Salesforce phishing-resistant MFA enforcement
From 1 July 2026, Salesforce is enforcing phishing-resistant MFA for all privileged users. This page explains whether you need to take any action for your MoveData integration.
Your MoveData integration is not affected.
MoveData authenticates to Salesforce using JWT Bearer tokens, which are unaffected by phishing-resistant MFA enforcement. No re-authorisation or configuration changes are required.
What changed#
Salesforce is requiring privileged users to authenticate using a phishing-resistant MFA method, such as:
- A physical security key (FIDO2/WebAuthn)
- A platform authenticator built into the device (e.g. Touch ID, Windows Hello)
- A passkey
Traditional MFA methods like one-time codes from an authenticator app, SMS, and email are no longer accepted for privileged users.
Impact on your MoveData integration#
None. MoveData connects to Salesforce using the JWT Bearer flow, a server-to-server authentication flow that does not involve an interactive user login.
Because no user is logging in when MoveData runs an integration, MFA — including phishing-resistant MFA — does not apply.
| Authentication flow | Used by | Affected by MFA enforcement? |
|---|---|---|
| JWT Bearer | MoveData integration | No |
| OAuth Web Server | Interactive user logins | Yes |
Impact on your Salesforce users#
The enforcement applies to your direct user logins to Salesforce, including the user that authorised MoveData and any other privileged users in your org. You and your team will need to set up a phishing-resistant MFA method on your own Salesforce user accounts before 1 July 2026.
If the MoveData Authorised User is an account that you invited and is controlled by MoveData, it is also a privileged user and must satisfy the enforcement by 1 July 2026. You have the following options:
If you want to change the authorised user controlled by MoveData, this is an action you can complete yourself:
- Change the authorised user. Re-authorise MoveData under a different Salesforce user that already has phishing-resistant MFA configured. See Change the authorised user for the full process.
If you want to retain the existing authorised user controlled by MoveData, one of the following actions must be completed:
- Switch to a Salesforce Integration user licence. Integration users have no UI login, so phishing-resistant MFA enforcement does not apply to them. See Using a Salesforce Integration User Licence for the full configuration walkthrough.
- Register a passkey on the existing authorised user. A passkey is a phishing-resistant MFA method and satisfies the enforcement without changing the authorised user or its licence. MoveData registers the passkey on the account — no action is required on your side.
Important
MoveData is unable to support other means of MFA on the authorised user. Methods such as one-time codes from an authenticator app, SMS, or email do not meet Salesforce's phishing-resistant MFA requirement and will not be configured.