How Salesforce Will Secure Your Org Against Hackers

Security and convenience are almost always inversely correlated. Making something more secure inherently makes it harder to access, which creates real friction for everyday users. This tension is nothing new. Hackers have always sought unauthorized access to systems, but historically, the barriers were high: computers were expensive and internet access was scarce. This is no longer true.

This battle front has always favored attackers. Security teams must successfully defend against every single intrusion attempt, while hackers only need to succeed once. A single breach can cause significant damage.

What’s changed is the scale and speed of attacks. AI has dramatically lowered the barrier to entry, enabling hackers to probe far more systems, far more frequently than ever before.

Recently, several Salesforce customers experienced significant system breaches involving their Salesforce instances, most notably those tied to the ShinyHunters cybercriminal group. What made these incidents particularly damaging was that the compromised accounts belonged to users with elevated access, including admins and developers. Salesforce denied responsibility and took limited action, largely confining its response to informing and educating the ecosystem about the risks of phishing and vishing attacks.

It seems like that is about to change. Big time.

Salesforce decided to enforce multiple security controls starting June-August 2026 to prevent credential theft, data exfiltration, and account takeovers. IP range restrictions originally planned are no longer being mandated, but MFA for all employee users, phishing-resistant MFA for admins, auto-containment for high-risk connections, and step-up authentication for reports will be enforced.

This means your life is about to get more difficult, especially if you have elevated access typically used by admins, developers and architects.

The New Security Direction by Salesforce

• MFA exemption permission restricted: The “Waive Multifactor Authentication for Exempt Users” permission will be removed except for justified cases (automation/testing users) requiring support approval. 
• New permission set required: “Modify Transaction Security Policy” permission set introduced. Users need both the new “Modify Transaction Security Policy” permission AND the existing “Customize Application” permission to manage TSPs. Users with only the Customize Application permission will be downgraded to read-only access for TSPs.
• IP range restriction enforcement removed: The requirement to use IP ranges on profiles and the “enforce login ranges on every request” setting will not be mandated, though strongly recommended for customers who can implement them.
• Staggered rollout approach: Enforcement timelines extended and staggered by instance to minimize customer disruption.

Security Controls Being Enforced

Auto-Containment Measures

High-risk IP blocking was expanded April 24th to include all connected app and API traffic from anonymizing VPNs, proxies, and high-risk IP addresses; users are contained automatically with admin notifications. Extended login anomaly containment applies to all internal user login behavior (excluding external/community users) and focuses on detecting suspicious login patterns. There is no allow-list override, meaning even allow-listed IP addresses will be contained if classified as high-risk at connection time. There are also AWS integration issues under active investigation, with some AWS IP addresses being incorrectly flagged and the issue currently being resolved.

MFA Requirements

All Employee Users: 

MFA is required for all employee license users, excluding Experience Cloud and external users. Enforcement is handled via locked settings, so admins cannot disable it. API-only logins are exempt, as the requirement applies exclusively to UI logins. For SSO, providers must pass AMR/ACR signals indicating strong or phishing-resistant MFA.

Timeline: Sandboxes June 22-29; Production July 20-August 17 

Admins and Privileged Users: 

Phishing-resistant MFA is required for users with elevated privileges, specifically those on the default Sys Admin profile or holding Modify All Data, View All Data, Customize Application, or Author Apex permissions. This standard is stricter than standard MFA, and mobile authenticator apps do not meet the threshold. Only security keys and built-in authenticators or passkeys qualify.

Timeline: Sandboxes June 22-29; Production July 1-27 

Email Domain Verification

DKIM or authorized email domain verification is required for all email sending domains (this was previously announced). Enforcement is being rolled out on a staggered timeline; check the timeline knowledge article for the latest dates. A tool is also available to verify compliance status.

Step-Up Authentication for Reports

Time-Based Session Policy:

• Additional authentication required when users spend considerable time on reports.
• Admins can configure the “Require step-up authentication within cool-down period” session-level policy to an exact cadence between 2 and 120 minutes (with 120 minutes being the default); logging in with MFA does not reset timer.
• Verification methods: Users can use any supported MFA method, including Passkeys, Security Keys, Salesforce Authenticator, and third-party TOTP apps. The email and SMS One-Time Password (OTP) options are specifically fallback challenges for Single Sign-On (SSO) users who do not have a Salesforce MFA method registered.
• Report access blocked if authentication fails (UI only, not API).
• Timeline: Available May 27 (sandbox/production); Enforced June 3 (sandbox), June 10-July 4 (production). 

Anomalous Behavior Detection: 

• ML-based detection triggers authentication when unusual report viewing/downloading behavior detected.
• Users must configure at least one verification method (authenticator app, phone, email) or report access blocked. 
• Timeline: Enforced June 22 (sandbox), July 13 (production). 

Transaction Security Policy Enhancements (Shield/Event Monitoring customers only): 

• Step-up authentication required when downloading >10,000 records from reports.
• Required for any create/update/delete/enable/disable operations on transaction security policies.
• Timeline: Available June 1 (sandbox), June 15 (production); Enforced June 22 (sandbox), July 13 (production). 

Additional Considerations

Mobile SDK Lockout Risk for Admins: Warning for admins using the Salesforce Mobile App or custom Mobile SDK apps. Mobile SDK version 13.2.0 and earlier does not support phishing-resistant MFA. Admins using these older versions will be blocked from logging in unless their org pre-configures advanced authentication in My Domain, or until they utilize the new “Login for Admins” browser-based flow arriving in Mobile SDK 13.2.1

Impact on “Waive MFA” Permission: Please note the exact behavior of the “Waive Multi-Factor Authentication for Exempt Users” permission. After enforcement, this permission will no longer automatically waive the MFA requirement; users with this permission will actually be prompted to enroll in MFA in the UI. To restore this exemption for valid testing/automation tools, admins must proactively contact Salesforce Support for approval.

Passwordless Login Recommendation: Please note the best-practice recommendation of enabling “Allow passwordless login with passkeys”. This allows users (especially privileged admins) to meet the strict phishing-resistant MFA requirement by simply logging in with their username and a biometric passkey or security key, bypassing the need for a password and streamlining their experience.

Trial Org Grace Period: Note that Trial Orgs converted to a paid subscription will no longer receive a 30-day grace period to comply with the MFA requirement.

MFA Edge Cases and Exceptions

Experience Cloud and Community users are completely exempt from this specific MFA login mandate. API-only users with the API-only permission assigned are exempt from MFA, as the requirement applies exclusively to UI logins. For Windows SSO, check the AMR field in login history for OIDC, or use the SAML Validator tool for SAML; ignore the strong/weak classification and only verify that the signal is present. Free scratch orgs are not in scope, as MFA enforcement applies only to paid sandbox orgs. When it comes to device activation, MFA takes precedence, and completing MFA exempts users from device activation prompts. Finally, custom IDPs must follow SAML/OIDC industry standards for passing AMR/ACR signals; contact your account team or support for provider-specific nuances.

Customer Communication Plan

Knowledge articles were published, you will find the links in this post. System administrators and security contacts received email notifications on the 6th of May, 2026. Product managers will be hosting webinars on Wednesday, May 13th, with both early and late US time slots available. For the early webinar time, click here. For the later time, click here.

Action Items

• Partners: Review client orgs for current VPN usage and MFA exemption permission assignments; prepare clients for June-August enforcement timelines. 
• Admins: Test MFA configurations in sandboxes starting June 22; ensure users have at least one verification method configured (email/SMS/authenticator). 
• SSO administrators: Verify AMR/ACR signals are being passed correctly using login history (OIDC) or SAML Validator tool (SAML). 
• Shield customers: Review transaction security policies and prepare for step-up authentication on report downloads >10,000 records and policy modifications. 
• All customers: Set up DKIM keys or authorized email domains; use in-app verification tool to check compliance. 

Don’t Wait for Enforcement to Find Your Gaps

Salesforce’s upcoming security enforcement represents a meaningful shift in how the platform approaches user protection. For years, the responsibility fell almost entirely on customers to configure and maintain their own security posture. That’s changing. Whether you’re an admin, developer, architect, or partner, the June through August enforcement windows are closer than they appear. Audit your orgs, test your configurations in sandbox, and make sure your users are set up with the right verification methods before enforcement kicks in. The friction is real, but so is the risk it’s designed to address. See the official Salesforce documentation here.

Explore related content:

Setup with Agentforce: What Salesforce Admins Need to Know

The Salesforce DKIM Sandbox Problem, and How to Fix It

Clean Data, Smart Flows: Automating Data Cleanup in Salesforce Nonprofit Cloud

FYI: If your #Mastodon #domainverification doesn't work, check if you do have upper case letters in your URL as this won't work as of this #bug report from 2022: https://github.com/mastodon/mastodon/issues/20944

#domain #verification

Guys. 😄 After I tried switching from Brave/Firefox browsers to Chrome (Google's browser), Google (Safe Browsing) labeled my sites as unsafe with a big red page. 😄 They said that to remove the warning, I need to add their TXT records to the DNS records of my domain names I rent, such as `kalvin.my` and `lamin.my`. 😄 The purpose of this is to verify my domain ownership. 😄☀️ I think I will do this only if I find that the domain name reflects or has the same vibe as myself.

#WebBrowsers #GoogleSafeBrowsing #DomainVerification #DigitalIdentity #TechChallenges #OnlineSecurity #InternetPrivacy #WebTech #DomainOwnership #CyberSecurity #TechHumor #BrowserWars #GoogleChrome #InternetExperience #DigitalLife

if someone can help me verifying my domain with a TXT record for google and stuff - reveal yourself. Ideally femmes. Will gladly pay oc. But I have to learn myself, so videocall would be best. thank you!

#helprequest #domainverification #boost4reach

My apathetic arrival on Bluesky last spring did not suggest I had much interest or confidence in that decentralized social network: I opened my account on April 25, posted for the first time on April 27, and then waited more than two months to grace Bluesky with a second post.

And yet over the past two months, Bluesky has become my primary successor to Twitter as the platform that now goes by X continues its spiral into conspiracy-theory hell under Elon Musk’s militantly ignorant misrule. Bluesky now ranks as one of the first apps I check in the morning and among those I revisit most often during the day–even though my follower total of 608 is far smaller than the 1,404 following me on Mastodon or the 18,713 followers of my idle Twitter account.

The top reason is the quality of the conversations on Bluesky. I see more engagement with my posts here–see, for instance, the comparison I did in December when I shared the same PCMag story about Comcast rate hikes on Bluesky, Twitter, Mastodon and Meta’s Threads–and that feedback is more likely to leave me more enlightened or at least amused. I keep thinking this won’t last, especially after the platform dropped its invite system in February, but so far Bluesky’s banter remains mostly pleasant.

It also helps that so many of the voices I valued on Twitter have made their way over to Bluesky–and that I’ve had the pleasure of discovering new voices there. And since I’m not getting paid for any of this or deriving other obvious and direct professional benefit (as in, I know how few people clicked through to stories I shared on Twitter), those things matter to me.

Second, Bluesky has advanced faster than I might have expected. A small team of developers led by CEO Jay Graber has built out its foundational feature of account portability with impressive speed. That means not just the option to take my followers to a new account with a different handle, what I call settings portability as offered at Mastodon, but the ability to move my entire presence, including the handle that I’ve set to my robpegoraro.com domain name, to a different host.

That progress in building a legitimate breakthrough in social networking gives me confidence that Bluesky’s developers will check off such lesser to-do details as these items on a product-roadmap update posted May 7: direct messaging, inline video, in-app tools to create and manage custom feeds (for example, my D.C.-area airports feed), and login-security upgrades enabling a choice of multi-factor authentication options.

An edit button, however, is not among those roadmap items, and in that aspect Mastodon maintains a distinct advantage over Bluesky. But while I continue to have good conversations there, too many of the people I liked seeing on Twitter either haven’t set up shop on Mastodon or tried it and have since moved on.

A large fraction of the Twitter diaspora, meanwhile, has looked past both Mastodon and Bluesky to migrate to Threads instead. But while the default “For You” algorithmic feed isn’t as hopelessly vapid in my Threads account as it was six months ago, I still find the notion of handing over that much more of my online social presence to Meta to be profoundly distasteful. I do not need a single point of social-media failure that large, especially not one with Meta’s history of bad-faith behavior towards journalism.

Also distasteful: how I still have to read Twitter because of all the people who have not bailed on that platform and continue to share enlightening tidbits there. I mainly do that through lists I created that help me avoid the clout-chasing randos, conspiracy-lie merchants and fascism-curious creeps now polluting that platform, but because I cover social media I also have to keep up with Musk’s reputational self-immolation through his increasingly delusional tweets.

I don’t know that Bluesky will ever replace what Twitter was, or if anything can or even should. But while much about this project remains uncertain–most of all, if this public-benefit corporation can secure a reliable business model–at least I know my free writing online isn’t underwriting a shitposting billionaire’s vanity value-destruction project.

https://robpegoraro.com/2024/05/10/one-year-in-some-of-the-clouds-around-my-bluesky-experience-have-cleared/

#Bluesky #BlueskyFeeds #bsky #DMs #domainVerification #editButton #ElonMusk #ElonMuskTwitter #JackDorsey #JayGraber #journaHost #Mastodon #meta #Threads #Twitter #X

🔵 The Developer's Guide to Domain Verification
at @WorkOS
#DomainVerification #webdev

https://workos.com/blog/the-developers-guide-to-domain-verification