Salesforce Security Guide

Salesforce Security Guide
Salesforce Security Basics
Authenticate Users
Elements of User Authentication
Configure User Authentication
Restrict Where and When Users Can Log In to Salesforce
Set Password Policies
Expire Passwords for All Users
Modify Session Security Settings
Configure When Users Are Prompted to Verify Identity
Require High-Assurance Session Security for Sensitive Operations
Create a Login Flow
Set Up a Login Flow and Connect to Profiles
Login Flow Examples
Set Up Two-Factor Authentication
Set Two-Factor Authentication Login Requirements
Set Two-Factor Authentication Login Requirements and Custom Policies for Single Sign-On, Social Sign-On, and Communities
Set Two-Factor Authentication Login Requirements for API Access
Connect Salesforce Authenticator (Version 3 or Later) to Your Account for Identity Verification
Verify Your Identity with a One-Time Password Generator App or Device
Disconnect Salesforce Authenticator (Versions 2 and 3) from a User’s Account
Disconnect a User’s One-Time Password Generator App
Generate a Temporary Identity Verification Code
Expire a Temporary Verification Code
Delegate Two-Factor Authentication Management Tasks
Deploy Third-Party, SMS-Based Two-Factor Authentication
Limit the Number of Concurrent Sessions with Login Flows
Give Users Access to Data
Share Objects and Fields
Strengthen Your Data's Security with Shield Platform Encryption
Monitoring Your Organization’s Security
Real-Time Event Monitoring
Security Guidelines for Apex and Visualforce Development
PDF

Newer Version Available

This content describes an older version of this product. View Latest

Set Two-Factor Authentication Login Requirements and Custom Policies for Single Sign-On, Social Sign-On, and Communities

Set two-factor authentication login requirements for users with profile policies and session settings. You can apply two-factor authentication requirements to all Salesforce user interface authentication methods. These methods include username and password, delegated authentication, SAML single sign-on, and social sign-on through a third-party authentication provider. You can also apply the two-factor authentication requirement to users in Salesforce orgs and Communities.
Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience
Available in: Enterprise, Performance, Unlimited, and Developer Editions

User Permissions Needed
To edit profiles and permission sets: Manage Profiles and Permission Sets
To generate a temporary verification code: Manage Two-Factor Authentication in User Interface

Watch a demo: Watch Video Demo Lightning Login Overview (English Only)

To require two-factor authentication for users assigned to a particular profile, edit the Session security level required at login profile setting. Then set your org’s session security levels to apply the policy for particular login methods.

By default, the Session security requirement at login profile setting is None. You can edit a profile’s session settings to change the requirement to High Assurance. When profile users with the High Assurance requirement use a login method that grants standard-level security instead of high assurance, they’re prompted to verify their identity with two-factor authentication. After users authenticate successfully, they’re logged in to Salesforce.

You can edit the security level, either standard or high assurance, assigned to a login method in your org’s session settings.

Users with mobile devices can use the Salesforce Authenticator mobile app or another authenticator app for two-factor authentication. Internal users can connect the app to their account in the Advanced User Details page of their personal settings. If you set the High Assurance requirement on a profile, profile users without the Salesforce Authenticator or another authenticator app are prompted to connect the app to their account. After they connect the app, they’re prompted to use the app to verify their identity.

Users can use registered U2F security keys for two-factor authentication.

Community members with the High Assurance profile requirement are prompted to connect an authenticator app during login.

When two-factor authentication is enabled for a community, admins can’t use the login as feature to access the community. See Create Community Users.

Note

  1. From Setup, enter Profiles in the Quick Find box, then select Profiles.
  2. Select a profile.
  3. Scroll to Session Settings and find the Session security level required at login setting.
  4. Click Edit, and select High Assurance.
  5. Click Save.
  6. From Setup, enter Session Settings in the Quick Find box, then select Session Settings.
  7. In Session Security Levels, make sure that Two-Factor Authentication is in the High Assurance column.
    If Two-Factor Authentication is in the Standard column, users get an error when they log in with a method that grants standard-level security.

    Consider moving Activation to the High Assurance column. With this setting, users who verify their identity from an unrecognized browser or app establish a high-assurance session. When Activation is in the High Assurance column, profile users who verify their identity at login aren’t challenged to verify their identity again.

    Note

  8. Save your changes.

Example

You’ve configured Facebook and LinkedIn as authentication providers in your community. Many of your community members use social sign-on to log in using the username and password from their Facebook or LinkedIn accounts. You want to increase security by requiring Customer Community Users to use two-factor authentication when they log in with their Facebook account. You want users who log in with their LinkedIn account to be automatically granted High Assurance access and bypass two-factor authentication.
  • In the Customer Community User profile, set the session security level required at login to High Assurance.
  • In your org’s session settings, edit the session security levels.
    • Because you are requiring two-factor authentication with Facebook accounts, make sure that Facebook is in the Standard column.
    • Add Two-Factor Authentication to the High Assurance column. When users log in with their Facebook account, they are required to provide a second authentication factor.
    • Add LinkedIn to the High Assurance column. When users log in with their LinkedIn account, they are granted High Assurance access without needing to provide a second authentication factor.
Session security levels for org in example.

To initiate identity verification under specific conditions, you can use login flows to change the user’s session security level. Login flows let you build a custom post-authentication process that meets your business requirements.

Note

If users lose or forget the device they usually use for two-factor authentication, you can generate a temporary verification code for them. You set when the code expires, from 1 to 24 hours after you generate it. Your user can use the code multiple times until it expires. A user can have only one temporary code at a time. If a user needs a new code while the old code is still valid, you can expire the old code, then generate a new one. Users can expire their own valid codes in their personal settings.

The High Assurance profile requirement applies to user interface logins. OAuth token exchanges aren’t subject to the requirement. OAuth refresh tokens that were obtained before a High Assurance requirement is set for a profile can still be exchanged for valid API access tokens. Tokens are valid even if they were obtained with a standard-assurance session. To require users to establish a high-assurance session before accessing the API with an external application, revoke existing OAuth tokens for users with that profile. Then set a High Assurance requirement for the profile. Users have to log in with two-factor authentication and reauthorize the application.

Note