+ Start a Discussion
msreekmdreammsreekmdream 

Using Two-Factor Authentication for API Access

How does 2 factor work for API access in salesforce? If enabled, how will API generate new tokens every time it expires, unlike humans who can look at authenticator app and add it to password. Documentation (https://help.salesforce.com/HTViewHelpDoc?id=security_require_2fa_api.htm&language=en_US) is not clear.

Also somewhere I read that in advanced user profile you can add a token in Time-Based Token field , but I dont see Add link in user profile , only remove link.  I was assuming that if we add the token in API user one time (from authenticator app_ ,we could use this in API calls.

 
NagaNaga (Salesforce Developers) 
Hi msreekmdream,

For users without 2FA enabled, and for applications using the OAuth web flow for authentication, everything is business as usual. You’ll continue to authenticate with the API just as you always have. (That was easy.)

If you enable 2FA and use Basic Authentication to access the API, we’re providing multiple options to make the flow simple and easy.

Please follow the link below

https://developer.github.com/changes/2013-09-03-two-factor-authentication/

Best Regards
Naga Kiran
msreekmdreammsreekmdream
That link is 2f auth for github! My question was for salesforce.
Jay HartleyJay Hartley
Two years later and I still don't see any actual documentation on how a system is supposed to provide the second factor as part of API calls. I can get my application to use TOTP to generate a token, assuming it's initialized with the key generated when the 2fa is enabled. I just don't see any documentation on how to send that token to verify the login.
Ken Clark 9Ken Clark 9
How do I do it with Multi-Factor Authentication (MFA)?
I was using python simple-salesforce for access, and working fine.  But with MFA I need more than just the username and password.  I am okay with prompting for the Google Authenticator number and typing it in.  (Or using a Yubikey automatically.)
Maybe just another variable name in the function call?
I also do it by doing a REST interaction with username and password to get a "session id".  But again, this is not working with MFA enabled.  How do I include something in the REST API call (add the Google Authenticator six digit number)?