Two-Factor Authentication

As a Salesforce admin, you can enhance your org’s security by requiring a second level of authentication for every user login. You can also require two-factor authentication when a user meets certain criteria, such as attempting to view reports or access a connected app.
Available in: Both Salesforce Classic and Lightning Experience
Available in: Group, Professional, Enterprise, Performance, Unlimited, Developer, and Contact Manager Editions

Basic Identity Confirmation

When a user logs in, Salesforce considers the user’s device. If it’s not recognized, Salesforce challenges the user to verify identity using the highest-priority verification method available for that user. The following is the order of priority for verification methods.
  1. Verification via push notification or location-based automated verification with the Salesforce Authenticator mobile app connected to the user’s account.
  2. Verification code generated by a mobile authenticator app connected to the user’s account. This type of code is sometimes called a “time-based one-time password.” The code value changes periodically.
  3. Verification code sent via SMS to the user’s verified mobile device. If users don’t have a verified mobile number, they’re prompted to register one when they log in to Salesforce. Registering a mobile phone number verifies it and enables this method when the user is challenged in the future.
  4. Verification code sent via email to the user’s email address. The code expires after 24 hours.
After verification, Salesforce doesn’t have to verify the user’s identity again, unless the user logs in from a new device that Salesforce doesn’t recognize.
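The device check and the priority order above, modelled as an added example (this is illustrative code, not Salesforce's implementation; the `UserProfile` record, method names and epoch-second timestamps are assumptions):

```python
from dataclasses import dataclass, field

# Priority order from the documentation, highest priority first.
METHOD_PRIORITY = (
    "authenticator_push",  # Salesforce Authenticator push / location-based auto-verify
    "totp_app",            # code from a connected mobile authenticator app
    "sms",                 # code sent to a verified mobile number
    "email",               # code sent to the user's email address
)

EMAIL_CODE_LIFETIME_S = 24 * 3600  # email codes expire after 24 hours


@dataclass
class UserProfile:
    """Hypothetical user record: connected methods and devices already verified."""
    username: str
    connected_methods: set          # e.g. {"totp_app", "sms"}; email is always available
    recognized_devices: set = field(default_factory=set)


def choose_verification_method(user, device_id):
    """Return the method to challenge with, or None if the device is recognized.

    "sms" is treated as connected only once a mobile number has been verified;
    the registration prompt for users without one is outside this model.
    """
    if device_id in user.recognized_devices:
        return None
    available = set(user.connected_methods) | {"email"}
    for method in METHOD_PRIORITY:
        if method in available:
            return method
    raise RuntimeError("unreachable: email is always available")


def complete_verification(user, device_id):
    """After a successful challenge, remember the device so it is not challenged again."""
    user.recognized_devices.add(device_id)


def email_code_is_valid(issued_at, now):
    """An emailed code is accepted only within 24 hours of being issued."""
    age = now - issued_at
    return 0 <= age <= EMAIL_CODE_LIFETIME_S
```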

Other Applications of Two-Factor Authentication

You can require a second level of authentication on every login, every login through the API (for developers and client applications), or for access to specific features. Your users download and install a mobile authenticator app, such as the Salesforce Authenticator app or the Google Authenticator app, on their mobile device. They connect the app to their account in Salesforce. They use the app whenever your org’s policies require two-factor authentication.

The Salesforce Authenticator mobile app (version 2.0 and later) sends a push notification to the user’s mobile device when activity on the Salesforce account requires identity verification. The user responds on the mobile device to verify or block the activity. The user can enable location services for the app and automate verifications from trusted locations, such as a home or office. Salesforce Authenticator also generates verification codes, sometimes called “time-based one-time passwords” (TOTPs). Users can choose to enter a password plus the code instead of responding to a push notification from the app for two-factor verification. Or they can get a verification code from another authenticator app.