your admins' workflow.

Conclusion

The July 20, 2026 deadline is a forcing function, but it doesn't have to be a fire drill. Salesforce is asking for a stronger signal at the front door for your most sensitive users, and Duo is built to deliver exactly that signal, without massive undertaking.

Whether your organization standardizes on passkeys, leans on Duo Mobile Proximity Verification, or deploys both across different user populations, Duo gives you the policy controls to roll out phishing-resistant MFA at the pace your business can absorb. Group-based policies mean you can start with your System Administrators and expand coverage to other privileged roles over time - all from the same Duo Admin Panel your team already operates in.

This is the partnership we want to be for our customers: helping you stay ahead of mandates like Salesforce's while protecting the user experience that keeps adoption high and helpdesk tickets low. Phishing resistance shouldn't come at the cost of usability, and with Duo, it doesn't have to.

Experience Duo's seamless authentication with a quick interactive Proximity Verification product tour, or get started adding phishing resistance with a 30-day free trial.