About Salesforce Two-Factor Authentication
| Available in: Enterprise, Performance, Unlimited, Developer, and Database.com Editions |
Basic Identity Confirmation
When a user logs in, Salesforce considers the user’s geographic location and browser. If they are not recognized, Salesforce prompts the user to verify their identity, typically by sending a verification code by email or by text message to the user’s registered mobile device. The user enters the code as a secondary verification of their identity. Once verified, the user does not need to provide this information again unless they log in from a browser or location that Salesforce has not verified.
How Two-Factor Authentication Works
For stronger identity confirmation, you can require a second level of authentication on every login, on every login through the API (for developers and client applications), or for access to specific features. Two-factor authentication leverages an authentication service, such as the Salesforce Authenticator app, the Google Authenticator app, or another supported authentication service. The service provides a code, called a “time-based one-time password” (TOTP) or “time-based token”, which users enter in addition to their password when they log in.
Administrators enable two-factor authentication through permissions. Users add the authenticator service’s time-based token app or device through their own personal settings.
Configuring Two-Factor Authentication
- Require it for every login. Set the two-factor login requirement for every time the user logs in to Salesforce. You can also enable this feature for API logins. For more information, see Set Two-Factor Authentication Login Requirements or Use Two-Factor Authentication for API Access.
- Use “stepped up” authentication (also known as “high assurance” authentication). You might not need two-factor authentication for every user’s login, but if the user tries to use a connected app or access reports, then Salesforce prompts the user to enter a time-based token. For more information, see Session Security Levels.
- Use login flows. Login flows leverage the Flow Designer and profiles so you can build post-authentication requirements as the user logs in, including custom two-factor authentication processes. For more information, see the following examples.
Users need to associate an authenticator app, which generates the time-based token, with their Salesforce accounts. For more information, see Adding a Time-Based Token.