Salesforce Security Guide

Salesforce Security Guide
Salesforce Security Basics
Authenticate Users
The Elements of User Authentication
Configure User Authentication
Restrict Where and When Users Can Log In To Salesforce
Set Password Policies
Expire Passwords for All Users
Modify Session Security Settings
Create a Login Flow
Connect a Login Flow to a Profile
Set Up Two-Factor Authentication
Set Two-Factor Authentication Login Requirements
Set Two-Factor Authentication Login Requirements for Single Sign-On, Social Sign-On, and Communities
Set Two-Factor Authentication Login Requirements for API Access
Connect Salesforce Authenticator (Version 2 or Later) to Your Account for Identity Verification
Connect a One-Time Password Generator App or Device for Identity Verification
Disconnect Salesforce Authenticator (Version 2 or Later) from a User’s Account
Disconnect a User’s One-Time Password Generator App
Give Users Access to Data
Share Objects and Fields
Platform Encryption
Monitoring Your Organization's Security
Security Tips for Apex and Visualforce Development
PDF

Newer Version Available

This content describes an older version of this product. View Latest

Set Two-Factor Authentication Login Requirements

As a Salesforce administrator, you can require your users to use a mobile authenticator app for two-factor authentication when they log in.
Available in: Both Salesforce Classic and Lightning Experience
Available in: Contact Manager, Group, Professional, Enterprise, Performance, Unlimited, and Developer Editions

User Permissions Needed
To edit profiles and permission sets: “Manage Profiles and Permission Sets”

You can require two-factor authentication each time a user logs in with a username and password to Salesforce, including orgs with custom domains created using My Domain. To set the requirement, select the “Two-Factor Authentication for User Interface Logins” permission in the user profile (for cloned profiles only) or permission set.

Watch Video Demo Enhancing Security with Two-Factor Authentication

See a demonstration of Two-Factor Authentication for Salesforce, and when to use it.

Walk Through It Walk Through It: Secure Logins with Two-Factor Authentication

Users with the “Two-Factor Authentication for User Interface Logins” permission have to use a mobile authenticator app each time they log in to Salesforce.

You can also use a profile-based policy to set a two-factor authentication requirement for users assigned to a particular profile. Use the profile policy when you want to require two-factor authentication for users of the following authentication methods:

  • SAML for single sign-on
  • Social sign-on in to Salesforce orgs or Communities
  • Username and password authentication into Communities
All Salesforce user interface authentication methods, including username and password, delegated authentication, SAML single sign-on, and social sign-on through an authentication provider, are supported. In the user profile, set the Session security level required at login field to High Assurance. Then set session security levels in your org’s session settings to apply the policy for particular login methods. Also in your org’s session settings, check the session security levels to make sure that Two-Factor Authentication is in the High Assurance column.

Warning

If Two-Factor Authentication is in the Standard column, users get an error when they log in with a method that grants standard-level security.