This content describes an older version of this product.

Two-Factor Authentication

As a Salesforce admin, you can enhance your org’s security by requiring a second level of authentication for every user login. You can also require two-factor authentication when a user meets certain criteria, such as attempting to view reports or access a connected app.
Available in: Both Salesforce Classic and Lightning Experience
Available in: Essentials, Group, Professional, Enterprise, Performance, Unlimited, Developer, and Contact Manager Editions

Salesforce Identity Verification

When a user logs in from outside a trusted IP range and uses a browser or app we don’t recognize, the user is challenged to verify identity. We use the highest-priority verification method available for each user. In order of priority, the methods are:
  1. Verification via push notification or location-based automated verification with the Salesforce Authenticator mobile app (version 2 or later) connected to the user’s account.
  2. Verification via a U2F security key registered with the user’s account.
  3. Verification code generated by a mobile authenticator app connected to the user’s account.
  4. Verification code sent via SMS to the user’s verified mobile phone.
  5. Verification code sent via email to the user’s email address.
After identity verification is successful, the user doesn’t have to verify identity again from that browser or app, unless the user:
  • Manually clears browser cookies, sets the browser to delete cookies, or browses in private or incognito mode
  • Deselects Don’t ask again on the identity verification page

Org Policies That Require Two-Factor Authentication

You can set policies that require a second level of authentication on every login, on every login through the API (for developers and client applications), or for access to specific features. Your users can provide the second factor by downloading and installing a mobile authenticator app, such as the Salesforce Authenticator app or the Google Authenticator app, on their mobile device. They can also use a U2F security key as the second factor. After they connect an authenticator app or register a security key with their account in Salesforce, they use that method whenever your org’s policies require two-factor authentication.

The Salesforce Authenticator mobile app (version 2 and later) sends a push notification to the user’s mobile device when activity on the Salesforce account requires identity verification. The user responds on the mobile device to verify or block the activity. The user can enable location services for the app and automate verifications from trusted locations, such as a home or office. Salesforce Authenticator also generates verification codes, sometimes called “time-based one-time passwords” (TOTPs). Users can choose to enter a password plus the code instead of responding to a push notification from the app for two-factor verification. Or they can get a verification code from another authenticator app.

If users lose or forget the device they usually use for two-factor authentication, you can generate a temporary verification code for them. You set when the code expires, from 1 to 24 hours after you generate it. Your user can use the code multiple times until it expires. A user can have only one temporary code at a time. If a user needs a new code while the old code is still valid, you can expire the old code, then generate a new one. Users can expire their own valid codes in their personal settings.
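The temporary-code rules above (validity of 1 to 24 hours, one active code per user, reusable until it expires, explicit expiry before a new code is issued) modelled as an added Python example; this is not Salesforce's code, and the 8-digit code length, the hashed storage and the class names are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

MIN_VALIDITY_HOURS = 1   # lower bound stated on the page
MAX_VALIDITY_HOURS = 24  # upper bound stated on the page
CODE_LENGTH = 8          # assumption: the page does not state the code length


@dataclass
class TemporaryCode:
    code_hash: bytes   # only a hash of the code is kept at rest
    expires_at: int    # Unix seconds


class TemporaryCodeStore:
    """One temporary verification code per user, valid until its expiry
    or until an admin (or the user) explicitly expires it."""

    def __init__(self) -> None:
        self._codes: dict[str, TemporaryCode] = {}

    @staticmethod
    def _hash(code: str) -> bytes:
        # A short numeric code gives little offline protection even when hashed;
        # the hash mainly keeps the plaintext out of logs and backups.
        return hashlib.sha256(code.encode()).digest()

    def generate(self, user: str, validity_hours: int, now: int) -> str:
        if not MIN_VALIDITY_HOURS <= validity_hours <= MAX_VALIDITY_HOURS:
            raise ValueError("validity must be between 1 and 24 hours")
        if self.has_valid_code(user, now):
            # A user can hold only one code at a time: the old one must be expired first.
            raise RuntimeError("user already has a valid temporary code; expire it first")
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))
        self._codes[user] = TemporaryCode(self._hash(code), now + validity_hours * 3600)
        return code  # shown once to the admin; never stored in clear

    def has_valid_code(self, user: str, now: int) -> bool:
        entry = self._codes.get(user)
        return entry is not None and now < entry.expires_at

    def expire(self, user: str) -> None:
        self._codes.pop(user, None)

    def verify(self, user: str, code: str, now: int) -> bool:
        entry = self._codes.get(user)
        if entry is None or now >= entry.expires_at:
            self._codes.pop(user, None)  # drop stale entries on first use after expiry
            return False
        # Multi-use until expiry, so a successful check does not consume the code.
        return hmac.compare_digest(entry.code_hash, self._hash(code))
```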