7 Crucial Facts About Password Managers & Salesforce MFA: What Actually Counts? (Updated June 2026)

If you’ve been hanging around the Salesforce ecosystem lately, you’ve probably heard the collective intake of breath regarding the 2026 security enforcement, specifically the mandate that “privileged users” must use phishing-resistant Multi-Factor Authentication (MFA). For a while, there was some serious confusion: Do password managers count? Are we all going to be tethered to physical YubiKeys like it’s 2010?

The good news is that Salesforce recently updated its guidance as of June 2026. The short answer is: Yes, password managers can count, but there is a massive, bolded, underlined “if” attached to that statement.

At CLOUDSTREET, we’re based in the heart of Houston, Texas, but we help our customers locally and globally navigate these exact types of security hurdles. Whether you’re trying to secure your Agentforce Sales (formerly Sales Cloud) environment or looking to optimize a high-traffic Agentforce Commerce (previously Commerce Cloud) portal, staying ahead of these requirements isn’t just about compliance; it’s about not getting locked out of your own house.

Here are the 7 things you absolutely need to know about the new Salesforce MFA requirements and how your password manager fits in.


1. The Big June 2026 Update: Cloud-Synced Passkeys are “In”

For a long time, the word on the street was that cloud-synced password managers wouldn’t cut it for the “phishing-resistant” requirement. Salesforce has officially clarified that cloud-synced passkeys stored in FIDO2/WebAuthn-compliant password managers do meet the requirement.

This includes popular tools like:

  1. 1Password
  2. Bitwarden
  3. iCloud Keychain

If your password manager supports storing actual FIDO2 passkeys, you’re in the clear. This is a huge relief for teams that manage multiple orgs and don’t want to carry a ring of physical security keys like a Victorian jailer.

2. The Critical Nuance: Credentials vs. Passkeys

This is where many admins are going to get tripped up. There is a massive difference between using a password manager to store your password and using it as a passkey authenticator.

  • What DOES NOT count: Using 1Password to autofill your username and password, then opening a separate app (like Google Authenticator or Authy) to type in a 6-digit TOTP code. Even though you’re using a password manager, this method is not phishing-resistant.
  • What DOES count: Using your password manager to generate and store a FIDO2/WebAuthn passkey. When you log in, the password manager communicates directly with Salesforce to verify the domain and authenticate you without a manual code.

Basically, if you’re still typing in a six-digit code, you aren’t phishing-resistant in the eyes of Salesforce.

3. Who Exactly is Under the Microscope?

Not every single user in your org needs to jump to phishing-resistant MFA immediately, but your most powerful users do. This requirement applies to any user with the following:

  1. System Administrator Profile
  2. Modify All Data permission
  3. View All Data permission
  4. Customize Application permission
  5. Author Apex permission

If you have any of these “keys to the kingdom,” Salesforce expects you to have a higher level of security. This applies to both Agentforce Service and Agentforce Sales environments, ensuring that those who can change the fabric of your org are properly protected.

4. The Deadlines: June 22 and July 1, 2026

The clock isn’t just ticking; it’s practically screaming.

  1. Sandbox Enforcement: Started June 22, 2026.
  2. Production Enforcement: Starts July 1, 2026.

There is no grace period. Once the enforcement hits your instance, if you don’t have a compliant MFA method registered, you will be blocked at the login screen. If you’re in the middle of a massive technology implementation or a quick-start template deployment, the last thing you want is for your entire admin team to be locked out.

5. What Qualifies (and What’s Out)

To be compliant, your method must be phishing-resistant. This means it uses asymmetric cryptography tied to the specific domain (salesforce.com).

What Qualifies:

  1. Built-in Authenticators: Touch ID, Face ID, Windows Hello.
  2. Hardware Security Keys: YubiKey, Google Titan.
  3. Cloud-synced Passkeys: As long as they are stored in a FIDO2-compliant manager.

What is OUT:

  1. Salesforce Authenticator push notifications (shocking, we know).
  2. Google Authenticator / Authy (TOTP).
  3. SMS / Email codes.
  4. Voice call codes.

6. The Strategy for Shared Accounts

We know the reality: many partners and consultancies use shared admin accounts (though we always recommend individual ones for audit trails!). If you must share an account, you can’t just share a single passkey like a Netflix password.

The recommended strategy is to store the passkey in a shared password manager vault (like a 1Password Shared Vault). This allows authorized team members to access the passkey and authenticate securely without compromising the phishing-resistant nature of the login.

7. No More “Get Out of Jail Free” Cards

In the past, the “Waive Multi-Factor Authentication for Exempt Users” permission was a handy way to bypass MFA for specific use cases. As of the July 2026 enforcement, this permission no longer auto-exempts users from the phishing-resistant requirement.

Users with this permission will still be prompted to enroll. If you have a legitimate technical reason (like automated testing tools) to waive MFA, you now have to contact Salesforce Support directly for approval.


Need Help Securing Your Org?

Navigating the shift from “standard” Salesforce to the new Agentforce era involves more than just a name change. It requires a fundamental shift in how you handle security, data, and user experience.

At a.CLOUDSTREET, we specialize in making these transitions seamless. While we are known as Experience Cloud and Agentforce Commerce (formerly Commerce Cloud) portal specialists, we provide deep-dive Salesforce strategy for businesses ranging from mid-sized firms to global enterprises.

Our team in Houston, Texas works with clients around the corner and around the world to ensure their Salesforce ROI is maximized while their security remains airtight. Don’t wait until July 1st to find out your admin team is locked out.

Contact us today for a Salesforce Security & Compliance Audit


Conclusion

The move toward phishing-resistant MFA is a massive step forward for the security of the Salesforce platform. While it might feel like another hurdle for busy admins, the inclusion of FIDO2-compliant password managers makes it much more manageable. Just remember: it’s not about the tool you use, it’s how you use it.

Switch to passkeys today, and sleep easier tonight.
