Multi-Factor Authentication

You’ve probably noticed a pop-up message that appears from the recent times once you login into your Marketing Cloud instance telling you to enable Multi-Factor Authentication aka MFA. Why should you enable it? How to do this? You will get all needed information in this article.

Currently having MFA enabled is optional but will turn mandatory in the near future. So, better get ready.

Security in SFMC 

Let’s take a few steps back before we make a deep dive into MFA and speak about SFMC Security in general. 

Marketers currently work in highly personalized digital marketing landscape and Data Security is a crucial topic, while security comes into responsibility for everyone. Not only the service provider should ensure its solution is secure, but it is also customer’s responsibility to know the security aspects of working with data and being compliant with the recent security standards. 

Marketing Cloud has its own best practices to prevent common security threats such as credential or data loss/theft, phishing attacks, brute force. Amongst those best practices are: 

  • Roles and permissions 
  • Data Encryption (data-in-transit; data-at-rest* (paid add-on feature))
  • Data Retention policies 
  • Content Approval process 
  • SSL Certificates
  • Tenant specific endpoint 
  • SSH File Transfer Protocol
  • IP allow listing 
  • Identity verification (automatically replaced by MFA) 
  • SAML 2.0 SSO (single sign-on) 
  • Audit Trail 
  • Multi-Factor Authentication 
  • Loyal admin 

MFA adds another layer of protection to enhance SFMC login process. A user can successfully login into SFMC instance with passing two-step authentication: providing credentials (username and password), and also by additional verification method. There are in total three of them: 

  1. Salesforce Authenticator mobile app 
  2. Third-Party Authenticator app (TOPT) – Authy, Microsoft Authenticator, Google Authenticator 
  3. Security key (one type) – Yubico’s YubiKey, Google’s Titan Security Key 

Calls, SMS or email verification methods are not allowed for MFA. 


  • Enterprise accounts allow MFA enablement at the top-level account in the tenant. BUs can only view the settings. 
  • SFMC SAML 2.0 SSO is not compatible with MFA, so MFA should be still enabled as an extra safeguard. 
  • Multiple MFA Verification Methods are possible (Salesforce Authenticator + one type of Security Key + one type of TOPT Authenticator App), in case only one method per verification method type is registered. 

MFA Enablement 

Only SFMC Admin could enable MFA.  

First step is to click ‘Get Started’ at the pop-up message which appears after you log in to SFMC instance. 

Marketing Cloud will send a verification code to email address associated with your SFMC user. This code should be pasted in the field and verified.  

Then, you will have a choice of authentication methods available. 

For Salesforce Authenticator: 

  • You need to download and install the app from the Apple Store or Google Play. 
  • In the app select Add an Account option, then a two-word phrase will be displayed. 
  • Click in SFMC to connect the account to SF Authenticator and put the phrase from the app in the displayed field. 
  • Once the request is submitted, both sides should be connected. 
  • Now you can use the app for MFA to approve your logins in SFMC. 

For Security Key: 

  • Connect the Security key to your device and click Register. 
  • Give your security key a name. 
  • Save the setup. 

For Third-Party Authenticator App: 

  • You need to download and install a time-based one-time password (TOTP) authenticator app on your mobile device. 
  • Open the TOTP authenticator app and add an account. 
  • Use the authenticator app to scan the QR barcode that’s displayed on the Connect an Authenticator App screen.  
  • Another option is to manually generate your security key and enter it in the authenticator app. 
  • Enter the key and both sides should be connected. 

You can now log in to your Marketing Cloud account with your password and the value provided by your authentication method. 

All MFA events are logged in SFMC. You can find them in Setup -> Multi-Factor Authentication ->View MFA Events. 

Start using the new MFA Marketing Cloud feature and follow security best practices to build a comprehensive security controls for your marketing platform. 


Official Salesforce MFA Documentation 

Marketing Cloud Security Guide 

Marketing Cloud Security Trailhead 

Spread the love
Avatar photo

Ekaterina Obolenskaya

6x Salesforce certified Marketing Cloud Solution Architect and Developer, named Salesforce Marketing Champion 2020. Ekaterina is recognised as a tech-savvy leader and a real-time optimization expert (Evergage, Thunderhead).