mfa-enforcement-patterns
Design MFA enforcement: auto-enablement, Salesforce Authenticator rollout, exceptions, service accounts, API-only users, SSO interop, and audit. Trigger keywords: MFA, multi-factor, two-factor, Salesforce Authenticator, MFA exception, MFA SSO, api-only MFA. Does NOT cover: end-user password policies, device-trust posture, or non-Salesforce IdP configuration.
Best use case
mfa-enforcement-patterns is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Teams using mfa-enforcement-patterns should expect more consistent output, faster repeated execution, and less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in `.claude/skills/mfa-enforcement-patterns/SKILL.md` inside your project
- Restart your AI agent — it will auto-discover the skill
How mfa-enforcement-patterns Compares
| Feature / Agent | mfa-enforcement-patterns | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Design MFA enforcement: auto-enablement, Salesforce Authenticator rollout, exceptions, service accounts, API-only users, SSO interop, and audit. Trigger keywords: MFA, multi-factor, two-factor, Salesforce Authenticator, MFA exception, MFA SSO, api-only MFA. Does NOT cover: end-user password policies, device-trust posture, or non-Salesforce IdP configuration.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# MFA Enforcement Patterns

## The Baseline

Salesforce auto-enables MFA for direct logins. The work is not "turn on MFA" — it is:

- Getting SSO users covered at the IdP.
- Handling integration / API-only users without breaking jobs.
- Managing exception requests so they do not turn permanent.
- Rolling out Salesforce Authenticator without a support-desk flood.

## User Population Matrix

| Population | MFA Responsibility | Mechanism |
|---|---|---|
| Standard direct-login user | Salesforce | Salesforce Authenticator / TOTP / security key |
| SSO user | IdP (Okta, Azure AD, etc.) | IdP MFA — must meet Salesforce MFA requirement |
| Integration user (OAuth) | N/A (token-based) | Connected App with client credentials / JWT |
| API-only human | Salesforce | MFA still required unless connected-app-only |
| Guest / Experience | Out of scope | — |

If a human uses a username/password to call an API, treat them as a standard user for MFA purposes.

## Exception Policy

Exceptions are allowed in narrow cases — break-glass accounts, legacy integrations being retired, etc. Every exception must have:

- A business justification.
- An owner.
- An **expiry date**, not "permanent."
- A review cadence.

Store exceptions in a custom object with required expiry validation. Run a monthly report; auto-notify owners 14 days before expiry.

## SSO Interop

If you use SSO, Salesforce delegates MFA enforcement to the IdP, but Salesforce still needs to **know** the login met MFA. Configure the SAML assertion or OpenID claim to reflect the authentication context:

- SAML `AuthnContextClassRef` should be an MFA-level context.
- OIDC `amr` or `acr` should include the MFA indicator.

Without this, Salesforce may believe the login was single-factor even though the IdP did MFA.

## Service Accounts

For non-human workloads:

- Prefer **Connected App + OAuth 2.0 JWT Bearer Flow** or **Client Credentials Flow**. These do not require MFA (token-based).
- For legacy SOAP/REST with username/password, plan the migration — MFA-exempted integration users are the most common source of compromise.

## Recommended Workflow

1. Inventory users by type (direct, SSO, integration, API-only).
2. Verify SSO asserts MFA via AuthnContext / amr.
3. Migrate username/password integrations to Connected App + JWT or Client Credentials.
4. Set up an exception object with mandatory expiry.
5. Communicate to users 2-4 weeks before cutover; ship Authenticator setup guidance.
6. Enable MFA; monitor the login error dashboard for failures.
7. Run the monthly exception review.

## Audit

- Login History report filtered by `Authentication Method`.
- Alert on integration users that suddenly start MFA-failing (likely password use or leaked creds).
- Review connected apps quarterly.

## Official Sources Used

- MFA Overview — https://help.salesforce.com/s/articleView?id=sf.mfa_require_user_to_login.htm
- Connected App OAuth Flows — https://help.salesforce.com/s/articleView?id=sf.remoteaccess_oauth_flows.htm
- MFA with SSO — https://help.salesforce.com/s/articleView?id=sf.mfa_with_sso.htm
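The SSO Interop section above says the assertion or ID token must record an MFA-level authentication context, otherwise Salesforce may count the login as single-factor. The following is an added example, not code from the SKILL.md or from Salesforce: it audits a SAML assertion's `AuthnContextClassRef` and an OIDC ID token's `amr`/`acr` claims against an allowlist. The list of MFA-level SAML context URIs and the grouping of RFC 8176 `amr` values into factor types are this example's assumptions (Salesforce publishes no single accepted list, and `acr` values are deployment-defined), and the assertions it checks are constructed. Run it on assertions captured after signature verification; the standard library XML parser is not hardened against hostile input.

```python
"""Audit whether an SSO login actually carried an MFA-level authentication context.

Added example, not code from the SKILL.md or from Salesforce. Allowlists below
are assumptions: Salesforce publishes no single list of accepted
AuthnContextClassRef URIs, and OIDC acr values are deployment-defined.
"""
import xml.etree.ElementTree as ET
from typing import Optional

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Assumed MFA-level SAML contexts: SAML authentication-context classes that imply
# a second factor, plus the multipleauthn URI that Azure AD / Entra ID emits.
MFA_SAML_CONTEXTS = {
    "http://schemas.microsoft.com/claims/multipleauthn",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorUnregistered",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:Smartcard",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI",
}

# RFC 8176 amr values grouped by factor type (the grouping is this example's assumption).
FACTOR_TYPE = {
    "pwd": "knowledge", "pin": "knowledge", "kba": "knowledge",
    "otp": "possession", "hwk": "possession", "sms": "possession", "swk": "possession",
    "sc": "possession", "tel": "possession", "pop": "possession",
    "face": "inherence", "fpt": "inherence", "iris": "inherence",
    "retina": "inherence", "vbm": "inherence",
}


def saml_authn_contexts(assertion_xml: str) -> list:
    """Return every AuthnContextClassRef value in the assertion (normally exactly one)."""
    root = ET.fromstring(assertion_xml)
    tag = f"{{{SAML_NS}}}AuthnContextClassRef"
    return [el.text.strip() for el in root.iter(tag) if el.text]


def saml_login_met_mfa(assertion_xml: str) -> bool:
    """True only if the assertion carries a context and every context is MFA-level."""
    contexts = saml_authn_contexts(assertion_xml)
    return bool(contexts) and all(c in MFA_SAML_CONTEXTS for c in contexts)


def oidc_login_met_mfa(claims: dict, expected_acr: Optional[str] = None) -> bool:
    """True if amr says 'mfa' outright, lists two different factor types, or acr
    equals the MFA value this deployment's IdP is configured to emit."""
    amr = claims.get("amr") or []
    if isinstance(amr, str):
        amr = [amr]
    if "mfa" in amr:
        return True
    factor_types = {FACTOR_TYPE.get(m, "unknown") for m in amr} - {"unknown"}
    if len(factor_types) >= 2:  # e.g. pwd + otp; pwd + pin is still one factor type
        return True
    return expected_acr is not None and claims.get("acr") == expected_acr


def _assertion(context_uri: str) -> str:
    """Build a constructed, unsigned assertion carrying one AuthnContextClassRef."""
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS}" ID="_constructed" Version="2.0">'
        "<saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>"
        "<saml:AuthnStatement><saml:AuthnContext>"
        f"<saml:AuthnContextClassRef>{context_uri}</saml:AuthnContextClassRef>"
        "</saml:AuthnContext></saml:AuthnStatement></saml:Assertion>"
    )


# Constructed inputs: a password-only login and an MFA login from an Entra-style IdP.
SINGLE_FACTOR_ASSERTION = _assertion("urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport")
MFA_ASSERTION = _assertion("http://schemas.microsoft.com/claims/multipleauthn")

if __name__ == "__main__":
    print("password-only SAML login counts as MFA:", saml_login_met_mfa(SINGLE_FACTOR_ASSERTION))
    print("multipleauthn SAML login counts as MFA:", saml_login_met_mfa(MFA_ASSERTION))
    print("OIDC amr=[pwd, otp]:", oidc_login_met_mfa({"amr": ["pwd", "otp"]}))
    print("OIDC amr=[pwd]:", oidc_login_met_mfa({"amr": ["pwd"]}))
```

The SAML check requires every asserted context to be on the allowlist rather than any one of them, so an IdP that appends a password context alongside an MFA one is flagged for review instead of silently passing. For OIDC there is no universal MFA `acr` value, so pass the string your IdP is configured to emit; `amr` alone is enough when it carries `mfa` or two factor types.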
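The Exception Policy and Audit sections describe two recurring controls: a monthly review of the exception object (required expiry, owners notified 14 days ahead) and an alert on integration users that suddenly start failing MFA. The block below is an added example, not the skill's own code, that implements both over constructed data: a small exception register stands in for the custom object, and login rows mimic a Login History export with a reduced column set (`username`, `login_time`, `login_type`, `status`) whose names and status strings are this example's assumptions, to be mapped onto a real export before use.

```python
"""Monthly MFA-exception review and 'integration user suddenly failing MFA' alert.

Added example, not code from the SKILL.md. All records are constructed: the
exception register stands in for the custom object the skill describes, and the
login rows mimic a Login History export with a reduced, assumed column set.
"""
import csv
import io
from collections import Counter, defaultdict
from datetime import date, timedelta

NOTICE_DAYS = 14  # the skill: notify owners 14 days before expiry

# Constructed exception register (one deliberately incomplete record).
EXCEPTIONS = [
    {"name": "break-glass-admin", "owner": "secops@example.com",
     "justification": "Emergency admin access", "expires_on": "2025-03-20"},
    {"name": "legacy-erp-sync", "owner": "erp-team@example.com",
     "justification": "Username/password sync, retiring Q2", "expires_on": "2025-04-30"},
    {"name": "old-etl-user", "owner": "data@example.com",
     "justification": "Vendor retired", "expires_on": "2025-02-01"},
    {"name": "undocumented", "owner": "", "justification": "", "expires_on": ""},
]

# Constructed login rows. "Remote Access 2.0" stands for an OAuth connected-app
# login and "Application" for a username/password API login; the status strings
# are simplified, not exact Salesforce values.
LOGIN_HISTORY_CSV = """username,login_time,login_type,status
etl.integration@example.com,2025-02-20T02:00:00Z,Remote Access 2.0,Success
etl.integration@example.com,2025-02-27T02:00:00Z,Remote Access 2.0,Success
etl.integration@example.com,2025-03-06T02:00:00Z,Application,Failed: MFA verification required
etl.integration@example.com,2025-03-07T02:00:00Z,Application,Failed: MFA verification required
billing.integration@example.com,2025-02-20T03:00:00Z,Remote Access 2.0,Success
billing.integration@example.com,2025-03-06T03:00:00Z,Remote Access 2.0,Success
reports.integration@example.com,2025-02-18T04:00:00Z,Application,Failed: MFA verification required
reports.integration@example.com,2025-03-05T04:00:00Z,Application,Failed: MFA verification required
alice@example.com,2025-03-06T09:00:00Z,Application,Failed: MFA verification required
alice@example.com,2025-03-06T09:01:00Z,Application,Success
"""
INTEGRATION_USERS = {"etl.integration@example.com", "billing.integration@example.com",
                     "reports.integration@example.com"}


def validate_exception(rec):
    """Return the policy violations for one record: owner, justification and a parseable expiry."""
    problems = [f"missing {f}" for f in ("owner", "justification") if not rec.get(f)]
    try:
        date.fromisoformat(rec.get("expires_on") or "")
    except ValueError:
        problems.append("missing or invalid expiry date")
    return problems


def exception_review(exceptions, today, notice_days=NOTICE_DAYS):
    """Monthly review: invalid records, already-expired ones, owners to notify, and the rest."""
    report = {"invalid": [], "expired": [], "notify": [], "ok": []}
    for rec in exceptions:
        if validate_exception(rec):
            report["invalid"].append(rec["name"])
            continue
        expires = date.fromisoformat(rec["expires_on"])
        if expires < today:
            report["expired"].append(rec["name"])
        elif expires - today <= timedelta(days=notice_days):
            report["notify"].append(rec["name"])
        else:
            report["ok"].append(rec["name"])
    return report


def logins_by_method(csv_text):
    """Logins per (username, login_type): the 'filter by Authentication Method' view."""
    return Counter((r["username"], r["login_type"]) for r in csv.DictReader(io.StringIO(csv_text)))


def password_path_event(row):
    """An MFA failure or any username/password ('Application') login; neither should
    appear for a workload that authenticates with OAuth tokens."""
    return "MFA" in row["status"] or row["login_type"] == "Application"


def integration_mfa_alerts(csv_text, integration_users, baseline_start, current_start, today):
    """Flag integration users with password-path events in the current window but none
    in the baseline; a user failing in both windows is a known case for the exception
    review, not a sudden change."""
    counts = defaultdict(lambda: {"baseline": 0, "current": 0})
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["username"] not in integration_users or not password_path_event(row):
            continue
        when = date.fromisoformat(row["login_time"][:10])
        if baseline_start <= when < current_start:
            counts[row["username"]]["baseline"] += 1
        elif current_start <= when <= today:
            counts[row["username"]]["current"] += 1
    return [{"user": u, **c} for u, c in sorted(counts.items()) if c["current"] and not c["baseline"]]


if __name__ == "__main__":
    today = date(2025, 3, 10)
    print("exception review:", exception_review(EXCEPTIONS, today))
    print("alerts:", integration_mfa_alerts(LOGIN_HISTORY_CSV, INTEGRATION_USERS,
                                            today - timedelta(days=28), today - timedelta(days=9), today))
```

In the sample data only `etl.integration` is alerted: it authenticated through OAuth in the baseline window and then produced MFA failures on a username/password path, which is the pattern the Audit section calls out. `reports.integration` fails MFA in both windows, so it belongs in the exception review rather than an alert, and the standard user `alice` is ignored because an occasional MFA retry is normal for a human login.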
Related Skills
mfa-enforcement-strategy
Plan and operate Salesforce org-wide multi-factor authentication (MFA) enforcement: verification methods, phased rollout, SSO and API-only considerations, exemptions, and operational readiness. NOT for designing Login Flow post-authentication logic, IP allowlists, or conditional step-up policies—use ip-range-and-login-flow-strategy, network-security-and-trusted-ips, or transaction-security-policies instead.
encrypted-field-query-patterns
Design SOQL, filters, reporting, and indexes against Shield Platform Encryption fields. Trigger keywords: Shield Platform Encryption, encrypted field query, probabilistic vs deterministic encryption, encrypted SOQL filter, encrypted field index. Does NOT cover: Classic Encryption (deprecated), field-level security policy, or tenant secret key rotation.
apex-managed-sharing-patterns
Grant row-level access programmatically via __Share records when declarative sharing rules cannot express the policy. NOT for OWD, role hierarchy, or criteria-based sharing rule design.
omnistudio-testing-patterns
Use when testing or validating OmniStudio components — OmniScript preview, Integration Procedure step debugging, DataRaptor field-mapping validation, and end-to-end UTAM-based automation. NOT for Apex unit testing or standard Flow debugging.
omnistudio-error-handling-patterns
Use when designing fault behavior across Integration Procedures, DataRaptors, OmniScripts, and FlexCards — error routing, user-facing messaging, retry semantics, and idempotency. Triggers: 'omnistudio error', 'integration procedure fault', 'dataraptor error handling', 'omniscript retry', 'flexcard action failure'. NOT for general Apex exception design or Flow fault paths.
omnistudio-ci-cd-patterns
Use when designing or implementing CI/CD pipelines for OmniStudio components — DataPack export/import, versioning, environment promotion, and automated deployment. NOT for standard Salesforce metadata CI/CD or Apex-only pipelines.
omniscript-design-patterns
Use when designing or reviewing OmniScripts for guided experiences, step structure, branching, save/resume, and the boundary between OmniScript, Integration Procedures, DataRaptors, and custom LWCs. Triggers: 'omniscript design', 'too many steps in omniscript', 'save and resume omniscript', 'branching in omniscript', 'when should this be an integration procedure'. NOT for deep Integration Procedure or DataRaptor design when the guided interaction layer is not the main concern.
integration-procedure-cacheable-patterns
Use when designing Integration Procedures (IPs) with platform cache to cut latency and callout load. Covers cache key design, TTL selection, per-user vs org-wide partitions, invalidation on data changes, and safe fallback on cache miss/stale. Does NOT cover general IP authoring (see omnistudio-error-handling-patterns) or LWC client-side caching.
flexcard-design-patterns
Use when designing, building, or reviewing OmniStudio FlexCards — including data source selection, card states, actions, conditional visibility, flyout configuration, and child card iteration. Triggers: 'FlexCard', 'card template', 'flyout', 'card action', 'card state', 'data source', 'child card', 'conditional visibility'. NOT for OmniScript design, standalone LWC development, or Apex controller architecture outside the FlexCard context.
dataraptor-patterns
Use when designing or reviewing OmniStudio DataRaptors, especially Extract versus Turbo Extract versus Transform versus Load, field mapping strategy, performance tradeoffs, and when to move work into Integration Procedures or Apex. Triggers: 'DataRaptor Extract', 'Turbo Extract', 'DataRaptor Load', 'DataRaptor Transform', 'OmniStudio data mapping'. NOT for overall OmniScript journey design or Integration Procedure sequencing when the main question is not the DataRaptor shape itself.
wire-service-patterns
Use when designing or reviewing Lightning Web Components that use `@wire`, Lightning Data Service, UI API, or the GraphQL wire adapter, especially for reactive parameters, cache behavior, and refresh strategy. Triggers: 'wire service', 'refreshApex', 'reactive parameter', 'getRecord', 'wire vs imperative Apex'. NOT for component communication or generic lifecycle issues when data provisioning is not the main concern.
message-channel-patterns
Use when implementing Lightning Message Service (LMS) to enable cross-DOM communication between LWC, Aura, and Visualforce components on the same Lightning page, using message channels. Triggers: 'communicate between unrelated LWC components', 'send data between Visualforce and LWC', 'lightning message service not working', 'APPLICATION_SCOPE vs default scope', 'message channel metadata deployment'. NOT for parent-child component communication (use component-communication) or server-side events.