Multi-factor authentication: MFA_AUTHENTICATION_METHODS parameter deprecation (Preview)

Attention

This behavior change is in the 2025_06 bundle.

For the current status of the bundle, refer to Bundle History.

This behavior change deprecates a parameter of authentication policies and replaces it with a new parameter. The change behaves as follows:

Before the change:

The MFA_AUTHENTICATION_METHODS parameter of an authentication policy specifies a list of authentication methods that enforce multi-factor authentication (MFA) during login.

The MFA_AUTHENTICATION_METHODS parameter has two possible values: PASSWORD and SAML.

After the change:

The MFA_AUTHENTICATION_METHODS parameter is deprecated. There is no longer a parameter to specify whether MFA is required for password users who are enrolled in MFA; if a password user is enrolled in MFA, they must use a second factor of authentication.

A new parameter, ENFORCE_MFA_ON_EXTERNAL_AUTHENTICATION, is available in an authentication policy to specify whether MFA is required for single sign-on (SSO) logins. The new parameter has two possible values: ALL and NONE. If ALL is specified, then MFA is enforced for SSO logins when users are enrolled in MFA.

If your existing authentication policy had MFA_AUTHENTICATION_METHODS = 'SAML', then the new ENFORCE_MFA_ON_EXTERNAL_AUTHENTICATION parameter is set to ALL.

This change helps implement a milestone in the deprecation of single-factor password logins. It works in conjunction with another behavior change in this bundle: Multi-factor authentication: MFA_ENROLLMENT parameter values change (Preview).

For detailed information about how the changes in this bundle affect password and SSO authentication for your users based on your current authentication policy, see Upcoming Multi-Factor Authentication (MFA) enforcement for Snowsight logins with single-factor passwords (Knowledge Base article).

Ref: 2086