This content describes an older version of this product.

Configure When Users Are Prompted to Verify Identity

You can control how and when users are prompted to verify their identity.
Available in: all editions

User Permissions Needed
To modify identity verification settings: Customize Application
  1. In Setup, enter Identity in the Quick Find box, and then click Identity Verification.
  2. Customize the identity verification settings, and then click Save.
    | Field | Description |
    | --- | --- |
    | Enable the SMS method of identity confirmation | Allows users to receive a one-time password delivered via SMS. If this setting is selected, administrators or users must verify their mobile phone number before taking advantage of this feature. This setting is selected by default for all orgs. |
    | Require security tokens for API logins from callouts (API version 31.0 and earlier) | In API version 31.0 and earlier, requires the use of security tokens for API logins from callouts. Examples are Apex callouts or callouts using the AJAX proxy. In API version 32.0 and later, security tokens are required by default. |
    | Let users use a physical security key (U2F) | Allows users to use a U2F security key for two-factor authentication and identity verification. Instead of using Salesforce Authenticator, one-time passwords generated by an authenticator app, or one-time passwords sent by email or SMS, users insert their registered U2F security key into a USB port to complete verification. |
    | Let users authenticate with a certificate | Enable certificate-based authentication to use PEM-encoded X.509 digital certificates to authenticate individual users to your org. |
    | Require identity verification during two-factor authentication (2FA) registration | Requires users to confirm their identities to add a two-factor authentication method, such as Salesforce Authenticator, instead of requiring a relogin as before. |
    | Require identity verification for email address changes | Requires users to log in again and confirm their identity before their email address change takes effect. Users verify their identity using a registered verification method, such as Salesforce Authenticator, SMS text message, or email. Note: If the user’s verification method is email, the verification code is sent to the user’s previously registered email address rather than the new email address. |
    | Require email confirmations for email address changes (applies to external users in Lightning Communities) | Requires external users to confirm that they own the new email address. When users change their email address, they receive an email at the new email address with a link. After they click the link, their new email address takes effect. Email confirmations are enabled by default for orgs created in Winter ’20 and later. For orgs created before Winter ’20, Salesforce recommends that you enable this option as a security precaution. This option doesn’t apply to employees. |
    | Allow automated location-based verifications with Salesforce Authenticator • Allow only from trusted IP addresses | When users are in a trusted location, such as their home or office, they can use the Salesforce Authenticator to automatically verify their identity. You can allow automated verifications from any location, or you can restrict them to only trusted IP addresses, such as your corporate network. |

These identity verification settings are also available on the Session Settings page. You can change the settings in either location.