Multi-Factor Authentication Considerations
| Available in | |
|---|---|
| User interface | Both Salesforce Classic (not available in all orgs) and Lightning Experience |
| Editions | Essentials, Group, Professional, Enterprise, Performance, Unlimited, Developer, and Contact Manager Editions |
- Service-based—Also known as device activation, service-based authentication is automatically enabled for all orgs. This feature requires a user to provide a verification method when accessing Salesforce from an unrecognized browser or application.
- Policy-based—Admins enable policy-based multi-factor authentication. It is an admin’s best tool to protect org user accounts. See the following sections for more information.
Org Policies That Require Multi-Factor Authentication
Set policies that require a second level of authentication for every login, logins through the API (for developers and client applications), or access to specific features. Users provide the second factor via a verification method. Users can download and install a mobile authenticator app, such as the Salesforce Authenticator app or the Google Authenticator app, on their mobile device. They can also use a U2F security key. After users register an authenticator app or security key to connect the method with their Salesforce account, they can use the method whenever your org’s policies require MFA.
The Salesforce Authenticator mobile app (version 2 and later) sends a push notification to the user’s mobile device when the Salesforce account requires identity verification or MFA. The user responds on the mobile device to verify or block the activity. The user can enable location services for the app and automate verifications from trusted locations, such as a home or office. Salesforce Authenticator also generates verification codes, also called time-based one-time passwords (TOTPs). Users can choose to enter a password plus the code instead of responding to a push notification from the app for two-factor verification. Or they can get a verification code from another authenticator app.
If users lose or forget the device they usually use for MFA, you can generate a temporary verification code for them. You set when the code expires, from 1 to 24 hours after you generate it. Your user can use the code multiple times until it expires. A user can have only one temporary code at a time. If a user needs a new code while the old code is still valid, you can expire the old code, then generate a new one. Users can expire their own valid codes in their personal settings.
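The temporary-code rules above (expiry set between 1 and 24 hours, reusable until expiry, one active code per user, revocable by an admin or by the user) form a small lifecycle that is easy to get wrong. The following added example is a hypothetical store that enforces them; it is illustrative code, not Salesforce's implementation, and the eight-digit code format, the SHA-256 storage of the code and the class and method names are all assumptions.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

MIN_HOURS, MAX_HOURS = 1, 24   # expiry range stated on the page


class TemporaryCodeStore:
    """Hypothetical store holding at most one temporary verification code per user.
    Codes are kept only as SHA-256 digests so a database leak does not expose them."""

    def __init__(self):
        self._codes = {}   # username -> (hex digest of code, expiry datetime)

    @staticmethod
    def _digest(code: str) -> str:
        return hashlib.sha256(code.encode()).hexdigest()

    def is_valid(self, username: str, now: datetime) -> bool:
        entry = self._codes.get(username)
        return entry is not None and now < entry[1]

    def generate(self, username: str, hours: int, now: datetime) -> str:
        """Issue a new code. Refuses if the expiry is out of range or the user
        still has a valid code (the old one must be expired first)."""
        if not MIN_HOURS <= hours <= MAX_HOURS:
            raise ValueError("expiry must be between 1 and 24 hours")
        if self.is_valid(username, now):
            raise RuntimeError("user already has a valid code; expire it first")
        code = f"{secrets.randbelow(10 ** 8):08d}"   # assumed 8-digit format, constructed for the demo
        self._codes[username] = (self._digest(code), now + timedelta(hours=hours))
        return code

    def expire(self, username: str) -> None:
        """Revoke the code early; usable by an admin or by the user for their own code."""
        self._codes.pop(username, None)

    def verify(self, username: str, submitted: str, now: datetime) -> bool:
        """Codes remain usable multiple times until they expire, so a successful
        check deliberately does not consume the entry."""
        if not self.is_valid(username, now):
            return False
        return hmac.compare_digest(self._digest(submitted), self._codes[username][0])


if __name__ == "__main__":
    store = TemporaryCodeStore()
    issued_at = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed timestamp
    code = store.generate("alice", 2, issued_at)
    print(store.verify("alice", code, issued_at + timedelta(hours=1)))   # True
    print(store.verify("alice", code, issued_at + timedelta(hours=3)))   # False, expired
```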
Customize Multi-Factor Authentication
- Require it for every login. Set the MFA login requirement for every time the user logs in to Salesforce. You can also enable this feature for API logins, which includes the use of client applications like the Data Loader. For more information, see Set Multi-Factor Authentication Login Requirements or Set Multi-Factor Authentication Login Requirements for API Access.
- Use high assurance authentication. Sometimes you don’t need MFA for every user’s login, but you want to secure certain resources. If the user tries to use reports or a connected app, Salesforce prompts the user to verify their identity. For more information, see Session Security Levels.
- Use profile policies and session settings. First, in the user profile, set Session security level required at login to High Assurance. Then set session security levels in your org’s session settings to apply the policy for particular login methods. In your org’s session settings, review the session security levels to make sure that Multi-Factor Authentication is in the High Assurance column. For more information, see Set Multi-Factor Authentication Login Requirements.
Only authentication flows that include a user approval step support using API logins with the High Assurance session security level. These flows are the OAuth 2.0 refresh token flow, web server flow, and user-agent flow. All other flows, such as the JSON Web Token (JWT) bearer token flow, don’t include a user approval step. For flows without a user approval step, API logins with the High Assurance session security level are blocked.
It’s possible that users are prompted to verify their identity with multi-factor authentication twice during the OAuth approval flow. The first challenge occurs in the UI session. The second challenge happens when the access token is bridged into the UI. This second challenge is triggered because the High Assurance session security level isn’t transferred to the access token.
- Use login flows. Use Flow Builder and profiles to build post-authentication requirements as the user logs in, including custom MFA processes. For more information, see the following examples.