Salesforce is enhancing security by requiring passkeys for administrators and users with specific elevated permissions. This change, with a production rollout starting July 1, 2026, aims to mitigate risks like "push bombing" attacks by requiring physical presence at the device during login.
Background
The security landscape is constantly evolving, and Salesforce is adapting to new threats. Traditional multi-factor authentication (MFA) methods can be vulnerable to attacks where multiple login requests are sent to a user's device. Passkeys, which utilize device biometrics (like Touch ID or Windows Hello) or hardware security keys (e.g., YubiKey), provide a stronger assurance of physical user presence.
Key Dates
- Sandbox Rollout: Begins June 22, 2026, and lasts seven days.
- Production Rollout: Begins July 1, 2026, and lasts 30 days.
Who is Affected?
Salesforce is making passkeys mandatory for:
- Users with administrator-level access.
- Users with permissions such as Modify All Data, View All Data, Customize Application, or Author Apex.
It's crucial to inspect your Profiles and Permission Sets to identify all affected users, especially in organizations that might have historically granted broad data visibility.
Identifying Affected Users with SOQL
To efficiently identify users with the relevant permissions, leverage the following SOQL query:
SELECT
Assignee.Id,
Assignee.Name,
Assignee.Email,
Assignee.Username,
Assignee.IsActive,
PermissionSet.Name,
PermissionSet.Profile.Name,
PermissionSet.PermissionsModifyAllData,
PermissionSet.PermissionsViewAllData,
PermissionSet.PermissionsCustomizeApplication,
PermissionSet.PermissionsAuthorApex
FROM
PermissionSetAssignment
WHERE
Assignee.IsActive = TRUE
AND (
PermissionSet.PermissionsModifyAllData = TRUE
OR PermissionSet.PermissionsViewAllData = TRUE
OR PermissionSet.PermissionsCustomizeApplication = TRUE
OR PermissionSet.PermissionsAuthorApex = TRUE
)
This query returns all active users assigned to permission sets that include the specified elevated permissions, regardless of whether these permissions are in a Profile or a Permission Set.
Passkey Options
Users will have choices regarding their passkey implementation:
- Passkeys: Tied to a device (PC, Mac, mobile app) using biometrics.
- Advantage: Free.
- Disadvantage: Requires cloud backup to avoid login issues if the primary device is unavailable. Be cautious about relying solely on password managers if they don't meet Salesforce's current security criteria.
- Security Keys (Hardware Tokens): Physical USB devices.
- Advantages: Device-agnostic, ideal for users who switch devices or don't always carry a laptop.
- Disadvantages: An additional item to carry and a recurring cost per user (approximately $35 USD).
- Both: Recommended for users with multiple devices or those who prefer backup options.
Implementation Steps
Administrator Setup
- Navigate to Setup > Identity > Identity Verification.
- Check the boxes for:
- "Let users verify their identity with a built-in authenticator such as Touch ID or Windows Hello."
- "Let users verify their identity with a physical security key (U2F or WebAuthn)."
- (Optional) "Allow passwordless login with passkeys" (skips MFA code entry).
- Click Save.
User Registration
Each affected user must then:
1. Go to their Settings.
2. Navigate to Advanced User Details.
3. In the Built-in Authenticators related list, click Register.
4. Follow the prompts, assigning a descriptive name to the authenticator (e.g., "Work Laptop - Dell XPS").
5. Important: If using a password manager for passkey storage, ensure it meets Salesforce's security requirements. It's recommended to register your native device authenticator (like Windows Hello) before your password manager.
6. To add a secondary authenticator (e.g., for a different device), repeat steps 3-5.
To test, log in using a different browser and verify that you are prompted for your passkey.
Managing Access and Rollout Considerations
- Administrator Lockout: Ensure at least one other Salesforce Administrator can unlock your account. If locked out, contact Salesforce Support for a one-time code login, though this process may not be immediate.
- "Login As" Feature: Administrators using the "Login As" feature must also set up passkeys.
- Multiple Devices: For users needing access on multiple PCs without shared passkey information or hardware tokens, register additional authenticators. You can link mobile devices by scanning a QR code presented during registration.
- Rollout Planning: Coordinate with users, as mass registration will require time and communication. Consider implementing checks to ensure users have added their authenticators.
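The SOQL query above returns one row per (user, permission set) pair, so a user granted View All Data by one permission set and Author Apex by another appears twice, and a row whose PermissionSet.Profile.Name is populated comes from a profile rather than a standalone permission set. The following Python script, added here as an example and not Salesforce's own code, collapses those rows into one entry per affected user with the permissions and grant sources that triggered inclusion, then compares the result against a set of usernames already enrolled (the rollout check the last bullet recommends). The sample rows and the `registered` set are constructed; the helper names `_row`, `affected_users` and `missing_passkey` are this example's own.

```python
from collections import defaultdict
# The four permission fields the page's WHERE clause tests, keyed to the
# labels shown in Setup.
ELEVATED = {
    "PermissionsModifyAllData": "Modify All Data",
    "PermissionsViewAllData": "View All Data",
    "PermissionsCustomizeApplication": "Customize Application",
    "PermissionsAuthorApex": "Author Apex",
}

def _row(username, ps_name, profile, **perms):
    """Build one constructed query row shaped like the SOQL result."""
    ps = {"Name": ps_name, "Profile": {"Name": profile} if profile else None}
    ps.update({f: perms.get(f, False) for f in ELEVATED})
    return {"Assignee": {"Username": username, "IsActive": True},
            "PermissionSet": ps}

# Constructed sample rows: one admin via a profile, one user via two perm sets.
SAMPLE_RECORDS = [
    _row("alice@example.com", "SysAdmin_Profile_Set", "System Administrator",
         PermissionsModifyAllData=True, PermissionsViewAllData=True,
         PermissionsCustomizeApplication=True, PermissionsAuthorApex=True),
    _row("bob@example.com", "Reporting_Super_User", None,
         PermissionsViewAllData=True),
    _row("bob@example.com", "Apex_Dev", None, PermissionsAuthorApex=True),
]

def affected_users(records):
    """Collapse rows into {username: {"perms": set, "sources": set}}.

    A source reads 'Profile: <name>' when PermissionSet.Profile.Name is
    populated (profile-backed permission set) or 'PermSet: <name>' otherwise.
    """
    out = defaultdict(lambda: {"perms": set(), "sources": set()})
    for rec in records:
        if not rec["Assignee"]["IsActive"]:
            continue
        ps = rec["PermissionSet"]
        perms = {label for field, label in ELEVATED.items() if ps.get(field)}
        if not perms:
            continue
        profile = ps.get("Profile")
        src = f"Profile: {profile['Name']}" if profile else f"PermSet: {ps['Name']}"
        entry = out[rec["Assignee"]["Username"]]
        entry["perms"] |= perms
        entry["sources"].add(src)
    return dict(out)

def missing_passkey(affected, registered):
    """Usernames in the affected set with no enrolled passkey yet."""
    return sorted(u for u in affected if u not in registered)
```

Feed `affected_users` the query export (the nested field names match the SELECT list on the page) and pass whatever list of enrolled usernames you track during the rollout to `missing_passkey` to get the outstanding users.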
Key Takeaways
- Salesforce passkey adoption is mandatory for admins and users with elevated permissions from July 2026.
- Identify affected users via SOQL queries targeting specific permissions like View All Data or Modify All Data.
- Users can choose between device-bound passkeys (biometrics) or hardware security keys.
- Implement passkey setup through Setup > Identity > Identity Verification, followed by individual user registration under Advanced User Details.
- Plan the rollout carefully, ensuring administrator access and user compliance.