Securing Salesforce account with Token2 Security keys

Follow the instructions below to protect your Salesforce Account with Token2 FIDO Security keys. If you do not have a FIDO key, or you cannot use a USB port, or this option is not enabled for your organization, you can still use a hardware token to protect your Salesforce account. See our instructions here to learn how to use Token2 programmable TOTP tokens to protect your account.


  • Admin access to enable security keys for the Salesforce organization (not required if security keys are already enabled)
  • Modern browser supporting security keys
  • A Token2 FIDO security key; both first generation (U2F) or second generation (FIDO2) can be used

Enable security key in your Salesforce org

⚠ Admin access is required for this operation. If this setting is already active you can skip this section.

Login to your Salesforce org using an administrative account, select Setup an then navigate to Settings ⟶ Security ⟶ Session Settings .
Securing Salesforce account with Token2 Security keys

In the Session Settings page, enable 'Let users verify their identity with a physical security key (U2F)' option and save the changes.

Securing Salesforce account with Token2 Security keys

Please note that these settings are also located in Identity Verification section. You can change these settings in either location. The visual appearance of the settings page may be different depending on your org settings.

Registering a security key for user accounts

After the Salesforce admin has allowed the use of Universal Second Factor (U2F) security keys, users can enroll their  own security key to connect it to their accounts. Anytime a user is challenged to verify the identity, including multifactor authentication (MFA) and device activations, he/she can insert the enrolled security key into the appropriate port on the computer or mobile device to complete the verification. 

Users can register the same security key with multiple service providers (such as Google or Github) and multiple Salesforce orgs and accounts. It is recommended to register at least 2 security keys (to have a backup in case the primary key is lost, stolen or damaged)

  • Have your U2F-compliant security key in hand so that you’re ready to insert it when prompted. If you wait too long, your registration attempt can time out.
  • Click on your user avatar (right top corner) and select Settings
    Securing Salesforce account with Token2 Security keys

  • From the user settings page, click on 'Advanced User Details', then on the right window, find Security key (U2F) 

    Securing Salesforce account with Token2 Security keys

  • Click Register next to the Security Key (U2F) field. If you don’t see this option, your Salesforce admin has disallowed the use of security keys (refer to the previous section)
  • For security purposes, you’re prompted to log in to your account.
  • At the prompt, insert your security key into the appropriate port on your computer or mobile device. If it has a button, touch the button.

    Securing Salesforce account with Token2 Security keys

  • After successful registration, click Continue to dismiss the confirmation message.
    Securing Salesforce account with Token2 Security keys
  • To help keep your account secure, Salesforce will send an email notification after successful registration

Now the account ready to use this identity verification method. When Salesforce prompts you for your U2F security key, insert it, and touch the button if it has a button. The security key generates the required credentials, and the browser passes them on to Salesforce to complete the verification.

09/12/2021 - There seems to be a technical issue with using this functionality under mobile browsers. This is not a platform nor browser restriction, but more the issue with the login and enrollment scripts at the Salesforce side. This was reported and should be resolved soon.

order security keys