Salesforce Security Changes Are Coming: What Every User Needs to Know
Beginning in June 2026, Salesforce is rolling out new security requirements designed to better protect user accounts and sensitive organizational data.
While many of these changes are being implemented behind the scenes, they will affect how people log in to Salesforce and, in some cases, how they access reports.
If you're not a Salesforce Administrator, you may be wondering: How does this affect me? The good news is that there are only a few key changes to understand, and taking a few simple steps now can help you avoid interruptions later.
Why Is Salesforce Making These Changes?
Cybersecurity threats continue to evolve, and organizations of all sizes are targets for phishing attacks, stolen passwords, and unauthorized access. For nonprofits, foundations, and other mission-driven organizations, protecting donor information, grant data, financial records, and constituent information is critical.
These new security measures are intended to ensure that only authorized users can access sensitive information and that data remains protected even if a password is compromised.
Multi-Factor Authentication (MFA) Is Now a Standard Requirement
One of the biggest changes is the expanded use of Multi-Factor Authentication (MFA) and the enforcement to utilize a phishing-resistant MFA method. It’s no longer just a best practice, it’s a standard.
MFA requires two pieces of information to verify your identity when you log in:
Something you know, such as your username and password.
Something you have, such as a passkey, security key, or an authenticator application on your phone.
For many users, this may simply mean approving a notification on a trusted device or entering a verification code after entering a password.
If your organization already requires MFA, you may notice little or no change. If not, Salesforce will prompt you to register an approved verification method the next time you sign in.
"I Use Single Sign-On. Does This Affect Me?"
Many organizations allow users to sign in through services like Microsoft or Google using Single Sign-On (SSO). Even if you use SSO, you may still be affected by Salesforce's new security requirements.
Your organization will determine how these requirements are implemented. If you have questions about your login experience or available authentication methods, your Salesforce Administrator or IT team is the best resource.
Report Access May Require an Extra Verification Step
Salesforce is also introducing "step-up authentication" for certain sensitive actions, like exporting or printing reports.
Think of step-up authentication as an additional security checkpoint. Even after you've logged in successfully, Salesforce may ask you to verify your identity again before allowing access to data exports.
For example, you might be prompted to use a passkey or another approved verification method before exporting a report containing organizational data.
This extra step helps reduce the risk of unauthorized access if someone gains access to an active session.
What Should You Do Now?
The best way to prepare is to be proactive.
Consider taking these steps:
Register an approved MFA method if you have not already done so.
Verify that your phone number and email address are current in case they are used for identity verification.
Familiarize yourself with your organization's approved authentication methods.
Contact your Salesforce Administrator or IT department if you are unsure how these changes apply to your account.
Waiting until you're prompted during an important meeting or right before a grant deadline is not ideal.
What This Means for Nonprofits and Foundations
For mission-driven organizations, these changes go beyond technology. They help safeguard the information entrusted to you by donors, volunteers, applicants, grantees, and community members.
At the same time, organizations should recognize that stronger security may introduce small changes to everyday workflows. Staff may need to complete additional verification steps, and users who export reports or access sensitive data may notice new prompts.
Planning ahead and communicating these changes to employees can minimize disruption and ensure that security enhancements support, rather than hinder, your mission.
Final Thoughts
Security is becoming an increasingly important part of every Salesforce user's experience, not just the responsibility of administrators or IT teams.
The new MFA and step-up authentication requirements are designed to protect both individuals and organizations from unauthorized access and data loss. While they may add an extra step to certain activities, they also provide an important layer of defense in a world where cyber threats continue to grow.
If you're unsure what these changes mean for you, don't wait until enforcement begins. Reach out to your Salesforce Administrator or your team at ImagineCRM to register your preferred authentication method, and make sure you're ready before the new requirements take effect.
Key dates to be aware of:
June 22nd — MFA enforcement begins for sandboxes
July 1st — MFA enforcement begins for production for Admins
July 20th — MFA enforcement begins for production for all users
Users will now see this banner below when they log into their Salesforce instance. Details about the upcoming changes can be found in the “See What’s Changing” link.
Let's Make Sure You're Prepared
If you're unsure what these changes mean for you, don't wait until enforcement begins. Reach out to your Salesforce Administrator or contact the team at ImagineCRM to register your preferred authentication method and make sure you're ready before the new requirements take effect.
