dott

Salesforce Phishing-Resistant MFA (PR-MFA) – Part 2

Table of Contents

Passkeys, Salesforce Configuration & Implementation


What Is a Passkey?

A Passkey is a modern authentication credential based on FIDO2 and WebAuthn standards. Instead of asking users to remember passwords or enter one-time verification codes, passkeys use cryptographic key pairs stored securely on a trusted device.

When a user signs in:

  • The private key never leaves the device.
  • Salesforce verifies the authentication using the corresponding public key.
  • No reusable password or OTP is transmitted.

This makes passkeys significantly more resistant to phishing attacks than traditional MFA methods.



How Does a Passkey Work?

Traditional authentication: Username > Password > OTP > Login

Passkey authentication: Username > Windows Hello / Face ID / Touch ID / Security Key > Cryptographic Verification > Login

Notice what’s missing:

❌ Password typing

❌ OTP

❌ SMS

❌ Approval notification

Instead, the user’s device securely proves their identity.


Why Passkeys Are More Secure

Traditional MFA still depends on users making the correct decision.

For example:

“Is this login page genuine?”

“Should I approve this notification?”

Attackers exploit these decisions through phishing websites and social engineering.

Passkeys eliminate much of this risk because authentication is cryptographically tied to the legitimate Salesforce login page.

If the website isn’t Salesforce, the passkey simply won’t authenticate.


Where Can Passkeys Be Stored?

Passkeys are not limited to a single device.

Depending on your operating system and organizational policies, they can be stored in:

  • Windows Hello
  • Apple iCloud Keychain
  • Google Password Manager
  • Android Credential Manager
  • FIDO2 Security Keys
  • Enterprise Password Managers supporting Passkeys

Examples include:

  • 1Password
  • Bitwarden
  • Keeper
  • Dashlane

These platforms can synchronize passkeys across trusted devices, making device replacement much easier.


Passkeys vs Security Keys

Many administrators confuse these terms.

Passkeys Security Keys
Software-based Hardware-based
Stored securely on device Stored on USB/NFC key
Uses Face ID / Touch ID / Windows Hello Requires physical security key
Convenient Highest physical assurance
Best for most organizations Best for highly regulated environments

Which Passkey Should You Choose?

Salesforce doesn’t require one specific technology.

Choose what best aligns with your organization’s devices.

Device Recommended Method
Windows Laptop Windows Hello
MacBook Touch ID
iPhone Face ID
Android Device Passkey
Shared Recovery FIDO2 Security Key

How to Register a Passkey in Salesforce

The exact navigation may vary slightly depending on your Salesforce edition and release.

Step 1

Login to Salesforce.

Step 2

Open Settings Personal Settings

Step 3

Navigate to Advanced User Details or Authentication Settings

depending on your Salesforce interface.

Step 4

Choose Register Passkey

Step 5

Salesforce asks how you’d like to authenticate.

Examples:

  • Windows Hello
  • Face ID
  • Touch ID
  • Security Key
  • Password Manager Passkey

Step 6

Complete authentication.

Windows Hello may ask for:

  • Fingerprint
  • Face Recognition
  • PIN

Face ID asks for facial verification.

Touch ID requests your fingerprint.

Security Keys require touching the physical key.

Step 7

Salesforce confirms registration.


Register Multiple Passkeys

Salesforce supports registering multiple phishing-resistant authentication methods.

This is useful when one administrator uses:

  • Office Desktop
  • Laptop
  • Mobile Phone
  • Backup Security Key

We recommend registering at least:

✔ Primary Device

✔ Backup Device

or

✔ Backup Security Key

to reduce operational disruption.


Replacing a Laptop

This is one of the most common questions.

Example:

Old Laptop

Windows Hello Passkey

Laptop replaced

What now?

Recommended approach:

  1. Login using another registered authentication method.
  2. Register a passkey on the new laptop.
  3. Remove the old passkey.

Replacing a Mobile Phone

Similar process.

Example

Old iPhone

Face ID Passkey

New iPhone

If using iCloud Keychain, your passkeys may synchronize automatically after device setup.

Otherwise:

Register a new passkey.

Remove the old one.


Lost Device

If a device is lost:

Immediately

✔ Remove its registered passkey

✔ Register another trusted device

✔ Update recovery documentation

If available, use:

  • Backup Passkey

or

  • FIDO2 Security Key

to regain access.


Remove a Passkey

Navigate to:

Authentication Settings

Registered Passkeys

Remove


Can I Disable Passkeys?

Yes.

If organizational policies change, administrators can remove registered passkeys and register different phishing-resistant authentication methods.

However, privileged users must continue using at least one Salesforce-supported phishing-resistant authentication method to satisfy PR-MFA requirements.


Salesforce Recommendations

Salesforce recommends organizations begin preparation before production enforcement.

Suggested implementation sequence:

1. Identify privileged users.

Review:

  • Profiles
  • Permission Sets
  • Permission Set Groups

2. Register Passkeys

Prefer:

  • Windows Hello
  • Face ID
  • Touch ID
  • FIDO2 Security Keys

3. Test in Sandbox

Validate:

  • Administrator login
  • SSO
  • VS Code
  • Salesforce CLI
  • Deployment tools
  • Connected Apps

4. Train Users

Explain:

  • Why PR-MFA is changing.
  • How Passkeys work.
  • Recovery procedures.

5. Roll Out Before Production

Avoid waiting until enforcement begins.

Early testing minimizes user disruption.


What Changes?

✅ Privileged users require phishing-resistant authentication.

✅ Passkeys become the preferred authentication mechanism.

✅ Administrators should review authentication methods before July 2026.


What Doesn’t Change?

Many administrators worry far more is changing than actually is.

The following generally remain unchanged:

✅ Regular users can continue using supported MFA methods.

✅ OAuth integrations.

✅ JWT integrations.

✅ Client Credentials.

✅ Named Credentials.

✅ Server-to-server integrations.

Provided they don’t rely on interactive privileged logins.


SSO Considerations

Organizations using:

  • Microsoft Entra ID
  • Okta
  • Ping Identity
  • Other Identity Providers

should verify how their SSO implementation satisfies Salesforce’s PR-MFA requirements.

Review:

  • Authentication policies
  • Passkey support
  • FIDO2/WebAuthn support
  • Identity Provider configuration

Testing in a Sandbox environment before production rollout is strongly recommended.


Integration Considerations

Review authentication for:

  • Azure Data Factory
  • MuleSoft
  • Boomi
  • Informatica
  • Copado
  • Salesforce CLI
  • VS Code
  • Jenkins
  • GitHub Actions
  • Connected Apps

Interactive logins used by administrators may require updates, while non-interactive authentication methods such as OAuth Client Credentials or JWT are generally unaffected.

Book a Consultation

Let’s discuss how we can make your project a success.

    By submitting this form, you acknowledge and accept Perigeon’s privacy policy.

    Let’s Create Impact Through Innovation.

    Partner with Perigeon Software to turn bold ideas into scalable digital solutions.