Salesforce Authenticator: Complete Setup Guide | SalesforceTutorial

Written by Prasanth Kumar

Salesforce Authenticator is a mobile app that provides two-factor authentication (2FA) for Salesforce logins. This security layer requires both your username/password and mobile device approval, preventing unauthorized access even if credentials are compromised. For Salesforce admins managing enterprise security and users protecting their accounts, Authenticator is essential for meeting modern security requirements.

Salesforce Authenticator integrates with Salesforce’s Identity Verification framework, supporting push notifications, location-based verification, and offline time-based one-time passwords (TOTP). The app works across all Salesforce clouds including Sales Cloud, Service Cloud, and custom applications built on the Salesforce platform.

Key Features of Salesforce Authenticator

Salesforce Authenticator provides several authentication methods designed for enterprise security:

  • Push Notifications: Real-time login approval requests sent directly to your mobile device with contextual information about the login attempt.
  • One-Tap Approval: Streamlined approval process that reduces login friction while maintaining security standards.
  • Location-Based Authentication: GPS-based verification that flags unusual login locations and provides geographic context for security decisions.
  • Offline TOTP Support: Time-based one-time passwords that work without internet connectivity, ensuring access during network outages.
  • Account Linking: Support for multiple Salesforce orgs and external applications using the same authenticator app.

How to Download Salesforce Authenticator

Setting up Salesforce Authenticator requires downloading the mobile app and configuring it within your Salesforce org. This process involves both user-side setup and admin configuration for enterprise deployments.

Step 1: Download the Mobile App

Salesforce Authenticator is available for iOS and Android devices through official app stores.

The app requires iOS 12.0+ or Android 6.0+ and approximately 50MB of storage space. Enterprise mobile device management (MDM) solutions can deploy the app automatically across managed devices.

Step 2: Install and Initialize the App

After downloading, install the app and complete the initial setup:

  1. Open Salesforce Authenticator on your mobile device
  2. Accept the terms of service and privacy policy
  3. Grant necessary permissions for push notifications and location services (optional)
  4. Set up device security (PIN, biometric, or pattern lock) if not already configured

Step 3: Configure Salesforce Authenticator in Your Org

Configuration requires Setup access in your Salesforce org. Follow these steps to enable Authenticator:

  1. Access Setup: Log in to Salesforce and click the gear icon, then select Setup
  2. Navigate to Identity Settings: In Quick Find, search for “Identity Verification” and select Identity Verification Settings
  3. Enable Two-Factor Authentication: Check the box for “Require identity verification during multi-factor authentication registration”
  4. Configure Authenticator Method: Under “Multi-Factor Authentication”, enable “Salesforce Authenticator” as an available method
  5. Set Verification Policies: Configure when 2FA is required (login, API access, report exports, etc.)

Step 4: Connect Your Account to Salesforce Authenticator

Individual users must link their accounts to the mobile app:

  1. Access Personal Settings: Click your profile picture and select Settings
  2. Find Authentication Apps: Navigate to Advanced User Details > Multi-Factor Authentication
  3. Add Authenticator: Click “Connect” next to Salesforce Authenticator
  4. Scan QR Code: Open the mobile app, tap “Add Account”, and scan the displayed QR code
  5. Verify Connection: Complete the test verification to confirm the setup

Using Salesforce Authenticator for Login

Once configured, Salesforce Authenticator activates during login attempts that trigger 2FA requirements:

  1. Enter Credentials: Log in with your username and password as normal
  2. Receive Push Notification: The mobile app displays a login approval request with session details
  3. Review Login Context: Check the location, device type, and timestamp before approving
  4. Approve or Deny: Tap “Approve” to grant access or “Deny” to block the attempt

Salesforce Authenticator Security Best Practices

For Salesforce admins implementing organization-wide security policies, consider these configuration recommendations:

Admin Configuration Best Practices

  • Mandatory 2FA: Require multi-factor authentication for all users, especially those with elevated privileges
  • Session Management: Configure appropriate session timeout values and restrict concurrent sessions
  • Network Access: Combine Authenticator with IP restrictions and trusted network policies
  • Backup Methods: Enable backup authentication methods (backup codes, hardware tokens) for device loss scenarios
  • Audit Trail: Monitor authentication logs through Setup > Login History and Event Monitoring

User Security Guidelines

  • Device Security: Enable device lock screens and biometric authentication where available
  • App Updates: Keep the Authenticator app updated to receive security patches
  • Suspicious Activity: Report unexpected authentication requests to your Salesforce administrator
  • Backup Preparation: Save backup verification codes in a secure location separate from your mobile device

Troubleshooting Common Salesforce Authenticator Issues

Common issues and their resolutions for both users and administrators:

Push Notifications Not Received

  • Verify push notification permissions are enabled for the Authenticator app
  • Check network connectivity and firewall settings
  • Restart the mobile app and attempt login again
  • Use backup verification codes if push notifications remain unavailable

QR Code Scanning Problems

  • Ensure adequate lighting and camera permissions
  • Clean the camera lens and hold the device steady
  • Try manual account setup using the provided activation code
  • Verify the QR code hasn’t expired (codes time out after 10 minutes)

Account Synchronization Issues

  • Check that device time and timezone are correctly configured
  • Remove and re-add the account in the Authenticator app
  • Verify the Salesforce org allows the authentication method
  • Contact your administrator if organizational policies block the connection

Integration with Salesforce Security Features

Salesforce Authenticator works alongside other platform security capabilities:

  • Single Sign-On (SSO): Compatible with SAML-based SSO solutions for federated authentication
  • Login IP Ranges: Combines with network-based access controls for layered security
  • Platform Encryption: Protects data at rest while Authenticator secures access
  • Shield Platform Encryption: Enterprise-grade encryption that works with 2FA requirements
  • Event Monitoring: Provides detailed logs of authentication events for compliance and security analysis

Frequently Asked Questions

What happens if I lose my phone with Salesforce Authenticator?

Contact your Salesforce administrator immediately to disable 2FA on your account. Use backup verification codes if you saved them during setup. Administrators can temporarily disable multi-factor authentication requirements through Setup > Users > [Your User Record] > Reset Multi-Factor Authentication.

Can Salesforce Authenticator work offline?

Yes, Salesforce Authenticator supports offline TOTP (Time-based One-Time Password) generation. When push notifications aren’t available, tap “Use Verification Code” during login and enter the 6-digit code displayed in the app. The app generates codes based on device time, so ensure your phone’s clock is accurate.
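
The clock dependence described here and under Account Synchronization Issues, as an added example (not Salesforce's code): a standard RFC 6238 TOTP generator and verifier that shows how far a phone's clock can drift before its offline code is rejected. The 30-second step, HMAC-SHA1, the acceptance window of one step either side, and the helper names are assumptions; the secret and timestamp are the RFC's published test values.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per code: RFC 6238 default, assumed here
DIGITS = 6   # the page describes a 6-digit code

def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 code (HMAC-SHA1) for the 30-second step containing unix_time."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # RFC 4226 dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def verify(secret: bytes, code: str, server_time: int, window: int = 1) -> bool:
    """Server side: accept a code from `window` steps either side of server time.
    The window size is an assumption; the page does not state the tolerance."""
    return any(
        hmac.compare_digest(totp(secret, server_time + k * STEP), code)
        for k in range(-window, window + 1)
    )

def login_with_skew(secret: bytes, server_time: int, skew: int, window: int = 1) -> bool:
    """Phone clock is `skew` seconds off; does its offline code still verify?"""
    return verify(secret, totp(secret, server_time + skew), server_time, window)

# Constructed inputs: the RFC 6238 test secret and one of its test timestamps.
SECRET = b"12345678901234567890"
NOW = 1111111109  # 29 s into a step, so +1 s already crosses into the next one

if __name__ == "__main__":
    for skew in (0, 1, 20, 45, -45, 300):
        ok = login_with_skew(SECRET, NOW, skew)
        print(f"phone clock {skew:+4d} s -> code {totp(SECRET, NOW + skew)} "
              f"{'accepted' if ok else 'rejected'}")
```

A wider window tolerates more drift but also lengthens the time an observed code stays usable, which is why correcting the device clock is preferable to loosening the verifier.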

How do I set up Salesforce Authenticator for multiple orgs?

The Authenticator app supports multiple Salesforce accounts. For each additional org, repeat the account linking process: access that org’s Identity Verification settings, generate a new QR code, and scan it with the mobile app. Each org appears as a separate account in the app with distinct approval workflows.

Is Salesforce Authenticator required for API access?

API access 2FA requirements depend on your org’s multi-factor authentication policies. Administrators can configure whether API calls, report exports, and data access require additional verification. Connected apps and OAuth flows may trigger Authenticator approval based on these settings.

What’s the difference between Salesforce Authenticator and other 2FA apps?

Salesforce Authenticator provides push notifications with contextual information (location, device type, login time) that generic TOTP apps cannot offer. It also integrates directly with Salesforce’s identity verification framework and supports offline code generation as a backup method.