Use this link to share with your colleagues:
Multi-Factor Authentication (MFA) for Admins: https://help.patronmanager.com/a/2085010
PatronManager houses all of your data in one place, and it's important for admins to have the permissions they need to manage your data effectively. But with great power comes great responsibility, and to protect your data Salesforce requires all admins to use a phishing-resistant MFA method beginning July 1, 2026.
In this article, we'll go through:
- What MFA is and how it works
- What methods of MFA are phishing-resistant
- Who's considered an admin
- What you need to do by July 1
And at the end we'll look at some Frequently Asked Questions (FAQs).
What's MFA?
Multi-Factor Authentication adds another layer of security to your login process by requiring users to enter two or more pieces of evidence — or factors — to prove they’re who they say they are. One factor is something the user knows, such as their username and password. Other factors are verification methods that the user has in their possession, such as a physical security key that plugs into a computer or a fingerprint to verify the user's identity.
By tying user access to multiple different types of authentication factors, it’s much harder for a bad actor to access your PatronManager account. For example, even if a user’s password is stolen, the odds are very low that an attacker will also have their physical security key or their fingerprint for identification.
Beginning July 1, 2026, Salesforce is enforcing stricter security measures for admin users, because those users are able to make system-level edits and view sensitive data in your account.
This change means that MFA methods like the Salesforce Authenticator app or third-party apps like Google Authenticator are no longer sufficient for admins. Admin users must now use Salesforce-approved phishing-resistant MFA methods.
What MFA methods are phishing-resistant for admins?
Salesforce identifies three different MFA methods as phishing-resistant:
- Physical security keys (like Yubikey or Google Titan Key)
- Physical recognition or biometrics (like Apple Touch ID, Apple Face ID, or Windows Hello)
- Passkeys managed through a password manager or cloud keychain that is FIDO2/WebAuthn-compliant (e.g. 1Password, Bitwarden, iCloud Keychain, Google Password Manager).
We recommend that admins set up 2 different phishing-resistant MFA methods to ensure that they don't get locked out.
Who are our admin users?
For the purposes of phishing-resistant MFA, Salesforce considers a user with any of the following an admin:
- The System Administrator Profile
- A Profile or Permission Set that provides permission to:
- Modify All Data
- View All Data
- Customize Application
- Author Apex
None of PatronManager's standard Permission Sets grants the admin-level permissions outlined by Salesforce.
In other words, PatronManager Permission Sets alone do NOT classify someone as an admin for the purposes of phishing-resistant MFA.
For example, take Riley. Riley works at Super Awesome Arts and their User has the System Administrator Profile. Riley will be required to use phishing-resistant MFA, like a physical security key or biometric recognition.
Cam also works at Super Awesome Arts. Their User has the Box Office Manager Profile plus standard PatronManager permission sets, which does not give them any of the permissions Salesforce identifies as admin-level. Cam does not need to use phishing-resistant MFA and can use a standard MFA method, like an authenticator app.
Kit works at Super Awesome Arts too. Kit's User uses a custom Profile that includes the "View All Data" System Permission as part of the Profile. Kit will also be required to use phishing-resistant MFA like Riley.
Please note that Salesforce's definition of an admin may not match up with who you consider a PatronManager admin!
What do I need to do for admin users by July 1, 2026?
To avoid disruption, you need to ensure that your admins are set up with Salesforce-approved phishing-resistant MFA methods before Salesforce rolls out this security change. Don't worry, we'll walk you through the steps below.
If you do not complete these steps, admin users will be unable to log in without setting up an approved phishing-resistant MFA method when Salesforce enforces this requirement. That enforcement is slated to roll out beginning on July 1.
1. Figure out which users are admins
There are several different ways to do this, but the simplest way is to check the Profiles assigned to Users in your account.
Anyone with the System Administrator or System Admin Clone Profile is considered an admin.
If a User has a custom Profile and/or custom Permission Sets, check whether they have any of the following System Permissions:
- Modify All Data
- View All Data
- Customize Application
- Author Apex
Optionally, you can edit Users and change their Profile if they do not need these permissions or cannot use phishing-resistant MFA.
You must have at least one, and ideally two, System Administrators on your staff to manage user access and system requirements.
2. Enable phishing-resistant MFA methods
We recommend enabling all of the phishing-resistant MFA methods for your organization so that your admins have options available to them.
2.1. Go to Setup
2.2. Search for and select Identity Verification
2.3. Check the settings for phishing-resistant MFA methods
Make sure the following settings are checked:
- Let users verify their identity with a built-in authenticator such as Touch ID or Windows Hello
- Let users verify their identity with a physical security key (U2F or WebAuthn)
- Allow passwordless login with passkeys
2.4. Scroll down and Save
3. Have admin users set up their phishing-resistant MFA methods
How admins do this will depend on which MFA method(s) they choose to set up. We'll go through the three examples below.
Salesforce also has their own instructions available here.
| MFA Method | Best For | What You Need |
|---|---|---|
| Physical security key (like Yubikey or Google Titan Key) | One user who accesses PatronManager from multiple different computers and can keep a physical key with them, or multiple humans who share one PatronManager user login in the same location, who can also share one physical key. | The physical key itself (one per user) |
| Physical recognition or biometrics (like Apple Touch ID, Apple Face ID, or Windows Hello) | Easy access to PatronManager on a single device where the user has this authentication method set up. | Windows Hello (on PC) or Touch ID / Face ID (on Mac) must be fully set up and active on the user's device. |
| Passkeys managed through a password manager or cloud keychain that is FIDO2/WebAuthn-compliant | One user who accesses PatronManager from multiple different computers, or multiple humans who share one PatronManager user login, particularly if they log in from different locations. Easy to set up (especially if you use Chrome). | A compliant passkey manager such as 1Password, Bitwarden, iCloud Keychain, or Google Password Manager. |
You can set up more than one method per user. It's always good to have a "spare key" in case something goes wrong (a lost Yubikey, the computer with biometric ID crashes, etc.).
This requires having a physical recognition or biometric reader either built into your computer or connecting it to a reader (e.g. a fingerprint reader).
You can learn how to set up Windows Hello or Apple Touch ID directly from Windows and Apple.
3.1. Click your User's profile picture in PatronManager
3.2. Click Settings
3.3. Click Advanced User Details
3.4. Scroll down to "Built-in Authenticators" and click Add
3.5. You may be asked to verify your identity; make sure to do so and click Verify
3.6. Click Register
3.7. Select where your physical recognition or biometrics reader is and click Continue
In this case, it's on our Windows device, so we don't need to change it!
3.8. Your device will verify your physical recognition or biometrics
Basically, it'll ask for your fingerprint or ID your face!
3.9. Give your authentication method a name and Save
You'll know it succeeded when it's listed in the Built-In Authenticators!
This requires having a physical security key, like a Yubikey and Google Titan key.
Pro tip: if you plan to log in to more than one device, be sure to get a security key that is easy to remove and keep track of between workstations.
3.1. Click your User's profile picture in PatronManager
3.2. Click Settings
3.3. Click Advanced User Details
3.4. Scroll down to "Built-in Authenticators" and click Add
3.5. You may be asked to verify your identity; make sure to do so and click Verify
3.6. Click Register
While this mentions physical recognition or biometrics, you'll also be able to register a physical security key in the next step!
3.7. Click Change to change what kind of authenticator
3.8. Select Security key
3.9. Follow the prompts to insert the security key into the USB port of your device, enter a PIN to save, and touch the key if directed
3.10. Give your authentication method a name and Save
You'll know it succeeded when it's listed in the Built-In Authenticators!
This requires a password manager app that is FIDO2/WebAuthn-compliant, like 1Password and its browser extension.
3.1. Click your User's profile picture in PatronManager
3.2. Click Settings
3.3. Click Advanced User Details
3.4. Scroll down to "Built-in Authenticators" and click Add
3.5. You may be asked to verify your identity; make sure to do so and click Verify
3.6. Click Register
3.7. Your password manager's browser extension should open up, allowing you to Save passkey
3.8. Give your authentication method a name and Save
You'll know it succeeded when it's listed in the Built-In Authenticators!
Frequently Asked Questions (FAQs)
Salesforce is enforcing this change to better protect your user accounts that have the most access to your system. This will provide even better defense against identity-based threats.
Salesforce has more information on why they're making this change here.
While Salesforce requires all users to login using MFA, only admin users are required to use a phishing-resistant MFA method.
This is because your admin users have more permissions to make changes and view sensitive data in your account. If a bad actor were to gain access to one of these admin user accounts, they could do more damage to your organization than they could if they accessed a non-admin user account.
Salesforce has more information about this available here.
In our testing, we've found that the simplest phishing-resistant MFA to set up and use is a device's built-in authenticator, like Windows Hello or Apple Touch ID.
If you log into PatronManager on multiple different devices (i.e., a laptop and a desktop) and authenticate with physical recognition or biometrics, you may need to register multiple MFA methods (at least one per device).
If you need to access your PatronManager account from multiple different computers, you can either:
- Use a physical security key, such as Yubikey or Google Titan key
- Use a passkey stored in a FIDO2/WebAuthn-compliant password manager, such as 1Password
If an admin user doesn't set up a phishing-resistant MFA method by Salesforce's deadline, they'll be locked out.
Another System Administrator user will need to log in and generate a temporary verification code to allow the user to log in.
The admin user will need to set up a phishing-resistant MFA method after using the temporary code.
You can find information about setting up MFA for standard users here.
If you have enabled SAML (Single Sign-On (SSO)) or are considering doing so, Salesforce has additional requirements for the SAML integration to satisfy the phishing-resistant requirement. Refer to Salesforce's documentation for details. If your SSO integration does not meet the Salesforce requirements, admin users will also need to use a compliant phishing-resistant MFA method.