Newer Version Available

This content describes an older version of this product. View Latest

Two-Factor Authentication

Two-factor authentication is the most effective way to protect your org’s user accounts. As a Salesforce admin, amplify your org’s security by requiring a second level of authentication for every user login. You can also require two-factor authentication when a user meets certain criteria, such as attempting to view reports or access a connected app.
Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience
Available in: Essentials, Group, Professional, Enterprise, Performance, Unlimited, Developer, and Contact Manager Editions

Two-factor authentication is an essential user authentication method—so essential that Salesforce provides two types of two-factor authentication.
  • Service-based—Also known as device activation, service-based two-factor authentication is automatically enabled for all orgs.
  • Policy-based—Admins enable policy-based two-factor authentication. It is an admin’s best tool to protect org user accounts.

For help with configuring two-factor authentication, see the Admin Guide to Two-Factor Authentication and the Trailhead Module Secure Your Users’ Identity.

Org Policies That Require Two-Factor Authentication

Set policies that require a second level of authentication for every login, for logins through the API (for developers and client applications), or for access to specific features. Users provide the second factor by downloading and installing a mobile authenticator app, such as the Salesforce Authenticator app or the Google Authenticator app, on their mobile device. They can also use a U2F security key as the second factor. After users connect an authenticator app or register a security key with their Salesforce account, they can use these authentication methods whenever your org’s policies require two-factor authentication.

The Salesforce Authenticator mobile app (version 2 and later) sends a push notification to the user’s mobile device when the Salesforce account requires identity verification. The user responds on the mobile device to verify or block the activity. The user can enable location services for the app and automate verifications from trusted locations, such as a home or office. Salesforce Authenticator also generates verification codes, sometimes called “time-based one-time passwords” (TOTPs). Users can choose to enter a password plus the code instead of responding to a push notification from the app for two-factor verification. Or they can get a verification code from another authenticator app.

If users lose or forget the device they usually use for two-factor authentication, you can generate a temporary verification code for them. You set when the code expires, from 1 to 24 hours after you generate it. Your user can use the code multiple times until it expires. A user can have only one temporary code at a time. If a user needs a new code while the old code is still valid, you can expire the old code, then generate a new one. Users can expire their own valid codes in their personal settings.