
Restrict Where and When Users Can Log In to Salesforce

You can restrict the hours during which users can log in and the range of IP addresses from which they can log in and access Salesforce. If IP address restrictions are defined for a user’s profile and a login originates from an unknown IP address, Salesforce does not allow the user to log in. These restrictions help protect your data from unauthorized access and phishing attacks.

Multi-Factor Authentication for User Interface Logins

For each profile, you can require users to provide an identity verification method in addition to their username and password when they log in via the user interface. (Note that multi-factor authentication was previously called two-factor authentication.) See Enable MFA with Session Security Levels.

Multi-Factor Authentication for API Logins

For each profile, you can require a verification code, also called a time-based one-time password, or TOTP. Users with the Multi-Factor Authentication for API Logins permission use a verification code instead of the standard security token whenever it’s requested, such as when resetting the account’s password. Users must install and register a TOTP authenticator app to generate these verification codes. (Note that multi-factor authentication was previously called two-factor authentication.) See Set Multi-Factor Authentication Login Requirements for API Access.

Login IP Address Ranges

For Enterprise, Performance, Unlimited, Developer, and Database.com editions, you can set the Login IP Range addresses from which users can log in on an individual profile. Users outside the login IP range can’t access your Salesforce org.

For Contact Manager, Group, and Professional Editions, set the Login IP Range. To set the range, from Setup, enter Session Settings in the Quick Find box, then select Session Settings.

Login IP Address Range Enforcement for All Access Requests

You can enforce IP address restrictions for each page request, including requests from client apps. To enable this option, from Setup, enter Session Settings in the Quick Find box, select Session Settings, and then select Enforce login IP ranges on every request. This option affects all user profiles that have login IP restrictions.

Org-Wide Trusted IP Ranges

For all users, you can set a list of IP address ranges from which they can always log in without receiving a login challenge. Users logging in from outside these trusted ranges can still log in to your org after they provide the additional verification. See Set Trusted IP Ranges for Your Organization.

When users log in to Salesforce via the user interface, the API, or a desktop client such as Salesforce for Outlook, Connect Offline, Connect for Office, or the Data Loader, Salesforce authorizes the login as follows.
  1. Salesforce checks whether the user’s profile has login-hour restrictions. If the user’s profile specifies login-hour restrictions, login attempts outside the specified hours are denied.
  2. If the user has the Multi-Factor Authentication for User Interface Logins permission, the Salesforce login process prompts the user for an identity verification method in addition to their username and password. If the user’s account isn’t already connected to a verification method, such as the Salesforce Authenticator mobile app, Salesforce prompts the user to register a method.
  3. If the user has the Multi-Factor Authentication for API Logins permission and connected an authenticator app to the account, the user must enter a verification code (TOTP) generated by the authenticator app. If the user uses the standard security token, Salesforce returns an error.
  4. Salesforce then checks whether the user’s profile defines IP address range restrictions. If so, logins from outside the IP address range are denied. If the Enforce login IP ranges on every request session setting is enabled, the IP address restrictions are enforced for each page request, including requests from client apps.
  5. If profile-based IP address restrictions aren’t set, Salesforce checks whether the user is logging in from a device that was previously used to access Salesforce.
    • If the user is logging in from a device and browser that Salesforce recognizes, the login is allowed.
    • If the user is logging in from an IP address on your org’s trusted IP address list, the login is allowed.
    • If the user isn’t logging in from a trusted IP address, device, or browser that Salesforce recognizes, the login is blocked.
Whenever a login is blocked or returns an API login fault, Salesforce verifies the user’s identity.
  • For access via the user interface, the user is prompted to verify using Salesforce Authenticator (version 2 or later) or enter a verification code.

    Note: Users aren’t asked for a verification code the first time they log in to Salesforce.

  • For access via the API or client app, if the Multi-Factor Authentication for API Logins permission is set on the user profile, users enter a TOTP verification code generated by an authenticator app.

    If the permission isn’t set, users must add their security token to the end of their password to log in. A security token is a generated key from Salesforce. For example, if a user’s password is mypassword and the security token is XXXXXXXXXX, the user enters mypasswordXXXXXXXXXX to log in. Some client apps have a separate field for the security token.

    Users can get their security token by changing their password or resetting their security token via the Salesforce user interface. When a user changes a password or resets a security token, Salesforce sends a new security token to the email address on the user’s Salesforce record. The security token is valid until the user resets the security token, changes a password, or has a password reset.

    Tip: Before you access Salesforce from a new IP address, we recommend that you get your security token from a trusted network using Reset My Security Token.
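The authorization order above, written out as a small Python model so the precedence of the checks (login hours first, then profile IP ranges as a hard deny, then device recognition or trusted IPs, otherwise an identity challenge) can be exercised against sample inputs. This is an added example, not Salesforce code: the class and function names, the "verify" outcome, and appending the TOTP to the password the same way the security token is appended are assumptions of the model; the UI MFA prompt of step 2 is left out because it is a prompt rather than an allow/deny decision.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed model of the login-authorization order described on this page.
# Not Salesforce code; names and the "verify" outcome are assumptions of the model.

@dataclass
class Profile:
    login_hours: tuple = ()          # (start_hour, end_hour) in 24h clock; () = unrestricted
    login_ip_ranges: list = field(default_factory=list)  # CIDR strings; empty = no restriction
    mfa_api_logins: bool = False     # "Multi-Factor Authentication for API Logins" permission

@dataclass
class Org:
    trusted_ip_ranges: list = field(default_factory=list)  # org-wide trusted IP ranges (CIDR)

def in_ranges(ip: str, ranges: list) -> bool:
    """True when ip falls inside any of the CIDR ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in ranges)

def authorize_ui_login(profile: Profile, org: Org, ip: str, hour: int,
                       known_device: bool) -> str:
    """Return 'allow', 'deny' or 'verify' (blocked, identity verification follows)."""
    # Step 1: login-hour restrictions are checked before anything else.
    if profile.login_hours:
        start, end = profile.login_hours
        if not start <= hour < end:
            return "deny"
    # Step 4: profile IP ranges are a hard allow/deny list; trusted IPs and
    # recognised devices do not override a profile-level denial.
    if profile.login_ip_ranges:
        return "allow" if in_ranges(ip, profile.login_ip_ranges) else "deny"
    # Step 5: no profile ranges set, so a recognised device or a trusted IP is enough.
    if known_device or in_ranges(ip, org.trusted_ip_ranges):
        return "allow"
    return "verify"  # blocked: Salesforce verifies the user's identity

def check_api_credential(profile: Profile, supplied: str, password: str,
                         security_token: str, current_totp: str) -> bool:
    """API/client login: password with the security token appended, or with a TOTP
    when the API MFA permission is set (the standard token is then rejected)."""
    code = current_totp if profile.mfa_api_logins else security_token
    return supplied == password + code
```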

Tips on Setting Login Restrictions

Consider the following when setting login restrictions.
  • When a user’s password is changed, the security token is reset. Login via the API or a client can be blocked until the user adds the generated security token to the end of the password.
  • Partner Portal and Customer Portal users aren’t required to activate their browser to log in.
  • For more information on API login faults, see the Core Data Types Used in API Calls topic in the SOAP API Developer Guide.
  • If single sign-on (SSO) is enabled, API and desktop client users can log in to Salesforce, unless their profile has IP address restrictions set and they try to log in from outside of the range defined. Also, the SSO authority usually handles login lockout policies for users with the Is Single Sign-On Enabled permission. However, if the security token is enabled, your org’s login lockout settings determine how many times users can try to log in with an invalid security token before being locked out.
  • These events count toward the number of times users can try to log in with an invalid password before getting locked out.
    • Each time users are prompted to verify identity
    • Each time users incorrectly add the security token or verification code to the end of their password when logging in to Salesforce via the API or a client