Salesforce Security Guide

Salesforce Security Guide
Salesforce Security Basics
Authenticate Users
The Elements of User Authentication
Configure User Authentication
Restrict Where and When Users Can Log In to Salesforce
Set Password Policies
Expire Passwords for All Users
Modify Session Security Settings
Configure When Users Are Prompted to Verify Identity
Require High Assurance Session Security for Sensitive Operations
Create a Login Flow
Set Up a Login Flow and Connect to Profiles
Login Flow Examples
Set Up Two-Factor Authentication
Deploy Third-Party SMS-Based Two-Factor Authentication
Limit the Number of Concurrent Sessions with Login Flows
Give Users Access to Data
Share Objects and Fields
Strengthen Your Data's Security with Shield Platform Encryption
Monitoring Your Organization’s Security
Security Guidelines for Apex and Visualforce Development
PDF

Newer Version Available

This content describes an older version of this product. View Latest

Configure When Users Are Prompted to Verify Identity

You can control how and when users are prompted to verify their identity.
Available in: all editions

User Permissions Needed
To modify identity verification settings: Customize Application
  1. In Setup, enter Identity in the Quick Find box, and then click Identity Verification.
  2. Customize the identity verification settings, and then click Save.
    Field Description
    Enable the SMS method of identity confirmation Allows users to receive a one-time password delivered via SMS. If this setting is selected, administrators or users must verify their mobile phone number before taking advantage of this feature. This setting is selected by default for all orgs.
    Require security tokens for API logins from callouts (API version 31.0 and earlier) In API version 31.0 and earlier, requires the use of security tokens for API logins from callouts. Examples are Apex callouts or callouts using the AJAX proxy. In API version 32.0 and later, security tokens are required by default.
    Let users use a security key (U2F) Allows users to use a U2F security key for two-factor authentication and identity verification. Instead of using Salesforce Authenticator, one-time passwords generated by an authenticator app, or one-time passwords sent by email or SMS, users insert their registered U2F security key into a USB port to complete verification.
    Require identity verification during two-factor authentication registration Requires users to confirm their identities to add a two-factor authentication method, such as Salesforce Authenticator, instead of requiring a relogin as before.
    Require identity verification for change of email address

    Requires users to log in again and confirm their identity before the change to their email address is applied. Salesforce asks the user to verify identity using a registered verification method, such as Salesforce Authenticator, SMS text message, or email.

    If the user’s identity verification method is email, the verification code is sent to the user’s previously registered email address rather than the new email address.

    Note
    Allow location-based automated verifications with Salesforce Authenticator
    • Allow only from trusted IP addresses
    		 Allows users to verify identity by automatically approving notifications in Salesforce Authenticator, whenever users are in trusted locations such as a home or office. If you allow automated verifications, you can allow them from any location or restrict them to only trusted IP addresses, such as your corporate network.

These identity verification settings are also available on the Session Settings page. You can change the settings in either location.