| Activity |
- Type
- picklist
- Properties
- Nillable, Restricted Picklist
- Description
- The action the user attempted that requires identity verification. Possible values include:
- AccessReports—The user attempted to access reports or dashboards.
- Apex—The user attempted to access a Salesforce resource with a verification Apex method.
- ChangeEmail—The user attempted to change an email address.
- ConnectSms—The user attempted to connect a phone number.
- ConnectToopher—The user attempted to connect Salesforce Authenticator.
- ConnectTotp—The user attempted to connect a one-time password generator.
- ConnectU2F—The user attempted to register a U2F security key.
- ConnectedApp—The user attempted to access a connected app.
- EnableLL—The user attempted to enroll in Lightning Login.
- ExportPrintReports—The user attempted to export or print reports or dashboards.
- ExtraVerification—Reserved for future use.
- ListView—The user attempted to access a list view.
- Login—The user attempted to log in.
- Registration—Reserved for future use.
- TempCode—The user attempted to generate a temporary verification code.
|
| City |
- Type
- string
- Properties
- Nillable
- Description
- The city where the user’s IP address is physically located. This value isn’t localized. Due to the nature of geolocation technology, the accuracy of this field can vary.
|
| Country |
- Type
- string
- Properties
- Nillable
- Description
- The country where the user’s IP address is physically located. This value isn’t localized. Due to the nature of geolocation technology, the accuracy of this field can vary.
|
| CountryIso |
- Type
- string
- Properties
- Nillable
- Description
- The ISO 3166 code for the country where the user’s IP address is physically located. For more information, see Country Codes - ISO 3166.
|
| CreatedDate |
- Type
- datetime
- Properties
- DefaultedOnCreate
- Description
- The date and time when identity verification first
prompts users to verify their identity.
|
| EventDate |
- Type
- datetime
- Properties
- Filter, Sort
- Description
- The date and time of the identity verification attempt, for example, 7/19/2025, 3:19:13 PM PDT. The time zone is based on GMT.
|
| EventGroup |
- Type
- string
- Properties
- Nillable
- Description
- ID of the verification attempt. Verification can involve several attempts and use different verification methods. For example, in a user’s session, a user enters an invalid verification code (first attempt). The user then enters the correct code and successfully verifies identity (second attempt). Both attempts are part of a single verification and, therefore, have the same ID.
|
| EventIdentifier |
- Type
- string
- Properties
- Filter, Sort
- Description
- The unique identifier of the
IdentityVerificationEvent.
|
| Latitude |
- Type
- double
- Properties
- Nillable
- Description
- The latitude where the user’s IP address is physically located. Due to the nature of geolocation technology, the accuracy of this field can vary.
|
| LoginHistoryId |
- Type
- reference
- Properties
- Nillable
- Description
- Tracks a user session so that you can correlate user
activity with a particular login instance.
|
| LoginKey |
- Type
- string
- Properties
- Nillable
- Description
- The string that ties together all events in a given user’s
login session. The session starts with a login event and ends with either a
logout event or the user session expiring.
|
| Longitude |
- Type
- double
- Properties
- Nillable
- Description
- The longitude where the user’s IP address is physically located. Due to the nature of geolocation technology, the accuracy of this field can vary.
|
| Policy |
- Type
- picklist
- Properties
- Nillable, Restricted Picklist
- Description
- The identity verification security policy or setting.
- CustomApex—Identity verification made by a verification Apex method.
- DeviceActivation—Identity verification required for users logging in from an unrecognized device or new IP address. This verification is part of Salesforce’s risk-based authentication.
- EnableLightningLogin—Identity verification required for users enrolling in Lightning Login. This verification is triggered when the user attempts to enroll. Users are eligible to enroll if they have the Lightning Login User user permission and the org has enabled Allow Lightning Login in Session Settings.
- ExtraVerification—Reserved for future use.
- HighAssurance—High assurance session required for resource access. This verification is triggered when the user tries to access a resource, such as a connected app, report, or dashboard that requires a high-assurance session level.
- LightningLogin—Identity verification required for internal users logging in via Lightning Login. This verification is triggered when the enrolled user attempts to log in. Users are eligible to log in if they have the Lightning Login User user permission and have successfully enrolled in Lightning Login. Also, from Session Settings in Setup, Allow Lightning Login must be enabled.
- PageAccess—Identity verification required for users attempting to perform an action, such as changing an email address or adding a verification method for multi-factor authentication (MFA).
- PasswordlessLogin—Identity verification required for external users attempting to log in to a community that is set up for passwordless login. The admin controls which registered verification methods can be used, for example, email, SMS, Salesforce Authenticator, or TOTP.
- ProfilePolicy—Session security level required at login. This verification is triggered by the Session security level required at login setting on the user’s profile.
- TwoFactorAuthentication—Multi-factor authentication (formerly called two-factor authentication) required at login. This verification is triggered by the Multi-Factor Authentication for User Interface Logins user permission assigned to a custom profile. Or the user permission is included in a permission set that is assigned to a user.
|
| PostalCode |
- Type
- string
- Properties
- Nillable
- Description
- The postal code where the user’s IP address is physically located. This value isn’t localized. Due to the nature of geolocation technology, the accuracy of this field can vary.
|
| Remarks |
- Type
- string
- Properties
- Nillable
- Description
- The text users see on the page or in Salesforce Authenticator when prompted to verify their identity. For example, if identity verification is required for users to log in, they see “You’re trying to Log In to Salesforce.” In this case, the Remarks value is “Log In to Salesforce.” But if the Activity value is Apex, the Remarks value is a custom description specified in the Apex method. If users are verifying their identity using Salesforce Authenticator, the custom description also appears in the app. If the custom description isn’t specified, the Remarks value is the name of the Apex method. The label is Activity Message.
|
| ResourceId |
- Type
- reference
- Properties
- Nillable
- Description
- If the Activity value is ConnectedApp, the ResourceId value is the ID of the connected app. The label is Connected App ID.
|
| SessionKey |
- Type
- string
- Properties
- Nillable
- Description
- The user’s unique session ID. Use this value to identify
all user events within a session. When a user logs out and logs in again, a new
session is started.
|
| SessionLevel |
- Type
- picklist
- Properties
- Nillable, Restricted Picklist
- Description
- Session-level security controls user access to features that support it, such as connected apps and reporting. Possible values are:
- HIGH_ASSURANCE—Used for resource access. For example, when the user tries to access a resource such as a connected app, report, or dashboard that requires a high-assurance session level.
- LOW—Indicates that the user’s security level for the current session meets the lowest requirements. This low level is not available or used in the Salesforce UI. User sessions through the UI are either standard or high assurance. You can set this level using the API, but users assigned this level experience unpredictable and reduced functionality in their Salesforce org.
- STANDARD—Indicates that the user’s security level for the current session meets the Standard requirements set in the org’s Session Security Levels.
|
| SourceIp |
- Type
- string
- Properties
- Nillable
- Description
- The IP address of the machine from which the user attempted the action that requires identity verification. For example, the IP address of the machine from where the user tried to log in or access reports. If it’s a non-login action that required verification, the IP address can be different from the address from where the user logged in. This address can be an IPv4 or IPv6 address.
|
| Status |
- Type
- picklist
- Properties
- Nillable, Restricted Picklist
- Description
- The status of the identity verification attempt.
- AutomatedSuccess—Salesforce approved the request for access because the request came from a trusted location. After a user enables location services in Salesforce, the user can designate trusted locations. When the user trusts a location for a particular activity, such as logging in from a recognized device, that activity is approved from the trusted location for as long as the location is trusted.
- Denied—The user denied the approval request in the authenticator app.
- FailedGeneralError—An error caused by something other than an invalid verification code, too many verification attempts, or authenticator app connectivity.
- FailedInvalidCode—The user entered an invalid verification code.
- FailedInvalidPassword—The user entered an invalid password.
- FailedPasswordLockout—The user attempted to enter a password too many times.
- FailedTooManyAttempts—The user attempted to verify identity too many times. For example, the user entered an invalid verification code repeatedly.
- InProgress—Salesforce challenged the user to verify identity and is waiting for either the user to respond or for Salesforce to send an automated response.
- Initiated—Salesforce initiated identity verification but hasn’t yet challenged the user.
- ReportedDenied—The user denied the approval request in the authenticator app, such as Salesforce Authenticator, and also flagged the approval request to report to an administrator.
- Succeeded—The user’s identity was verified.
|
| Subdivision |
- Type
- string
- Properties
- Nillable
- Description
- The name of the subdivision where the user’s IP address is physically located. In the United States, this value is usually the state name (for example, Pennsylvania). This value isn’t localized. Due to the nature of geolocation technology, the accuracy of this field can vary.
|
| UserId |
- Type
- reference
- Properties
- Filter, Group, Sort
- Description
- ID of the user verifying identity.
|
| Username |
- Type
- string
- Properties
- Nillable
- Description
- The username of the user challenged for identity verification in user@company.com format.
|
| VerificationMethod |
- Type
- picklist
- Properties
- Nillable, Restricted Picklist
- Description
- The method by which the user attempted to verify identity in the verification event.
- Email—Salesforce sent an email with a verification code to the address associated with the user’s account.
- EnableLL—Salesforce Authenticator sent a notification to the user’s mobile device to enroll in Lightning Login.
- LL—Salesforce Authenticator sent a notification to the user’s mobile device to approve login via Lightning Login.
- Password—Salesforce prompted for a password.
- SalesforceAuthenticator—Salesforce Authenticator sent a notification to the user’s mobile device to verify account activity.
- Sms—Salesforce sent a text message with a verification code to the user’s mobile device. SMS messaging requires a Salesforce add-on license for Identity Verification Credits.
- TempCode—A Salesforce admin or a user with the Manage Multi-Factor Authentication in User Interface permission generated a temporary verification code for the user.
- Totp—An authenticator app generated a time-based, one-time password (TOTP) on the user’s mobile device.
- U2F—A U2F security key generated required credentials for the user.
|
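
The EventGroup, Status, Activity and SourceIp fields above can be combined to triage exported IdentityVerificationEvent records. The following is an added example, not Salesforce code: the `triage` function, its threshold, the three status groupings and the sample records are assumptions made for illustration, and EventDate is assumed to be exported as an ISO 8601 UTC string.

```python
from collections import defaultdict

# Status, Activity and field names are taken from the field reference above.
HARD_FAIL = {"ReportedDenied", "FailedTooManyAttempts", "FailedPasswordLockout"}
SOFT_FAIL = {"Denied", "FailedInvalidCode", "FailedInvalidPassword"}
# Activities that add a verification method or change the account email.
FACTOR_CHANGE = {"ConnectSms", "ConnectToopher", "ConnectTotp", "ConnectU2F", "ChangeEmail"}

def triage(events, soft_fail_threshold=3):
    """Return {EventGroup: [reasons]} for verifications that merit review."""
    groups = defaultdict(list)
    for ev in events:
        # EventGroup is nillable: fall back to EventIdentifier so rows stay separate.
        groups[ev.get("EventGroup") or ev["EventIdentifier"]].append(ev)
    findings = {}
    for gid, attempts in groups.items():
        attempts.sort(key=lambda e: e["EventDate"])  # ISO 8601 UTC strings sort in time order
        statuses = [a.get("Status") for a in attempts]
        reasons = []
        hard = sorted(set(statuses) & HARD_FAIL)
        if hard:
            reasons.append("hard failure: " + ", ".join(hard))
        soft = sum(s in SOFT_FAIL for s in statuses)
        if soft >= soft_fail_threshold:
            reasons.append(f"{soft} failed or denied attempts")
        last = attempts[-1]
        if soft and last.get("Status") == "Succeeded" and last.get("Activity") in FACTOR_CHANGE:
            reasons.append("factor change succeeded after failures: " + last["Activity"])
        if len({a["SourceIp"] for a in attempts if a.get("SourceIp")}) > 1:
            reasons.append("attempts came from more than one SourceIp")
        if reasons:
            findings[gid] = reasons
    return findings

def _ev(eid, group, when, activity, status, ip):
    return {"EventIdentifier": eid, "EventGroup": group, "EventDate": when,
            "Activity": activity, "Status": status, "SourceIp": ip}

# Constructed sample records (not real data); addresses are documentation ranges.
SAMPLE = [
    _ev("e1", "g1", "2025-07-19T22:19:13Z", "Login", "FailedInvalidCode", "192.0.2.10"),
    _ev("e2", "g1", "2025-07-19T22:19:40Z", "Login", "Succeeded", "192.0.2.10"),
    _ev("e3", "g2", "2025-07-19T22:30:02Z", "ConnectTotp", "Denied", "192.0.2.10"),
    _ev("e4", "g2", "2025-07-19T22:31:15Z", "ConnectTotp", "Succeeded", "198.51.100.7"),
    _ev("e5", "g3", "2025-07-19T23:05:00Z", "Login", "ReportedDenied", "203.0.113.5"),
]

if __name__ == "__main__":
    for group, reasons in triage(SAMPLE).items():
        print(group, reasons)
```

A single mistyped code followed by success (group g1) is not flagged; the threshold and the status groupings should be tuned to the org's normal failure rate.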