This content describes an older version of this product.

Implement Multi-Factor Authentication with Apex

To implement your own multi-factor authentication (MFA) process, use Apex methods under the System.UserManagement class. The methods come as a pair for email, phone (SMS), and the Salesforce Authenticator verification methods—one to initiate a verification service, and one to complete the verification service. For password or time-based one-time password (TOTP) verification methods, you can use the second method alone to provide a complete verification service.
Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience
Available in: Essentials, Group, Professional, Enterprise, Performance, Unlimited, Developer, and Contact Manager Editions

Multi-factor authentication (MFA) was formerly called two-factor authentication or 2FA.

Note

The Apex configuration that you use depends on your verification method.
  • To implement a multi-factor authentication service for email, SMS, and the Salesforce Authenticator verification methods, use initVerificationMethod and verifyVerificationMethod.
  • To implement a multi-factor authentication service for password or TOTP verification methods, use verifyVerificationMethod.

Example

Apex Methods for Multi-Factor Authentication

Here’s example Apex code for multi-factor authentication using email.

    // Controller state, declared here so the snippet is self-contained
    private String identifier;        // returned by initVerificationMethod
    public String code { get; set; }  // verification code entered by the user

    public void initVerification() {
        // The user receives a code at their registered, verified email address
        identifier = UserManagement.initVerificationMethod(Auth.VerificationMethod.EMAIL);
    }

    public Auth.VerificationResult verifyVerification() {
        // Requires the identifier returned by initVerification
        // and the code that the user entered
        return UserManagement.verifyVerificationMethod(identifier, code, Auth.VerificationMethod.EMAIL);
    }

Here’s one for SMS.

    // Controller state, declared here so the snippet is self-contained
    private String identifier;        // returned by initVerificationMethod
    public String code { get; set; }  // verification code entered by the user

    public void initVerification() {
        // The user receives a code on their registered, verified phone
        identifier = UserManagement.initVerificationMethod(Auth.VerificationMethod.SMS);
    }

    public Auth.VerificationResult verifyVerification() {
        // Requires the identifier returned by initVerification
        // and the code that the user entered
        return UserManagement.verifyVerificationMethod(identifier, code, Auth.VerificationMethod.SMS);
    }

This example shows Apex code for multi-factor authentication using the Salesforce Authenticator.

    // Controller state, declared here so the snippet is self-contained
    private String identifier;  // returned by initVerificationMethod

    public void initVerification() {
        // The user receives a push notification on the mobile device where the app is registered for MFA
        identifier = UserManagement.initVerificationMethod(Auth.VerificationMethod.SALESFORCE_AUTHENTICATOR);
    }

    public Auth.VerificationResult verifyVerification() {
        // Requires the identifier returned by initVerification.
        // No code is passed: the user takes the action on the mobile device where the app is registered for MFA.
        return UserManagement.verifyVerificationMethod(identifier, '', Auth.VerificationMethod.SALESFORCE_AUTHENTICATOR);
    }

The next two examples show Apex code for multi-factor authentication using only the verifyVerificationMethod for password and TOTP verifications.

    public String password { get; set; }  // password entered by the user

    public Auth.VerificationResult verifyVerification() {
        // The password that the user entered is passed as the second parameter;
        // no identifier is needed for the password verification method
        return UserManagement.verifyVerificationMethod('', password, Auth.VerificationMethod.PASSWORD);
    }

    public String code { get; set; }  // TOTP code (token) entered by the user

    public Auth.VerificationResult verifyVerification() {
        // The user enters the code (token) from their registered time-based one-time password (TOTP) app;
        // no identifier is needed for the TOTP verification method
        return UserManagement.verifyVerificationMethod('', code, Auth.VerificationMethod.TOTP);
    }
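
The snippets above return an Auth.VerificationResult without inspecting it. The following added example (not Salesforce's own code) shows the email pair inside a stateful controller that checks the result and fails closed. The class name EmailMfaController, the MAX_ATTEMPTS limit, the verified and errorMessage properties, and the message strings are assumptions made for illustration, as is a controller whose fields persist between the two calls.

```apex
// Added example: hypothetical controller, not part of the original page.
public with sharing class EmailMfaController {
    private static final Integer MAX_ATTEMPTS = 3;  // assumed local policy
    private String identifier;                      // returned by initVerificationMethod
    private Integer failedAttempts = 0;

    public String code { get; set; }                // code entered by the user
    public Boolean verified { get; private set; }
    public String errorMessage { get; private set; }

    public EmailMfaController() {
        verified = false;                           // fail closed until proven
    }

    public void initVerification() {
        // Sends a code to the user's registered, verified email address
        identifier = System.UserManagement.initVerificationMethod(Auth.VerificationMethod.EMAIL);
        failedAttempts = 0;
        verified = false;
        errorMessage = null;
    }

    public void verifyVerification() {
        verified = false;
        if (String.isBlank(identifier)) {           // verify called before init
            errorMessage = 'Request a verification code first.';
            return;
        }
        if (String.isBlank(code)) {
            errorMessage = 'Enter the code that was sent to your email.';
            return;
        }
        Auth.VerificationResult result = System.UserManagement.verifyVerificationMethod(
            identifier, code.trim(), Auth.VerificationMethod.EMAIL);
        code = null;                                // do not keep the submitted code in state
        if (result.success) {
            verified = true;
            identifier = null;                      // a later check needs a fresh initVerification
            errorMessage = null;
            return;
        }
        failedAttempts++;
        errorMessage = result.message;              // platform-supplied failure message
        if (failedAttempts >= MAX_ATTEMPTS) {
            identifier = null;                      // controller stops retrying this identifier
            errorMessage = 'Too many failed attempts. Request a new code.';
        }
    }
}
```

Code that performs the protected action should check `verified` on the server side rather than rely on the page hiding a button.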