Setting up passkeys for your Salesforce User
Overview
Starting in July 2026*, Salesforce will enforce stronger security requirements for logging into a Salesforce instance. This affects both sandboxes and production orgs.
| User Type | Requirement |
|---|---|
| Employee Users | Standard MFA: Salesforce Authenticator, TOTP Apps (Google/Microsoft Auth) |
| Privileged Users and Administrators (including RIO Administrators) | Phishing-Resistant MFA: Security Keys (WebAuthn), Built-in Authenticators a.k.a. Passkeys (Touch ID, Windows Hello), Admin-Generated Temporary Verification Codes |
*This is gradually being rolled out to organisations throughout the month.
The simplest solution to meet this requirement for your user is to set up passkeys. Passkeys act similarly to 2FA (where you need to approve your login using a code/confirmation from your phone); however, the device used to approve the login (e.g. your phone, which stores the passkey) must physically be in close proximity to the device on which you are attempting to log in (e.g. your PC). To confirm a login's approval, you will typically use a PIN or biometrics (e.g. fingerprint, Face ID).
How to create and use a passkey
You can create passkeys for multiple devices, for example, your phone, your work computer, and your home computer. It is recommended that you create a passkey on your phone first, so that you can use it to authorise your logins on your work/home computers. Then, when logged in to your work computer, you can create a passkey on your work computer itself, which will use Windows Hello to approve your logins on that computer.
Upon logging in as an admin/privileged user, you should be prompted to Register a Passkey.

If this has not appeared, or if you wish to add an additional passkey, you can go to View Profile | Settings | Advanced User Details, scroll down to Built-in Authenticators and click Add.
Passkey stored on a phone
The computer you are using must have Bluetooth support.
Clicking Register Passkey will open this Windows Security prompt. Select iPhone, iPad, or Android device.

Use your mobile device to scan the QR code, and tap Use passkey when it appears.

Save the passkey to your device. It will be stored in your device's password manager (e.g. Google Password Manager, Bitwarden).

You can now use your phone to approve logins to your user. Your phone will need to be in close proximity to the device you are logging in on, as it uses Bluetooth's Nearby Device function to detect the device. The computers you log in on must have Bluetooth support. The phone and computer must have Bluetooth turned on, but do not need to be paired.

Now when you log in, you will be prompted to Verify Your Identity. Click Verify.

Select iPhone, iPad, or Android device.

Scan the QR code with your phone and tap Use passkey when it appears.


Use your phone's biometrics to approve your login.

Passkey stored on a computer
Clicking Register Passkey will open this Windows Security prompt. Select This Windows device.

Click Continue and enter your Windows Hello PIN.


This will save the passkey to your device. Once this is set up, you will only be able to log in from this device, unless you set up passkeys for other devices as well.

When logging in, you will be prompted to Verify Your Identity. Click Verify.

Enter your Windows Hello PIN.

Your login on this device will be approved.
To add an additional passkey (e.g. your phone, to allow logins on other devices), you can go to View Profile | Settings | Advanced User Details, scroll down to Built-in Authenticators and click Add.
