Salesforce MFA Troubleshooting
Since February 2022, multi-factor authentication (MFA) has been required for every Salesforce direct UI login. When MFA stops working, you are completely locked out. This guide covers the most common problems and their solutions.
Problem 1: Lost or Broken Phone
If the device with your Salesforce Authenticator app (or third-party TOTP app) is lost, stolen, or broken, you cannot approve the MFA prompt yourself.
What to do:
1. Contact your Salesforce administrator — they are the only person who can restore access.
2. The admin navigates to Setup → Users → [Your User Record].
3. Under the "App Registration: Salesforce Authenticator" section, the admin clicks Disconnect to remove the old device.
4. The admin clicks Generate Temporary Verification Code to create a one-time code that lets you log in.
5. After logging in with the temporary code, Salesforce will prompt you to re-register MFA with your new device.
Temporary Codes Expire
Temporary verification codes are valid for 1–24 hours depending on admin configuration. Use them promptly.
Problem 2: Salesforce Authenticator Not Sending Push Notifications
If you open the Salesforce Authenticator app and nothing appears — no approval prompt — try these fixes in order:
1. Check your internet connection. The Authenticator app requires internet access to receive push notifications. Switch between Wi-Fi and cellular data to test.
2. Force-close and reopen the app. On iOS, swipe up from the app switcher. On Android, clear the app from recents.
3. Ensure notifications are enabled. Go to your phone's Settings → Notifications → Salesforce Authenticator and confirm push notifications are allowed.
4. Retry the login. Go back to the Salesforce login page and click "Send notification again" or re-enter your credentials to trigger a new push.
5. Use the TOTP code instead. In the Salesforce Authenticator app, the 6-digit code shown below the account name works even without internet. Enter it on the Salesforce verification screen.
Problem 3: TOTP Code Rejected
If the 6-digit code from your authenticator app (Salesforce Authenticator, Google Authenticator, Authy, etc.) is rejected:
- Check your phone's clock. TOTP codes are time-based and require an accurate system clock. Go to Settings → Date & Time and enable "Set Automatically."
- Wait for the next code. Each code is valid for 30 seconds. If you entered it right at the end of the window, wait for the next one.
- Verify you are using the right account. If you have multiple Salesforce orgs registered in your authenticator app, make sure you are reading the code for the correct org.
Problem 4: Locked Out and Cannot Reach an Admin
If your admin is unavailable:
- Check if your org uses SSO. SSO login bypasses Salesforce-native MFA if the identity provider handles authentication. Try logging in through your company's SSO portal (e.g., Okta dashboard).
- Use a backup verification method. If your admin configured a security key (U2F/WebAuthn) or built-in authenticator as a secondary method, try one of those.
- Contact Salesforce Support directly. Open a case at help.salesforce.com. Identity verification will be required.
Problem 5: Admin Needs to Reset MFA for a User
If you are a Salesforce admin helping a user:
1. Go to Setup → Users and find the user.
2. Under "App Registration: Salesforce Authenticator," click Disconnect.
3. If the user also registered a TOTP app, go to "App Registration: One-Time Password Generator" and click Disconnect.
4. Click Generate Temporary Verification Code. Set an expiration time (default is 24 hours) and share the code securely with the user.
5. The user logs in with their password plus the temporary code and is prompted to re-register MFA.
Security Best Practice
Deliver temporary codes via a secure channel — a phone call or encrypted message. Never put them in a plain-text email alongside the user's username.
MFA Methods Supported by Salesforce
| Method | How It Works | Offline Capable? |
|---|---|---|
| Salesforce Authenticator (push) | Tap "Approve" on a push notification | No |
| Salesforce Authenticator (TOTP) | Enter the 6-digit code shown in the app | Yes |
| Third-party TOTP app | Enter a code from Google Authenticator, Authy, etc. | Yes |
| Security key (U2F/WebAuthn) | Tap a physical USB/NFC key | Yes |
| Built-in authenticator | Use Touch ID, Face ID, or Windows Hello | Yes |
Preventing Future MFA Lockouts
- Register multiple MFA methods. Add both a TOTP app and a security key so you have a fallback.
- Keep backup codes. Some orgs allow admins to generate backup codes — store them in a secure password manager.
- Document your admin chain. Know who your Salesforce admins are and how to reach them outside of Salesforce (phone number, Slack, etc.).
