| Question | Answer |
| How do you enable 2FA for all users? | “Session Settings” – Require multi-factor authentication (MFA) for all direct UI logins to your Salesforce org |
| How do you enable 2FA for selected users? | Using profiles / permission settings |
| How do you skip 2FA for selected users if you have enabled 2FA at the org. level | override for specific users using Waive Multi-Factor Authentication for Exempt Users at profile / permission settings |
| When SMS verification is prompted? | When the user logs in from a new IP / browser and his mobile no. is registered |
| What happens if the user hasn’t validated the mobile no? | OTP sent to the users email address |
| Is SMS or email verification an alternate to MFA | No. They are for different purpose |
| Would SMS or email verification prompted from a trusted IP range if defined | No |
| Can you set rules for approvals in the mobile authenticator? | Yes, IP based rules can be set for auto-approvals provided it is enabled in session settings |
| What happens if the user logs in from an unknown IP and also MFA is enabled | User has to enter the Mobile / Email OTP as well as approve using the authenticator apps. |
| How do you disconnect the user from the authenticator? | You can do it from the user settings so that the user can re-enroll in a new device |
| Is MFA mandatory? | For salesforce to be accountable for your instance security, Salesforce made MFA as mandatory otherwise salesforce may not be accountable for security risks |
Venky's Blog 