Skip navigation
Industry News

Phishing-resistant MFA for Salesforce

Set the stage

For years, multi-factor authentication has been the baseline for protecting accounts, but not all MFA is created equal. Attackers have grown adept at phishing their way past weaker methods like SMS, phone calls or one-time passcodes, tricking users into handing over the very factors meant to keep them safe. In response, Duo continues to invest in phishing resistant authentication like passkeys and Duo Mobile Proximity Verification to make sure our customers are able to widely adopt these methods and better protect your organizations.

Phishing-resistant authentication is moving from a best practice to a hard requirement for many, starting with the accounts that matter most: your administrators and privileged users.

What's going on

Salesforce is now one of those platforms. Beginning July 20, 2026 Salesforce requires phishing-resistant MFA for all privileged users in production, including anyone with the System Administrator profile or permissions like Modify All Data, View All Data, Customize Application, or Author Apex. This applies whether those users log in directly to Salesforce or through a single sign-on (SSO) provider.

Note: Duo’s Microsoft integration using Azure Conditional Access Custom Control does not provide Authentication Method Reference (AMR) signals required during authentication by design. Please make sure to migrate your privileged users to the new Duo Entra ID External MFA integration or Duo SSO for Salesforce as soon as possible to avoid user lockout.

In practice, this means the methods many admins rely on may no longer get them in the door. Legacy factors like SMS passcodes, phone callbacks, and one-time passcodes don't meet the bar for phishing resistance, and users relying on them will be prompted to enroll a stronger method. For organizations logging in through an identity provider, Salesforce doesn't dictate the specific tool. Instead, it looks for a signal from the IdP confirming that a phishing-resistant authentication took place. The takeaway for admins is simple: the era of "any MFA will do" is over, and it's time to make sure your privileged users are authenticating with phishing-resistant methods.

What this means (how Duo can help)

The good news: meeting Salesforce's bar doesn't require ripping out everything. Duo offers two phishing-resistant options that you can roll out side by side, depending on what fits your users.

Passkeys (platform and roaming authenticator) are the industry standard for phishing-resistant authentication, built on the open FIDO2/WebAuthn specification. What makes them phishing-resistant is simple: a passkey registered for Salesforce only works for Salesforce. If a user lands on a malicious login page, the passkey just won’t work there.

Duo Mobile Proximity Verification is our proprietary solution on phishing-resistant authentication, designed for organizations that heavily depend on Duo Mobile, and love the user experience! With Duo Desktop doing origin binding and Bluetooth handshake between the Duo Desktop and Duo Mobile confirming the user has access to both devices, Duo Mobile Proximity Verification protects users from common phishing attacks such as social engineering and attacker-in-the-middle style attacks.

Both methods are governed through Duo's authentication methods policy, so enabling phishing-resistant auth for your Salesforce admins is a group policy change, not a project. Scope it to your privileged-access group, set the allowed factors, and the policy does the rest. Users keep the Duo experience they already trust; you get a clean signal back to Salesforce that a phishing-resistant authentication took place without disrupting your admins' workflow.

Conclusion

The July 20, 2026 deadline is a forcing function, but it doesn't have to be a fire drill. Salesforce is asking for a stronger signal at the front door for your most sensitive users, and Duo is built to deliver exactly that signal, without massive undertaking.

Whether your organization standardizes on passkeys, leans on Duo Mobile Proximity Verification, or deploys both across different user populations, Duo gives you the policy controls to roll out phishing-resistant MFA at the pace your business can absorb. Group-based policies mean you can start with your System Administrators and expand coverage to other privileged roles over time - all from the same Duo Admin Panel your team already operates in.

This is the partnership we want to be for our customers: helping you stay ahead of mandates like Salesforce's while protecting the user experience that keeps adoption high and helpdesk tickets low. Phishing resistance shouldn't come at the cost of usability, and with Duo, it doesn't have to.

Experience Duo's seamless authentication with a quick interactive Proximity Verification product tour, or get started adding phishing resistance with a 30-day free trial.