Configure Identity Verification Settings for Users
You can control how and when users are prompted to verify their identity.
Available in: all editions

| User Permissions Needed | |
|---|---|
| To modify identity verification settings: | Customize Application |
- In Setup, enter Identity in the Quick Find box, and then click Identity Verification.
- Customize the identity verification settings, and then click Save.

| Field | Description |
|---|---|
| Let users verify their identity by text (SMS) | Allows users to receive an identity verification code in a text message. Users must verify their phone number before they can receive identity verification codes by text. This setting is enabled by default for all orgs. A verification code is valid for 24 hours. If the code isn’t used during that time, you can generate a new verification code by reinitializing initSelfRegistration. To disable SMS as a method of verification, contact Salesforce support. The email method of identity verification can't be disabled. |
| Prevent identity verification by email when other methods are registered | Allows users to get verification codes by email only if no other identity method has been verified. Other verification methods include Salesforce Authenticator, SMS, time-based one-time password (TOTP), and physical key (U2F). This setting is enabled by default for all orgs. A verification code is valid for 24 hours. If the code isn’t used during that time, you can generate a new verification code by reinitializing initSelfRegistration. |
| Require security tokens for API logins from callouts (API version 31.0 and earlier) | Requires the use of security tokens for API logins from callouts in API version 31.0 and earlier. Examples are Apex callouts or callouts using the AJAX proxy. In API version 32.0 and later, security tokens are required by default. |
| Let users authenticate with a physical security key (U2F) | Permits the use of a U2F security key for two-factor authentication and identity verification. Instead of using Salesforce Authenticator, one-time passwords generated by an authenticator app, or one-time passwords sent by email or SMS, users insert their registered U2F security key into a USB port to complete verification. |
| Let users authenticate with a certificate | Enables certificate-based authentication to use PEM-encoded X.509 digital certificates to authenticate individual users to your org. |
| Require identity verification during two-factor authentication (2FA) registration | Requires users to confirm their identities to add a two-factor authentication method, such as Salesforce Authenticator, instead of requiring a relogin as before. |
| Require identity verification for email changes | Requires users to log in again and confirm their identity before their email address change takes effect. Users verify their identity using a registered verification method, such as Salesforce Authenticator, SMS, or email. |
| Require email confirmations for email address changes (applies to external users in Lightning Communities) | Requires external users to confirm that they own the new email address. When users change their email address, they receive an email at the new email address with a link. After they click the link, their new email address takes effect. Email confirmations are enabled by default for orgs created in Winter ’20 and later. For orgs created before Winter ’20, Salesforce recommends that you enable this option as a security precaution. This option doesn’t apply to employees. |
| Let Salesforce Authenticator automatically verify identities using geolocation | Allows Salesforce Authenticator to use the phone's location services to verify a user's identity. If users approve the location, they aren't prompted for their identity when at that location. If the location is not approved, or if users are outside the trusted location, they're prompted to verify their identity. |
| Let Salesforce Authenticator automatically verify identities based on trusted IP addresses only | Allows Salesforce Authenticator to use trusted IP ranges to verify a user’s identity. When users are located within trusted IP address ranges, they aren't prompted to verify their identity. If users are outside the trusted IP address range, they're prompted to verify their identity. |

These identity verification settings are also available on the Session Settings page. You can change the settings in either location.