# hardis:org:user:unlink-security-key

## Description

### Command Behavior

Disconnects MFA registrations (default: Security Key / U2F + WebAuthn) from selected Salesforce users by driving a real browser session against Salesforce Setup.

This command automates the manual admin procedure documented at https://help.salesforce.com/s/articleView?id=xcloud.security_u2f_remove_users_security_key.htm so administrators can revoke a lost or compromised security key for multiple users at once.

Key functionalities:

- **User selection:** Provide a comma-separated list of usernames via `--usernames`. In interactive mode, you will be prompted if the flag is missing.
- **Method selection (opt-in):** Security Key (U2F + WebAuthn combined) is removed by default. Use `--include-salesforce-authenticator` or `--include-totp` to also disconnect those methods. Use `--no-include-security-key` to skip the security-key removal when combining with other methods.
- **Inactive users are skipped:** Inactive users (`IsActive = false`) are reported with status `inactive` and no browser action is attempted for them.
- **Per-user result:** Each username receives one of the following statuses: `unlinked`, `notLinked`, `notFound`, `inactive`, or `error`.
- **Locale-independent detection:** Disconnect links are located by the brand / spec tokens (`U2F`, `WebAuthn`, `Salesforce Authenticator`, `One-Time Password Authenticator`, `TOTP`) that Salesforce does not translate. On non-English orgs, you can extend the matching set with `--text-markers`.
- **Reporting:** A console table summarises the run, and CSV / XLSX reports are generated for audit trails.
### Agent Mode

Supports non-interactive execution with `--agent`:

```shell
sf hardis:org:user:unlink-security-key --agent --usernames 'a@x.com,b@x.com' --target-org my-admin@myorg.com
```

In agent mode:

- The confirmation prompt is skipped and the unlink procedure starts immediately.
- You must provide `--usernames` (the interactive prompt is not available).
- Method selection flags default to Security Key only unless you opt in.
### Technical explanations

The command's technical implementation involves:

- **SOQL pre-query:** Runs `SELECT Id, Username, IsActive, Name FROM User WHERE Username IN (...)` to resolve each username to a User Id. Missing rows produce `notFound`; inactive rows are short-circuited to `inactive` without launching the browser.
- **Puppeteer automation:** Reuses `puppeteer-core` with the Chrome path resolved by `getChromeExecutablePath()` and logs in to the org via `secur/frontdoor.jsp?sid=<accessToken>`, identical to the existing `hardis:org:fix:listviewmine` flow.
- **Locale-independent row matching:** For each MFA method the command navigates to the user detail page (`/lightning/setup/ManageUsers/page?address=%2F<USER_ID>%3Fnoredirect%3D1%26isUserEntityOverride%3D1`), waits for the inner Classic-style iframe, scans rows for a brand / spec marker (`U2F`, `WebAuthn`, `Salesforce Authenticator`, `One-Time Password Authenticator`, `TOTP`, etc.) and clicks the single link in that row. URL-based `href` patterns are used as a fallback if no row marker is found.
- **Salesforce labels reference:** The verbatim Setup labels are `Security Key (U2F or WebAuthn)` (Delete link), `App Registration: Salesforce Authenticator` (Disconnect), `App Registration: One-Time Password Authenticator` (Disconnect).
- **Reporting:** Generates CSV and XLSX files (`users-security-key-unlink-<date>`) via `generateReports` and prints a console table via `uxLogTable`.

Reference: [Salesforce Help - Remove a user's security key](https://help.salesforce.com/s/articleView?id=xcloud.security_u2f_remove_users_security_key.htm).
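The row-matching and `--text-markers` behaviour described above, as an added illustration that is not sfdx-hardis code: the `Row` shape, the `buildMarkers` / `findDisconnectLink` names and the French sample rows with placeholder hrefs are all constructed here. It shows why a translated label such as "Authentificateur Salesforce" is reported as `notLinked` with the default markers and is only found once the marker set is extended.

```typescript
// Added illustration, not sfdx-hardis code: locale-independent detection of the
// MFA registration row to click, plus merging of the --text-markers JSON.
type Method = "securityKey" | "salesforceAuthenticator" | "totp";

// Brand / spec tokens Salesforce leaves untranslated (listed on this page).
const DEFAULT_MARKERS: Record<Method, string[]> = {
  securityKey: ["U2F", "WebAuthn"],
  salesforceAuthenticator: ["Salesforce Authenticator"],
  totp: ["One-Time Password Authenticator", "TOTP"],
};

// Merge the optional --text-markers JSON (extra tokens per method) into a copy of the defaults.
function buildMarkers(textMarkersJson?: string): Record<Method, string[]> {
  const merged: Record<Method, string[]> = {
    securityKey: [...DEFAULT_MARKERS.securityKey],
    salesforceAuthenticator: [...DEFAULT_MARKERS.salesforceAuthenticator],
    totp: [...DEFAULT_MARKERS.totp],
  };
  if (!textMarkersJson) return merged;
  const extra: Record<string, unknown> = JSON.parse(textMarkersJson);
  for (const method of Object.keys(extra)) {
    const tokens = extra[method];
    if (!(method in merged)) throw new Error(`Unknown method in --text-markers: ${method}`);
    if (!Array.isArray(tokens) || !tokens.every((t) => typeof t === "string")) {
      throw new Error(`Markers for ${method} must be an array of strings`);
    }
    merged[method as Method].push(...(tokens as string[]));
  }
  return merged;
}

// One table row of the user detail page: its visible text and the links it holds (constructed shape).
interface Row { text: string; links: string[] }

// Returns the single link to click for a method, or null when no row matches
// (the method is not registered, i.e. status notLinked). A marker matching several
// rows, or a row without exactly one link, is an error rather than a guess.
function findDisconnectLink(rows: Row[], method: Method, markers: Record<Method, string[]>): string | null {
  const hits = rows.filter((r) => markers[method].some((m) => r.text.indexOf(m) !== -1));
  if (hits.length === 0) return null;
  if (hits.length > 1) throw new Error(`Marker for ${method} matched ${hits.length} rows`);
  if (hits[0].links.length !== 1) throw new Error(`Expected exactly one link in the ${method} row`);
  return hits[0].links[0];
}

// Constructed sample rows of a French-labelled org (hrefs are placeholders, not Salesforce URLs).
const SAMPLE_ROWS: Row[] = [
  { text: "Clé de sécurité (U2F ou WebAuthn) Supprimer", links: ["/placeholder/delete-security-key"] },
  { text: "Inscription d'application : Authentificateur Salesforce Déconnecter", links: ["/placeholder/disconnect-authenticator"] },
];
```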
## Parameters

| Name | Type | Description | Default | Required | Options |
|---|---|---|---|---|---|
| agent | boolean | Run in non-interactive mode for agents and automation | | | |
| debug -d | boolean | Activate debug mode (more logs) | | | |
| dump-anchors | boolean | Diagnostic: print every anchor found on each user detail page (use with --debug to refine markers) | | | |
| flags-dir | option | undefined | | | |
| include-salesforce-authenticator | boolean | Also unlink the Salesforce Authenticator mobile app registration | | | |
| include-security-key | boolean | Unlink the Security Key (U2F + WebAuthn combined) registration (default: true). Use --no-include-security-key to skip. | | | |
| include-totp | boolean | Also unlink the One-Time Password Authenticator (TOTP) registration | | | |
| json | boolean | Format output as json. | | | |
| skipauth | boolean | Skip authentication check when a default username is required | | | |
| target-org -o | option | undefined | | | |
| text-markers | option | JSON object adding text markers per method, useful on non-English orgs. Example: --text-markers '{"salesforceAuthenticator":["Authentificateur Salesforce"]}' | | | |
| usernames -u | option | Comma-separated list of Salesforce usernames whose security keys should be unlinked | | | |
| websocket | option | Websocket host:port for VsCode SFDX Hardis UI integration | | | |
## Examples

```shell
$ sf hardis:org:user:unlink-security-key
$ sf hardis:org:user:unlink-security-key --usernames 'a@x.com,b@x.com'
$ sf hardis:org:user:unlink-security-key --usernames 'a@x.com' --include-salesforce-authenticator --include-totp
$ sf hardis:org:user:unlink-security-key --usernames 'a@x.com' --no-include-security-key --include-totp
$ sf hardis:org:user:unlink-security-key --agent --usernames 'a@x.com,b@x.com'
$ sf hardis:org:user:unlink-security-key --usernames 'a@x.com' --text-markers '{"salesforceAuthenticator":["Authentificateur Salesforce"]}'
```