Salesforce Security Guide

Salesforce Security Guide
Salesforce Security Basics
Authenticate Users
Elements of User Authentication
Configure User Authentication
Restrict Where and When Users Can Log In to Salesforce
Set Password Policies
Expire Passwords for All Users
Modify Session Security Settings
Define Identity Verification Settings for Your Orgs and Experience Cloud Sites
Require High-Assurance Session Security for Sensitive Operations
Custom Login Flows
Set Up a Login Flow and Connect to Profiles
Login Flow Examples
Multi-Factor Authentication Customizations
Enable MFA with Session Security Levels
Set Multi-Factor Authentication Login Requirements for API Access
Connect Salesforce Authenticator to a Salesforce Account for Identity Verification
Verify Your Identity with a TOTP Authenticator App
Disconnect Salesforce Authenticator from a User’s Account
Disconnect a User’s TOTP Authenticator App
Generate a Temporary Identity Verification Code
Expire a Temporary Verification Code
Implement Multi-Factor Authentication with Apex
Delegate Multi-Factor Authentication Management Tasks
Deploy Third-Party, SMS-Based Multi-Factor Authentication
Limit the Number of Concurrent Sessions with Login Flows
Connected Apps
Give Users Access to Data
Share Objects and Fields
Strengthen Your Data's Security with Shield Platform Encryption
Monitoring Your Organization’s Security
Real-Time Event Monitoring
Security Guidelines for Apex and Visualforce Development
API End-of-Life
PDF

Newer Version Available

This content describes an older version of this product. View Latest

Verify Your Identity with a TOTP Authenticator App

Register a third-party authenticator app, like Salesforce Authenticator or Google Authenticator, as a verification method for verifying your identity. The app generates a verification code called a time-based one-time password (TOTP).
Available in: Both Salesforce Classic and Lightning Experience
Available in: All Editions

If your company requires multi-factor authentication (MFA) for increased security when you log in or access connected apps, reports, or dashboards, use a code from the app. If MFA is turned on and you haven’t set up a verification method yet, you’re prompted to register one the next time you log in to Salesforce.
  1. Download the supported authenticator app for your device type. You can use any authenticator app that supports the TOTP algorithm (IETF RFC 6238), such as Salesforce Authenticator for iOS, Salesforce Authenticator for Android, or Google Authenticator.
  2. From your personal settings, enter Advanced User Details in the Quick Find box, then select Advanced User Details. No results? Enter Personal Information in the Quick Find box, then select Personal Information.
  3. Find App Registration: One-Time Password Authenticator, and click Connect.
    If you’re connecting an authenticator app other than Salesforce Authenticator, use this setting. If you’re connecting Salesforce Authenticator, use this setting only if you’re using its one-time password generator feature (not the push notifications available in version 2 or later).

    If you’re connecting Salesforce Authenticator so that you can use push notifications, use the App Registration: Salesforce Authenticator setting instead. That setting enables both push notifications and one-time password generation.

    Note

    You can connect up to two authenticator apps to your Salesforce account for one-time password generation: Salesforce Authenticator and one other authenticator app.
  4. For security purposes, you’re prompted to log in to your account.
  5. Using the authenticator app on your mobile device, scan the QR code.
    Alternatively, click I Can’t Scan the QR Code in your browser. The browser displays a security key. In the authenticator app, enter your username and the displayed key.
  6. In Salesforce, enter the code generated by the authenticator app in the Verification Code field.
    The authenticator app generates a new verification code periodically. Enter the current code.
  7. Click Connect.
To help keep your account secure, we send you an email notification whenever a new identity verification method is added to your Salesforce account. You get the email whether you add the method or your Salesforce admin adds it on your behalf.