IdentityVerificationEvent

Tracks user identity verification events in your org. IdentityVerificationEvent is a big object that stores the event data when users are prompted to verify their identity. Available in API version 47.0 and later.

Supported Calls

describeSObjects(), query()

Special Access Rules

Accessing this object requires either the Salesforce Shield or Salesforce Event Monitoring add-on subscription as well as the View Real-Time Event Monitoring Data and Manage Multi-Factor Authentication in User Interface permissions.

Event Delivery Allocation Enforced

No

Fields

Field Details
Activity
Type
picklist
Properties
Nillable, Restricted picklist
Description
The action the user attempted that requires identity verification. Possible values include:
  • AccessReports—The user attempted to access reports or dashboards.
  • Apex—The user attempted to access a Salesforce resource with a verification Apex method.
  • ChangeEmail—The user attempted to change an email address.
  • ConnectSms—The user attempted to connect a phone number.
  • ConnectToopher—The user attempted to connect Salesforce Authenticator.
  • ConnectTotp—The user attempted to connect a one-time password generator.
  • ConnectU2F—The user attempted to register a U2F security key.
  • ConnectWebAuthRoaming—The user attempted to register a WebAuthn security key.
  • ConnectedApp—The user attempted to access a connected app.
  • EnableLL—The user attempted to enroll in Lightning Login.
  • ExportPrintReports—The user attempted to export or print reports or dashboards.
  • ExternalClientApp—The user attempted to access an external client app.
  • ExtraVerification—Reserved for future use.
  • ListView—The user attempted to access a list view.
  • Login—The user attempted to log in.
  • Registration—Reserved for future use.
  • TempCode—The user attempted to generate a temporary verification code.
City
Type
string
Properties
Nillable
Description
The city where the user’s IP address is physically located. This value isn’t localized. Due to the nature of geolocation technology, the accuracy of this field can vary.
Country
Type
string
Properties
Nillable
Description
The country where the user’s IP address is physically located. This value isn’t localized. Due to the nature of geolocation technology, the accuracy of this field can vary.
CountryIso
Type
string
Properties
Nillable
Description
The ISO 3166 code for the country where the user’s IP address is physically located. For more information, see Country Codes - ISO 3166.
EventDate
Type
dateTime
Properties
Filter, Sort
Description
The date and time of the identity verification attempt, for example, 7/19/2025, 3:19:13 PM PDT. The time zone is based on GMT.
EventGroup
Type
string
Properties
Nillable
Description
ID of the verification attempt. Verification can involve several attempts and use different verification methods. For example, in a user’s session, a user enters an invalid verification code (first attempt). The user then enters the correct code and successfully verifies identity (second attempt). Both attempts are part of a single verification and, therefore, have the same ID.
EventIdentifier
Type
string
Properties
Filter, Sort
Description
The unique ID of the event, which is shared with the corresponding storage object. For example, 0a4779b0-0da1-4619-a373-0a36991dff90. Use this field to correlate the event with its storage object.
Latitude
Type
double
Properties
Nillable
Description
The latitude where the user’s IP address is physically located. Due to the nature of geolocation technology, the accuracy of this field can vary.
LoginHistoryId
Type
reference
Properties
Nillable
Description
Tracks a user session so that you can correlate user activity with a particular login instance.
LoginKey
Type
string
Properties
Nillable
Description
The string that ties together all events in a given user’s login session. The session starts with a login event and ends with either a logout event or the user session expiring.
Longitude
Type
double
Properties
Nillable
Description
The longitude where the user’s IP address is physically located. Due to the nature of geolocation technology, the accuracy of this field can vary.
Policy
Type
picklist
Properties
Nillable, Restricted picklist
Description
The identity verification security policy or setting.
  • CustomApex—Identity verification made by a verification Apex method.
  • DeviceActivation—Identity verification required for users logging in from an unrecognized device or new IP address. This verification is part of Salesforce’s risk-based authentication.
  • EnableLightningLogin—Identity verification required for users enrolling in Lightning Login. This verification is triggered when the user attempts to enroll. Users are eligible to enroll if they have the Lightning Login User user permission and the org has enabled Allow Lightning Login in Session Settings.
  • ExtraVerification—Reserved for future use.
  • HighAssurance—High assurance session required for resource access. This verification is triggered when the user tries to access a resource, such as a connected app, report, or dashboard, that requires a high-assurance session level.
  • LightningLogin—Identity verification required for internal users logging in via Lightning Login. This verification is triggered when the enrolled user attempts to log in. Users are eligible to log in if they have the Lightning Login User user permission and have successfully enrolled in Lightning Login. Also, from Session Settings in Setup, Allow Lightning Login must be enabled.
  • PageAccess—Identity verification required for users attempting to perform an action, such as changing an email address or adding a verification method for multi-factor authentication (MFA).
  • Passwordless Login—Identity verification required for customers attempting to log in to an Experience Cloud site that is set up for passwordless login. The admin controls which registered verification methods can be used, for example, email, SMS, Salesforce Authenticator, or TOTP.
  • ProfilePolicy—Session security level required at login. This verification is triggered by the Session security level required at login setting on the user’s profile.
  • TwoFactorAuthentication—Multi-factor authentication (formerly called two-factor authentication) required at login. This verification is triggered by the Multi-Factor Authentication for User Interface Logins user permission assigned to a custom profile. Or the user permission is included in a permission set that is assigned to a user.
PostalCode
Type
string
Properties
Nillable
Description
The postal code where the user’s IP address is physically located. This value isn’t localized. Due to the nature of geolocation technology, the accuracy of this field can vary.
Remarks
Type
string
Properties
Nillable
Description
The text users see on the page or in Salesforce Authenticator when prompted to verify their identity. For example, if identity verification is required for users to log in, they see “You’re trying to Log In to Salesforce.” In this case, the Remarks value is “Log In to Salesforce.” But if the Activity value is Apex, the Remarks value is a custom description specified in the Apex method. If users are verifying their identity using Salesforce Authenticator, the custom description also appears in the app. If the custom description isn’t specified, the Remarks value is the name of the Apex method. The label is Activity Message.
ResourceId
Type
reference
Properties
Nillable
Description
If the Activity value is ConnectedApp, the ResourceId value is the ID of the connected app. The label is Connected App ID.
SessionKey
Type
string
Properties
Nillable
Description
The user’s unique session ID. Use this value to identify all user events within a session. When a user logs out and logs in again, a new session is started.
SessionLevel
Type
picklist
Properties
Nillable, Restricted picklist
Description
Session-level security controls user access to features that support it, such as connected apps and reporting. Possible values are:
  • HIGH_ASSURANCE—Used for resource access. For example, when the user tries to access a resource such as a connected app, report, or dashboard that requires a high-assurance session level.
  • LOW—Indicates that the user’s security level for the current session meets the lowest requirements. This low level is not available or used in the Salesforce UI. User sessions through the UI are either standard or high assurance. You can set this level using the API, but users assigned this level experience unpredictable and reduced functionality in their Salesforce org.
  • STANDARD—Indicates that the user’s security level for the current session meets the Standard requirements set in the org’s Session Security Levels.
SourceIp
Type
string
Properties
Nillable
Description
The IP address of the machine from which the user attempted the action that requires identity verification. For example, the IP address of the machine from where the user tried to log in or access reports. If it’s a non-login action that required verification, the IP address can be different from the address from where the user logged in. This address can be an IPv4 or IPv6 address.
Status
Type
picklist
Properties
Nillable, Restricted picklist
Description
The status of the identity verification attempt.
  • AutomatedSuccess—Salesforce approved the request for access because the request came from a trusted location. After a user enables location services in Salesforce, the user can designate trusted locations. When the user trusts a location for a particular activity, such as logging in from a recognized device, that activity is approved from the trusted location for as long as the location is trusted.
  • Denied—The user denied the approval request in the authenticator app.
  • FailedGeneralError—An error caused by something other than an invalid verification code, too many verification attempts, or authenticator app connectivity.
  • FailedInvalidCode—The user entered an invalid verification code.
  • FailedInvalidPassword—The user entered an invalid password.
  • FailedPasswordLockout—The user attempted to enter a password too many times.
  • FailedTooManyAttempts—The user attempted to verify identity too many times. For example, the user entered an invalid verification code repeatedly.
  • InProgress—Salesforce challenged the user to verify identity and is waiting for either the user to respond or for Salesforce to send an automated response.
  • Initiated—Salesforce initiated identity verification but hasn’t yet challenged the user.
  • ReportedDenied—The user denied the approval request in the authenticator app, such as Salesforce Authenticator, and also flagged the approval request to report to an administrator.
  • Succeeded—The user’s identity was verified.
Subdivision
Type
string
Properties
Nillable
Description
The name of the subdivision where the user’s IP address is physically located. In the United States, this value is usually the state name (for example, Pennsylvania). This value isn’t localized. Due to the nature of geolocation technology, the accuracy of this field can vary.
UserId
Type
reference
Properties
Nillable
Description
ID of the user verifying identity.
Username
Type
string
Properties
Nillable
Description
The username of the user challenged for identity verification in user@company.com format.
VerificationMethod
Type
picklist
Properties
Nillable, Restricted picklist
Description
The method by which the user attempted to verify identity in the verification event.
  • BuiltInAuthenticator—A built-in authenticator set up on the user’s device, such as Touch ID or Windows Hello, generated the required credentials. This value is available in API version 53.0 and later.
  • Email—Salesforce sent an email with a verification code to the address associated with the user’s account.
  • EnableLL—Salesforce Authenticator sent a notification to the user’s mobile device to enroll in Lightning Login.
  • LL—Salesforce Authenticator sent a notification to the user’s mobile device to approve login via Lightning Login.
  • Password—Salesforce prompted for a password.
  • SalesforceAuthenticator—Salesforce Authenticator sent a notification to the user’s mobile device to verify account activity.
  • Sms—Salesforce sent a text message with a verification code to the user’s mobile device. SMS messaging requires a Salesforce add-on license for Identity Verification Credits.
  • TempCode—A Salesforce admin or a user with the Manage Multi-Factor Authentication in User Interface permission generated a temporary verification code for the user.
  • Totp—An authenticator app generated a time-based, one-time password (TOTP) on the user’s mobile device.
  • U2F—A U2F security key generated the required credentials for the user.
  • WebAuthnRoamingAuthenticator—A WebAuthn security key generated the required credentials for the user.

Standard SOQL Usage

Example

SELECT Username, EventGroup, Activity, Policy, Status, VerificationMethod, City, Country, Latitude, Longitude FROM IdentityVerificationEvent
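An added example, not part of the Salesforce documentation: client-side triage of query results that collapses attempts sharing an EventGroup into one verification and flags those with a user-reported denial or repeated failures. The time window, the threshold, the function names, and the sample rows are assumptions constructed for illustration.

```python
from collections import defaultdict

# Status picklist values (from the field list above) that mark an unsuccessful attempt.
FAILED = {"Denied", "ReportedDenied", "FailedGeneralError", "FailedInvalidCode",
          "FailedInvalidPassword", "FailedPasswordLockout", "FailedTooManyAttempts"}
SUCCESS = {"Succeeded", "AutomatedSuccess"}

# Only EventDate and EventIdentifier are listed with the Filter property, so the
# query narrows by time only and Status is evaluated client-side. Window is constructed.
SOQL = ("SELECT Username, EventGroup, EventDate, Status "
        "FROM IdentityVerificationEvent WHERE EventDate >= 2025-07-19T00:00:00Z")

# Constructed sample rows, shaped like the records a query() call would return.
KEYS = ("EventGroup", "Username", "EventDate", "Status")
SAMPLE = [dict(zip(KEYS, r)) for r in [
    ("g1", "alice@example.com", "2025-07-19T22:19:13Z", "FailedInvalidCode"),
    ("g1", "alice@example.com", "2025-07-19T22:19:40Z", "Succeeded"),
    ("g2", "bob@example.com", "2025-07-19T23:01:02Z", "Denied"),
    ("g2", "bob@example.com", "2025-07-19T23:01:30Z", "ReportedDenied"),
    ("g3", "carol@example.com", "2025-07-19T23:10:00Z", "FailedInvalidCode"),
    ("g3", "carol@example.com", "2025-07-19T23:10:20Z", "FailedInvalidCode"),
    ("g3", "carol@example.com", "2025-07-19T23:10:45Z", "FailedTooManyAttempts"),
]]

def summarize(rows):
    """Collapse attempts that share an EventGroup into one verification record."""
    groups = defaultdict(list)
    for r in rows:
        groups[r["EventGroup"]].append(r)
    out = {}
    for gid, evs in groups.items():
        evs.sort(key=lambda e: e["EventDate"])  # same-format ISO 8601 sorts chronologically
        statuses = [e["Status"] for e in evs]
        out[gid] = {
            "Username": evs[0]["Username"],
            "failures": sum(s in FAILED for s in statuses),
            "succeeded": any(s in SUCCESS for s in statuses),
            "reported": "ReportedDenied" in statuses,
            "final": statuses[-1],
        }
    return out

def flag(rows, max_failures=3):
    """Keep verifications with a user-reported denial or at least max_failures failures."""
    return {gid: v for gid, v in summarize(rows).items()
            if v["reported"] or v["failures"] >= max_failures}

if __name__ == "__main__":
    for gid, v in flag(SAMPLE).items():
        print(gid, v)
```

Grouping on EventGroup before counting keeps a single mistyped code followed by success (g1 in the sample) from being reported as a failed verification.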