Skip to main content
+2,000 points

Session Security Superbadge Unit

Increase session security and limit exposure to your network.

~1 hr

Session Security Superbadge Unit

What You'll Be Doing to Earn This Superbadge

  1. Configure multi-factor authentication (MFA) for all direct logins.
  2. Enforce MFA challenges to access high-risk resources.
  3. Increase session security to address cybersecurity threats.

Concepts Tested in This Superbadge

  • Session Security

Prework and Notes

Sign Up for a Developer Edition Org with Special Configuration

To complete this superbadge unit, you need a special Developer Edition org that contains special configuration and sample data. Note that this Developer Edition org is designed to work with the challenges in this superbadge unit.

  1. Sign up for a free Developer Edition org with special configuration.

  2. Fill out the form. For Email address, enter an active email address.

  3. After you fill out the form, click Sign me up.
  4. When you receive the activation email (this might take a few minutes), open it and click Verify Account.

  5. Complete your registration by setting your password and challenge question. Tip: Write down your username, password, and login URL for easy access later.

  6. You are logged in to your superbadge Developer Edition org.

Now, connect your new Developer Edition org to Trailhead.

  1. Make sure you’re logged in to your Trailhead account.

  2. In the Challenge section at the bottom of this page, select Connect Org from the picklist.

  3. On the login screen, enter the username and password for the Developer Edition org you just set up.

  4. On the Allow Access? page, click Allow.

  5. On the Want to connect this org for hands-on challenges? page, click Yes! Save it. You are redirected back to the Challenge page and ready to use your new Developer Edition org to earn this superbadge.

  6. Now that you have a Salesforce org with special configuration for this superbadge unit, you’re good to go.


  • Complete all steps in this superbadge in Salesforce Lightning Experience.

  • Some of the terminology used in this superbadge is descriptive and may not match the name as it appears in the user interface (UI). This is to test your knowledge of Salesforce features and ability to select the correct feature to satisfy a business need.



Before you begin the challenges, review Application Security Specialist Superbadge: Trailhead Challenge Help.

Make sure you’re using a new Developer Edition org from this sign-up link to complete the challenges in this superbadge unit. If you use an org that has been used for other work, you won’t pass the challenges in this superbadge unit.

This superbadge unit is part of the Application Security Specialist Superbadge. Complete the capstone assessment and related superbadge units to receive the Application Security Specialist Superbadge.

Review Superbadge Challenge Help for information about the Salesforce Certification Program and Superbadge Code of Conduct.

Use Case

Hundreds & Thousands is a growing sprinkle confectionery company with massive demand for its sweet treats. And the company's success has not gone unnoticed. The sprinkle market is massively competitive and the landscape is positively dotted with security threats.

The information security (InfoSec) team at Hundreds & Thousands has just completed a comprehensive security evaluation. As an admin on the Salesforce team, you have been tasked with translating the InfoSec team’s requirements into security solutions in your org.

Buckle up, cupcake, and get ready to sprinkle some added security on your org.

Business Requirements

This section represents the sections of the InfoSec team’s report that apply to the Hundreds & Thousands Salesforce implementation.

Multi-Factor Authentication Session Requirements


Important: You must connect the Salesforce Authenticator app to your admin user before you complete the challenges below. If you skip this step, you may lock yourself out of your org or block yourself from making certain updates within the org.

Ah, multi-factor authentication (MFA). Thanks to your pals at Salesforce, you’re well aware that MFA is contractually required for all users as of February 1, 2022. The Hundreds & Thousands Salesforce team successfully rolled out MFA to all users well before the deadline. Most users are required to log in via a third-party single sign-on (SSO) provider that issues an MFA challenge. The few users who are permitted to log in to the org directly are assigned the MFA Authorization Required permission set.

While the current org configurations meet the MFA requirements, the permission sets are assigned manually and some new users have not been configured correctly. Could you build some fancy flow that automatically provisions the right permissions to the right users? You sure could! But you know there’s an easier way to make sure MFA is required for all direct logins, regardless of the profile or permission sets assigned to the user. Go ahead and do that; future Hundreds & Thousands admins will thank you.

Speaking of MFA, the InfoSec team has requested that an additional MFA challenge be required for certain actions users take within the Salesforce org. Make the appropriate configurations that will require a user to complete an MFA challenge before performing any of the tasks listed below.

Export Data

  • Export or print reports/dashboards
  • Export service to back up org data

User Access Management

  • Configure permission sets
  • Configure profiles
  • Configure password policies
  • Configure roles
  • Configure sharing settings
  • Configure users

Other Privileged Access

  • Create or edit connected apps

Additional Session Security Requirements

Now that you’ve assured the InfoSec team that the sensitive org operations outlined in their report now have an additional MFA requirement, you can move on to the remaining security specifications. Review the information provided below to determine the appropriate course of action.

Security Concern Details Action
Session Takeovers In a physical or cyberattack, a threat actor takes over a legitimate, active session. Reduce the allowed period of user inactivity to 1 hour.
Floating Sessions When an admin impersonates another user, the active sessions can be left "floating" and therefore vulnerable to attack. Permit admins to log in as other users for troubleshooting purposes, but make them log in again to their admin user afterward.
Session Cookies An attacker could use a session cookie to impersonate a user. Restrict session ID cookie access so that it's not accessible through non-HTTP methods.
Stolen Devices* Login IP ranges are restricted to the corporate virtual private network (VPN). However, a device that is stolen during an active session would maintain access even if the VPN is disconnected. Make sure login IP ranges are enforced on every page request, not just during initial login.
Username Reuse Users may use the same username across multiple services and applications, which makes it easier for attackers to gain access. Prevent the user's browser from storing and automatically populating their Salesforce username.

*Important: Don’t enable the setting that locks sessions to the IP address from which they originated. This may block Trailhead from checking the solutions in your org. Also, you don’t need to adjust or create any new login IP ranges to complete this challenge.

Ready to Tackle This Superbadge?

Please first complete the prerequisites and the challenge for Session Security Superbadge Unit will be unlocked.

~1 hr