Salesforce Security Guide

Salesforce Security Guide
Salesforce Security Basics
Authenticate Users
Elements of User Authentication
Configure User Authentication
Restrict Where and When Users Can Log In to Salesforce
Set Password Policies
Expire Passwords for All Users
Modify Session Security Settings
Configure Identity Verification Settings for Users
Require High-Assurance Session Security for Sensitive Operations
Create a Login Flow
Set Up a Login Flow and Connect to Profiles
Login Flow Examples
Set Up Two-Factor Authentication
Set Two-Factor Authentication Login Requirements
Set Two-Factor Authentication Login Requirements and Custom Policies for Single Sign-On, Social Sign-On, and Communities
Set Two-Factor Authentication Login Requirements for API Access
Connect Salesforce Authenticator (Version 3 or Later) to Your Account for Identity Verification
Verify Your Identity with a One-Time Password Generator App or Device
Disconnect Salesforce Authenticator (Versions 2 and 3) from a User’s Account
Disconnect a User’s One-Time Password Generator App
Generate a Temporary Identity Verification Code
Expire a Temporary Verification Code
Implement Two-Factor Authentication with Apex
Delegate Two-Factor Authentication Management Tasks
Deploy Third-Party, SMS-Based Two-Factor Authentication
Limit the Number of Concurrent Sessions with Login Flows
Connected Apps
Give Users Access to Data
Share Objects and Fields
Strengthen Your Data's Security with Shield Platform Encryption
Monitoring Your Organization’s Security
Real-Time Event Monitoring
Security Guidelines for Apex and Visualforce Development
PDF

Newer Version Available

This content describes an older version of this product. View Latest

Set Two-Factor Authentication Login Requirements for API Access

Salesforce admins can set the Two-Factor Authentication for API Logins permission to use a second authentication challenge for API access to Salesforce. API access includes the use of applications like the Data Loader and developer tools for customizing an organization or building client applications.
Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience
Available in: Essentials, Contact Manager, Database.com, Developer, Enterprise, Group, Performance, Professional, and Unlimited Editions

User Permissions Needed
To edit system permissions in profiles: Manage Profiles and Permission Sets
To enable this feature: Two-Factor Authentication for User Interface Logins

The Two-Factor Authentication for User Interface Logins permission is a prerequisite for the Two-Factor Authentication for API Logins permission. Users who have these permissions enabled have to complete two-factor authentication when they log in to Salesforce through the user interface. Users must download and install an authenticator app on their mobile device and connect the app to their Salesforce account. Then they can use verification codes (time-based one-time passwords, or TOTP) from the app for two-factor authentication.

For developer tools that use API logins, log in with a security token or TOTP instead of Salesforce Authenticator when two-factor authentication is enabled for a user.

API Only users can access the UI to register for two-factor authentication only. After a successful registration, API Only users can no longer access the UI.

Note