URGENT: Salesforce's MFA from 16 June 2026 Deadline. REQUIRES IMMEDIATE ACTION!
This is the bit nobody tells you about MFA. It's not a tickbox. The way you do it matters. And from 16 June 2026, Salesforce has decided to stop pretending otherwise. A practitioner's walkthrough of the two enforcement changes, what will break, and the six-step playbook that keeps your APAC org out of June 2026 incident reports.

TLDR
Salesforce is enforcing two big changes in June 2026.
Every internal user needs MFA in production and sandbox — no exceptions, and if you're on SSO it's on your IdP to actually enforce it.
Anyone with System Administrator rights (or the Modify All Data, View All Data, Customize Application, or Author Apex permissions) must use phishing-resistant MFA, meaning FIDO2 hardware keys or built-in biometrics like Touch ID. Push notifications, Google Authenticator and SMS codes won't qualify anymore.
Three things will break the moment you turn this on: username/password API integrations (move to OAuth), contractor and partner access, and field workers without smartphones (budget for hardware keys, around $30 to 60 USD a pop, two per admin). Run the MFA Requirement Checker now, audit your admin permissions, verify your SSO actually enforces MFA, fix your integrations, and over-communicate the cutover.
Here are the official Salesforce links:
Start now if you haven't already!
What's actually happening in June 2026
Salesforce is rolling out two enforcement changes that land in the same window. They sound similar. They aren't. (Salesforce Ben, Salesforce Help)
The first one is the easy headline. Every internal user with a Salesforce or Salesforce Platform licence must authenticate with MFA, in production and in sandbox, by 22 June (Sandboxes) and 1 July (Production). If you're using SSO, that MFA needs to be enforced at your identity provider. Salesforce will not check this for you. They will assume you've done it.
The second one is the bit that's going to ruin people's weekends. From the same enforcement window, anyone with a System Administrator profile (or equivalent permissions like Modify All Data, View All Data, Customize Application, or Author Apex) must use phishing-resistant MFA specifically. Not push notifications. Not Google Authenticator. Not the SMS code your auditor has been letting you slide on for three years. (NinjaOne, Vantage Point)
Phishing-resistant means cryptographic. FIDO2 / WebAuthn. Hardware keys like YubiKey or Google Titan. Built-in biometric authenticators like Touch ID, Face ID, Windows Hello. Anything else doesn't qualify, regardless of how shiny the marketing page is.
Email OTPs, SMS codes, and phone call codes have never satisfied the original 2022 MFA requirement either, by the way. Salesforce just got tired of customers pretending otherwise.
Why the goalposts moved
The 2022 MFA requirement was written in a world where phishing meant a dodgy email asking you to confirm your bank password. The 2026 requirement is written for a world where Scattered Spider and ShinyHunters spent the back half of 2025 voice-phishing helpdesk agents into approving malicious Connected Apps, then quietly exfiltrating CRM data via OAuth tokens. The token bypassed MFA entirely because OAuth, by design, doesn't re-prompt for it. (Cybersecurity Dive, Obsidian Security)
The list of confirmed victims from those campaigns reads like an APAC trade fair. Allianz Life, luxury retail brands, aviation, tech firms, insurance. Around 39 organisations ended up on a public extortion site by October 2025. (Help Net Security)
Push-based MFA didn't help any of them, because the attacks didn't try to defeat MFA. They tricked humans into opening the front door wearing the right uniform.
Phishing-resistant methods work because they cryptographically bind the authentication to the actual website you're talking to. Even if a helpdesk agent wants to approve the dodgy request, the YubiKey or biometric won't let them, because the domain doesn't match. That's the bit Salesforce is now mandating for admins. Not because they're being precious. Because they watched the receipts come in.
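To make the domain-binding point concrete, here is an added Python example (mine, not code from the article or from Salesforce) of the check a WebAuthn relying party performs on an assertion before it even looks at the signature. The browser writes the origin of the page it loaded into clientDataJSON and the SHA-256 of the RP ID into authenticatorData, so an assertion produced on a look-alike page carries the wrong origin and RP ID hash and is rejected outright. The RP ID, allowed origin, challenge and both sample assertions are constructed for the example; the signature verification a real relying party does afterwards is left out.

```python
import base64
import hashlib
import json

# Relying-party identity for the login page. Assumed values for this example; a real
# deployment takes them from the relying-party configuration.
RP_ID = "login.salesforce.com"
ALLOWED_ORIGINS = {"https://login.salesforce.com"}


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).decode().rstrip("=")


def check_assertion_binding(client_data_b64: str, auth_data_b64: str, expected_challenge: str):
    """Check the origin and RP ID binding of a WebAuthn assertion.

    Returns (ok, reason). The signature check is deliberately omitted: this shows only
    why a look-alike login page cannot produce an assertion the real site accepts.
    """
    try:
        client_data = json.loads(b64url_decode(client_data_b64))
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, f"unexpected ceremony type {client_data.get('type')!r}"
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge does not match the one issued for this login"
    origin = client_data.get("origin")
    if origin not in ALLOWED_ORIGINS:
        return False, f"origin {origin!r} is not an allowed origin"
    auth_data = b64url_decode(auth_data_b64)
    if len(auth_data) < 37:  # rpIdHash(32) + flags(1) + signCount(4)
        return False, "authenticatorData too short"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match the expected RP ID"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "origin and RP ID binding verified"


def make_sample_assertion(origin: str, rp_id: str, challenge: str):
    """Constructed sample of the unsigned parts a browser produces for a given page."""
    client_data = {"type": "webauthn.get", "challenge": challenge, "origin": origin, "crossOrigin": False}
    # flags 0x05 = user present + user verified; sign count 1
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + (1).to_bytes(4, "big")
    return b64url_encode(json.dumps(client_data).encode()), b64url_encode(auth_data)


CHALLENGE = b64url_encode(b"constructed-challenge-0001")

# Genuine login page: the browser binds the assertion to login.salesforce.com.
genuine = make_sample_assertion("https://login.salesforce.com", "login.salesforce.com", CHALLENGE)
# Look-alike page (constructed, .test TLD): the browser records the origin and RP ID of the
# page actually loaded, so the binding check fails before any signature is examined.
lookalike = make_sample_assertion("https://login-salesforce.test", "login-salesforce.test", CHALLENGE)

if __name__ == "__main__":
    print(check_assertion_binding(*genuine, CHALLENGE))
    print(check_assertion_binding(*lookalike, CHALLENGE))
```

The point for a helpdesk-phishing scenario is the order of the checks: the origin and rpIdHash comparisons fail on the relying party side no matter how willing the human was, which is what push and OTP methods cannot offer.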
What's going to break (the bit your CFO will care about)
Three things break the moment you enforce MFA properly across an org of any meaningful size, and you should know them before someone on the leadership team asks.
Username and password API authentication. Every script, every middleware tool, every legacy integration that logs in as a service account with a username and password will stop working. Workato, MuleSoft, Boomi, Informatica, Talend, custom Python scripts, that one batch job nobody has touched since 2019. All of them. The fix is OAuth or named credentials. The audit is now.
Contractors and partner users. If you've been quietly granting Salesforce access to consultants and partner staff under loose policies, the MFA mandate makes those users your problem. Either they enrol with their own authenticators, or you provision SSO for them, or you decide they shouldn't have had access to begin with. There is no fourth door.
Field workers without smartphones. This one's an APAC special. If you've got merchandisers, surveyors, agronomists, or service technicians in regional Australia, the Pacific, or parts of Southeast Asia who don't carry a company smartphone, you can't deploy an authenticator app to them. They need a hardware key, or a different licensing approach, or both. Budget for it now or you'll be expediting YubiKey shipments to Suva in May.
A six-step playbook that won't make you cry
This is roughly how I'd run it for an APAC enterprise with multiple orgs and a mixed user base. Adjust the timelines for your scale, but don't compress them. Compressed MFA rollouts end up on incident reports.
Run the MFA Requirement Checker this week. Salesforce ships a free tool inside Setup → Identity Verification History and the Multi-Factor Authentication Assistant. It tells you who's enrolled, who isn't, and what method they're using. Run it across every org you own. Sandboxes count. Pre-prod counts. That dusty partner org you forgot about counts.
Inventory your admins. Setup, Profiles, System Administrator. Then check every permission set granting Modify All Data or Manage Users. Then check every user with a delegated admin assignment. The list is always longer than people expect. Every single one of those humans needs phishing-resistant MFA, and ideally two methods registered for backup. (HYPR)
Segment your user populations. You'll have four groups, roughly. Office staff with smartphones (easy, deploy authenticator apps). Field staff without smartphones (hard, deploy hardware keys). Admins (medium, deploy phishing-resistant methods with backups). SSO users (easy in theory, deeply embarrassing if you discover your IdP wasn't enforcing MFA properly). Plan each segment differently. One blanket comms email won't cut it.
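The admin inventory and the segmentation above are mechanical once the data is exported, so here is an added Python example (my own, not the article's or Salesforce's tooling) that takes a constructed extract of users, profiles and permission sets, classifies each person as admin, SSO, office or field, and states the gap to close for June 2026. The PermissionSet boolean field names are the API names for the permissions the article lists; the MFA method labels, the sample org and the assumption that delegated admin assignments have already been folded into the permission-set data are mine.

```python
from dataclasses import dataclass, field

# MFA method labels used by this example; map the method names in your Identity
# Verification History export onto them.
PHISHING_RESISTANT = {"security_key", "builtin_authenticator"}  # FIDO2 key, Touch ID / Face ID / Windows Hello
ACCEPTABLE_MFA = PHISHING_RESISTANT | {"authenticator_app", "push"}  # TOTP app, Salesforce Authenticator push
# "sms", "email_otp" and "phone_call" are on neither list: they never satisfied the requirement.

# Permission flags that put a user in scope for phishing-resistant MFA (PermissionSet API field names).
ADMIN_FLAGS = ("PermissionsModifyAllData", "PermissionsViewAllData",
               "PermissionsCustomizeApplication", "PermissionsAuthorApex", "PermissionsManageUsers")


@dataclass
class User:
    username: str
    profile: str
    permission_sets: list = field(default_factory=list)
    uses_sso: bool = False
    idp_mfa_verified: bool = False   # set True only after you have tested the IdP policy yourself
    has_smartphone: bool = True
    mfa_methods: set = field(default_factory=set)


def is_admin(user, perm_sets):
    """System Administrator profile, or any assigned permission set that grants an admin flag."""
    if user.profile == "System Administrator":
        return True
    return any(perm_sets.get(ps, {}).get(flag, False)
               for ps in user.permission_sets for flag in ADMIN_FLAGS)


def assess(users, perm_sets):
    """One row per user: segment, whether they meet the June 2026 bar, and the gap to close."""
    rows = []
    for u in users:
        admin = is_admin(u, perm_sets)
        resistant = u.mfa_methods & PHISHING_RESISTANT
        if admin:
            segment = "admin"
            if not resistant:
                gap = "needs a phishing-resistant method (hardware key or built-in biometric)"
            elif len(resistant) < 2:
                gap = "register a second phishing-resistant method as backup"
            else:
                gap = ""
        elif u.uses_sso:
            segment = "sso"
            gap = "" if u.idp_mfa_verified else "confirm MFA is enforced at the IdP; Salesforce will not check"
        else:
            segment = "office" if u.has_smartphone else "field"
            if u.mfa_methods & ACCEPTABLE_MFA:
                gap = ""
            else:
                gap = "enrol an authenticator app" if u.has_smartphone else "needs a hardware key"
        rows.append({"username": u.username, "segment": segment, "compliant": gap == "", "gap": gap})
    return rows


# Constructed sample org: permission sets keyed by API name, with the flags they grant.
PERM_SETS = {
    "Integration_Admin": {"PermissionsModifyAllData": True},
    "Report_Builder": {"PermissionsViewAllData": False},
}
USERS = [
    User("alice@example.com", "System Administrator", mfa_methods={"security_key", "builtin_authenticator"}),
    User("bob@example.com", "Standard User", ["Integration_Admin"], mfa_methods={"push"}),
    User("carol@example.com", "Standard User", uses_sso=True),
    User("dave@example.com", "Standard User", has_smartphone=False, mfa_methods={"sms"}),
    User("erin@example.com", "Standard User", ["Report_Builder"], mfa_methods={"authenticator_app"}),
    User("frank@example.com", "System Administrator", mfa_methods={"security_key"}),
]

if __name__ == "__main__":
    for row in assess(USERS, PERM_SETS):
        print(f"{row['username']:<20} {row['segment']:<7} {'OK' if row['compliant'] else row['gap']}")
```

Bob is the case people miss: a Standard User profile that picks up Modify All Data through a permission set is an admin for the purposes of the mandate, and push MFA does not get him over the line.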
Verify your SSO actually enforces MFA. If you're using Okta, Entra ID (Azure AD), Ping, or ADFS, do not assume your conditional access policies cover Salesforce. I have seen organisations discover, two weeks before an audit, that the policy excluded a legacy app group that happened to include the Salesforce SAML connection. Test it. In sandbox. With a real user account.
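One way to test the SSO step with a real user in sandbox is to capture the SAML response the IdP sends back and read its authentication context. This added Python example (mine, not from the article or from any IdP vendor) parses a constructed response, checks that the assertion is for the Salesforce audience, and classifies the AuthnContextClassRef as MFA, password-only or inconclusive. The multipleauthn value is what Entra ID sets after MFA and the others are standard SAML context classes, but the allowlist is an assumption to tune for your IdP: some IdPs report PasswordProtectedTransport regardless of factors, and then the IdP sign-in log, not the assertion, is the authority. The default Salesforce entity ID and the sample responses are assumed values.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Context classes treated as evidence that the IdP performed MFA (assumed allowlist; adjust per IdP).
MFA_CONTEXT_CLASSES = {
    "http://schemas.microsoft.com/claims/multipleauthn",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI",
}
# Context classes that state a password was the only factor.
PASSWORD_ONLY_CLASSES = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:Password",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
}

# Default Salesforce SAML entity ID (assumed); use your org's configured value if it differs.
SALESFORCE_AUDIENCE = "https://saml.salesforce.com"


def check_saml_mfa(response_xml: str, expected_audience: str = SALESFORCE_AUDIENCE):
    """Return (verdict, detail); verdict is "mfa", "password_only" or "inconclusive"."""
    root = ET.fromstring(response_xml)
    audiences = {a.text.strip() for a in root.findall(".//saml:Audience", NS) if a.text}
    if expected_audience not in audiences:
        return "inconclusive", f"assertion audience {sorted(audiences)} is not this org"
    classes = {c.text.strip() for c in root.findall(".//saml:AuthnContextClassRef", NS) if c.text}
    if classes & MFA_CONTEXT_CLASSES:
        return "mfa", f"context class {sorted(classes & MFA_CONTEXT_CLASSES)[0]} indicates MFA"
    if classes and classes <= PASSWORD_ONLY_CLASSES:
        return "password_only", f"context class {sorted(classes)[0]} reports password only"
    return "inconclusive", f"context classes {sorted(classes)} do not state the factor; check the IdP log"


def sample_response(context_class: str, audience: str = SALESFORCE_AUDIENCE) -> str:
    """Constructed, unsigned SAML response containing only the elements this check reads."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
  <saml:Assertion>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{audience}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AuthnStatement><saml:AuthnContext>
      <saml:AuthnContextClassRef>{context_class}</saml:AuthnContextClassRef>
    </saml:AuthnContext></saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    print(check_saml_mfa(sample_response("http://schemas.microsoft.com/claims/multipleauthn")))
    print(check_saml_mfa(sample_response("urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport")))
```

Run it against a response captured from the sandbox login, not a production one, and treat "inconclusive" as a prompt to go and read the IdP's own sign-in record for that login rather than as a pass.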
Audit your integrations and upgrade them. Every API integration using basic auth needs to move to OAuth 2.0 client credentials flow, JWT bearer flow, or named credentials. Prioritise the ones that will silently fail at midnight on the cutover and not be discovered until somebody's revenue report doesn't run. ETL jobs, payment integrations, data sync to your warehouse. Those first.
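The integration audit in this step and the "username and password API authentication" warning earlier both come down to finding which service accounts still log in the old way. This added Python example (mine, not the article's or Salesforce's) reads a constructed LoginHistory export, flags the rows that look like a username-and-password API login, and orders the affected accounts by how recently and how often they log in so the busiest integrations are migrated first. The column names follow the LoginHistory object; the assumption that LoginType "Application" with a SOAP ApiType marks a password login and "Remote Access 2.0" marks an OAuth connected app is mine and should be checked against your own export before you act on the list.

```python
import csv
import io

# Constructed sample of a LoginHistory export (not real data).
SAMPLE_EXPORT = """Username,LoginTime,LoginType,ApiType,ApiVersion,Application,Status
etl.svc@example.com,2026-05-10T01:02:03Z,Application,SOAP Partner,52.0,Informatica,Success
etl.svc@example.com,2026-05-11T01:02:05Z,Application,SOAP Partner,52.0,Informatica,Success
warehouse.sync@example.com,2026-05-11T02:00:00Z,Remote Access 2.0,N/A,60.0,Workato,Success
payments.svc@example.com,2026-05-11T03:15:00Z,Application,SOAP Enterprise,47.0,Custom Python,Success
alice@example.com,2026-05-11T08:00:00Z,SAML Sfdc Initiated SSO,N/A,N/A,Browser,Success
"""

# LoginType values treated as a username-and-password API login (assumption, see lead-in).
# "Remote Access 2.0" rows are OAuth 2.0 connected-app logins and are already on the right path.
USERNAME_PASSWORD_API = {"Application"}


def find_password_api_logins(export_text: str) -> dict:
    """Group username/password API logins by user: count, last login, applications seen."""
    flagged = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["LoginType"] not in USERNAME_PASSWORD_API or not row["ApiType"].startswith("SOAP"):
            continue
        entry = flagged.setdefault(row["Username"], {"count": 0, "last_login": "", "applications": set()})
        entry["count"] += 1
        entry["last_login"] = max(entry["last_login"], row["LoginTime"])  # ISO-8601 sorts lexically
        entry["applications"].add(row["Application"])
    return flagged


def migration_order(flagged: dict) -> list:
    """Most recently and most frequently used accounts first; those fail loudest at cutover."""
    return sorted(flagged, key=lambda u: (flagged[u]["last_login"], flagged[u]["count"]), reverse=True)


if __name__ == "__main__":
    found = find_password_api_logins(SAMPLE_EXPORT)
    for user in migration_order(found):
        info = found[user]
        print(f"{user:<28} {info['count']:>3} logins, last {info['last_login']}, via {', '.join(sorted(info['applications']))}")
```

Each account on the resulting list needs its integration moved to an OAuth 2.0 client credentials flow, the JWT bearer flow, or a named credential, and then its password login disabled so the migration cannot quietly regress.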
Communicate now, then communicate again, then communicate one more time. Twelve weeks of comms is not too much. Six weeks is the bare minimum. Your users will not read the first three emails. They will read the fourth one, the day before enforcement, and they will be angry. Plan for it. Have your support team staffed up for the rollout window, and stagger the cutover by region and timezone. A Monday enforcement in Sydney is a Sunday disaster in the US.
The hidden costs nobody puts in the budget
Hardware keys aren't free. Quote the actual numbers when you ask for the budget. As of May 2026, current Yubico pricing is roughly: Security Key Series ~$29 USD, YubiKey 5 Series ~$55–58 USD, FIPS Series ~$88, Bio Series ~$98. For enterprise admin use you'll typically want at least the 5 Series, so a more honest range is $30 to 60 USD per key for standard use, more for FIPS/Bio variants, and you need two per admin for redundancy (Salesforce Ben). For a 50-admin org that's somewhere between 2,500 and 5,000 USD, plus shipping to wherever your admins actually live. If you've got admins in Bangalore, Sydney, Singapore, Manila, and Auckland, that's five courier runs.
Lost-key replacement is its own line item. Build a runbook for what happens when an admin loses their YubiKey at 9pm on a Friday and there's a P1 in the morning. The answer is "their backup key, which they registered six months ago and stored at home". If that answer doesn't currently exist, write it down before June.
Training time matters more than the hardware. The first time most admins use a security key, they put it in the wrong USB port, hold it the wrong way up, and assume it's broken. Schedule the hands-on session. Don't email a PDF.
Bottom line for APAC enterprise leaders
The 13 June 2026 deadline isn't really about MFA. MFA is the artefact. The deadline is about Salesforce drawing a line under a decade of credential-based security being demonstrably insufficient against industrialised social engineering. Scattered Spider proved the point in 2025. Salesforce is now codifying the lesson into policy.
If you operate in regulated APAC markets, this is also about your own audit posture. ISO 27001, SOC 2, the Australian Essential Eight, Singapore's MAS TRM guidelines, and the various data residency frameworks across the region all increasingly assume MFA as a baseline. A Salesforce org without phishing-resistant admin MFA is going to look strange to your next auditor regardless of what Salesforce mandates.
The orgs that start now will spend the next twelve months on an unhurried, well-communicated rollout. The orgs that started in March 2026 will spend May expediting hardware keys and apologising to users. The orgs that start in June 2026 will spend June updating their resumes.
Pick which one you'd like to be.
What's the most painful MFA rollout story you've lived through, and what would you do differently if you had to run it again?
Robin Leonard is a Partner at Xenai Digital, an APAC enterprise Salesforce consultancy. 9x Salesforce certified, with form leading enterprise transformations across Australia, New Zealand, Singapore, Japan, and the broader Pacific. Splits his time between Auckland, Sydney and Tokyo, rides a Royal Enfield Himalayan 450 when the weather agrees with him, and drinks too much coffee in cafes while watching deadlines like this one approach. linkedin.com/in/robinleonard1
---
Originally published on LinkedIn on 12 May 2026.
