Multi-Factor Authentication (MFA)

Last updated June 16, 2023

Multi-factor authentication (MFA) is an effective way to increase protection for your account against common threats like phishing attacks, credential stuffing, and account takeovers.

All customers must use MFA to access Salesforce products. If you have SSO enabled for Heroku, you must enforce MFA at your SSO provider. Read more.

What Is MFA?

With MFA, users must prove they’re who they say they are by providing two or more pieces of evidence—or factors—when they log in.

One factor is the user’s username and password combination. The requirement for additional factors is satisfied with a verification method that the user has in their possession, such as an authenticator app or security key. Even if hackers steal the user’s password, they can’t log in because they don’t have access to the user’s verification method.

What does MFA mean for you?

When you log in to Heroku, you enter your email and password as usual and then complete MFA verification using one of your registered verification methods.

MFA verification can be as simple as tapping a notification on your phone, entering a code from a mobile authenticator app, or using your fingerprint.

Registering Verification Methods

You’re prompted to enable MFA upon new account creation. As part of the enablement process, you register at least one MFA verification method. Don’t forget to add a secondary verification method later through Account Settings.

We strongly recommend registering multiple verification methods so that you can always access your account. For example, if you use a mobile authenticator app as your primary verification method, it’s a good idea to also generate temporary recovery codes in case you forget or lose your mobile device.

To Register a Verification Method

  • From Account Settings, select Setup Multi-Factor Authentication.
  • To select a verification method of your choice, click Add, and then follow the on-screen instructions. Add Verification Methods
  • To register additional verification methods, repeat this process. We highly recommend adding a backup verification method.
  • Click Done.

You receive an email notification confirming the addition of a new MFA verification method.

Log In with MFA

When logging in to Heroku Dashboard, you enter your username and password as usual. You’re then prompted to complete MFA verification using a registered verification method. For example, you receive a notification on your phone if you use Salesforce Authenticator as your method. To complete login, you tap on the notification and approve in the app to complete logging in. When you have multiple verification methods registered, you can pick the verification method that you want to use.

Logging in to Heroku CLI requires you to open a browser and log in to Dashboard first. The --interactive option can’t be used due to technical dependency on web browsers for MFA verification.

MFA Verification Methods

You can use any, or all, of these MFA verification methods.

  • Salesforce Authenticator — a mobile app from Salesforce for secure, fast, and frictionless MFA via push notifications
  • Third-party Authenticator AppsGoogle Authenticator or similar third-party authenticator apps
  • Security Key — a physical security key such as Yubikey or Google Titan Key
  • Built-in Authenticator — built-in verification via an operating system’s biometric service, such as Windows Hello or Touch ID
  • Recovery Codes — a set of one-time use codes that a user can generate for backup purposes when other verification methods aren’t available
  • SMS (deprecated) — a phone that can receive text messages via SMS. This option is available until November 2021 for users who had 2FA enabled prior to January 2021 and had a mobile number configured as a backup. Read More.

Managing Verification Methods

We strongly recommend registering multiple verification methods.

To Add or Remove Verification Methods

  • Go to Account Settings, and then select Manage Multi-Factor Authentication.
  • To add a verification method of your choice, click Add, and follow the on-screen instructions.
  • To delete a verification method, click the trash icon and confirm.
  • Click Done.

For additional information about each verification method, see MFA Verification Methods.

Session Lengths

For security reasons, users can stay logged into the Heroku Dashboard for a limited time. The default web session length is 24 hours. If there is activity on your Dashboard session within a 24-hour period, sessions automatically extend up to 10 days.

The default session length for the Heroku CLI is 30 days.

Feedback

Log in to submit feedback.