Multi-Factor Authentication (MFA)


Last updated March 14, 2022

Table of Contents

  • Quick Start
  • What is MFA
  • Enabling MFA and Registering Verification Methods
  • Log In with MFA
  • MFA Verification Methods
  • Managing Verification Methods
  • Session Lengths for MFA-Enabled Users

Multi-factor authentication (MFA) is an effective way to increase protection for your account against common threats like phishing attacks, credential stuffing, and account takeovers.

All customers must enable MFA in order to access Salesforce products. If you have SSO enabled for Heroku, enable MFA at your SSO provider instead of following the steps in this article for enabling Heroku MFA.

Quick Start

If you are already familiar with MFA, follow these quick steps to enable MFA:

  • Select your preferred MFA verification method:
    • Salesforce Authenticator or a third-party authenticator app installed on your phone OR
    • a portable security key such as Yubikey or Google Titan Key OR
    • a device with a built-in authenticator such as Touch ID or Windows Hello
  • Start at Account Settings, select Setup Multi-Factor Authentication and follow the prompts

You are done!

We recommend setting up at least one backup verification method to avoid getting locked out if your primary verification method is not available.

Want to know more? Read on.

What is MFA

With MFA, users are required to prove they’re who they say they are by providing two or more pieces of evidence—or factors—when they log in.

One factor is the user’s username and password combination. The requirement for additional factors is satisfied through the use of a verification method that the user has in their possession, such as an authenticator app or security key. Even if hackers steal the user’s password, they can’t log in because they don’t have access to the user’s verification method.

What does this mean for you?

When you log in to Heroku after enabling MFA, you enter your email and password as usual and then complete MFA verification using one of your registered verification methods.

MFA verification can be as simple as tapping a notification on your phone, entering a code from a mobile authenticator app or using your fingerprint.

Enabling MFA and Registering Verification Methods

There are two ways you can enable MFA: from Account Settings or by responding to the MFA enablement reminder on Dashboard. As part of the enablement process, you register at least one MFA verification method.

We strongly recommend registering multiple verification methods so that you can always access your account. For example, if you’re using a mobile authenticator app as your primary verification method, it’s a good idea to also generate temporary recovery codes in case you forget or lose your mobile device.

From Account Settings

  • Start at Account Settings and select Setup Multi-Factor Authentication.

  • Click Add to select a verification method of your choice and follow the on-screen instructions.

  • Repeat for registering additional verification methods. We highly recommend adding a backup verification method.

  • Click Done to finish.

You will receive an email notification confirming the addition of a new MFA verification method.

MFA Enablement Reminder

Heroku will occasionally remind you to enable MFA by displaying a reminder on Dashboard. You can enable MFA by clicking Continue on the reminder screen and selecting a verification method.

With this option, you can register only Salesforce Authenticator or a third-party authenticator app as a verification method.

Don’t forget to add a secondary verification method later through Account Settings.

Log In with MFA

When logging in to Heroku Dashboard after MFA is enabled, you enter your username and password as usual. You are then prompted to complete MFA verification using a registered verification method. For example, you receive a notification on your phone if you’re using Salesforce Authenticator as your method. You tap on the notification and approve in the app to complete logging in. When you have multiple verification methods registered, you can pick the verification method that you want to use.

Logging in to the Heroku CLI after MFA is enabled requires you to open a browser and log in to Dashboard first. The --interactive option cannot be used because MFA verification has a technical dependency on web browsers.

MFA Verification Methods

You can use any (or even all!) of the following MFA verification methods.

  • Salesforce Authenticator - a mobile app from Salesforce for secure, fast and frictionless MFA via push notifications
  • Third-party Authenticator Apps - Google Authenticator or similar third-party authenticator apps
  • Security Key - a physical security key such as Yubikey or Google Titan Key
  • Built-in Authenticator - built-in verification via an operating system’s biometric service, such as Windows Hello or Touch ID
  • Recovery Codes - a set of one-time use codes that a user can generate for backup purposes, when other verification methods are not available
  • SMS (deprecated) - a phone that can receive text messages via SMS. This option is available until November 2021 only for users that had 2FA enabled prior to January 2021 and had a mobile number configured as a backup.

Managing Verification Methods

We strongly recommend registering multiple verification methods. To add or remove verification methods:

  • Start at Account Settings and select Manage Multi-Factor Authentication.
  • To add a verification method, click Add for the verification method of your choice, and follow on-screen instructions.
  • To delete a verification method, click the Trash icon and confirm.
  • Click Done to finish.

See MFA Verification Methods for additional information about each verification method.

Session Lengths for MFA-Enabled Users

For security reasons, users can stay logged into the Heroku Dashboard for a limited time. The default web session length is 24 hours. Sessions automatically extend up to 10 days if there is activity on your Dashboard session within a 24-hour period.

The default session length for the Heroku CLI is 30 days.
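
The Dashboard session rule above, modeled as a sliding 24-hour window with a 10-day hard limit. This is an added example, not Heroku's code; the function name, the sample timestamps, and the exact reading of the rule (activity only counts while the session is still valid, and the 10 days are measured from login) are assumptions.

```python
from datetime import datetime, timedelta

IDLE_WINDOW = timedelta(hours=24)  # default web session length stated on this page
ABSOLUTE_CAP = timedelta(days=10)  # sessions extend "up to 10 days"


def session_expiry(login, activity):
    """Return (expires_at, ignored) for a session that started at `login`.

    Assumed model: a request made while the session is valid moves the expiry
    to request time + 24 hours, never past login + 10 days. Requests that
    arrive after expiry do not revive the session; they need a fresh login.
    """
    hard_limit = login + ABSOLUTE_CAP
    expires_at = min(login + IDLE_WINDOW, hard_limit)
    ignored = []
    for ts in sorted(activity):
        if ts < login or ts >= expires_at:
            ignored.append(ts)
            continue
        expires_at = min(ts + IDLE_WINDOW, hard_limit)
    return expires_at, ignored


# Constructed sample data (not real Heroku logs).
LOGIN = datetime(2022, 3, 1, 9, 0)
STEADY_USE = [LOGIN + timedelta(hours=20 * k) for k in range(1, 14)]
WITH_GAP = [LOGIN + timedelta(hours=10), LOGIN + timedelta(hours=40)]

if __name__ == "__main__":
    for name, events in [("idle", []), ("steady", STEADY_USE), ("gap", WITH_GAP)]:
        expires_at, ignored = session_expiry(LOGIN, events)
        print(f"{name:7} expires {expires_at}  requests after expiry: {len(ignored)}")
```

Under this model, steady use every 20 hours still ends at the 10-day mark, and a 30-hour gap ends the session even though the user returns later.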
