Secure Your Users' Identity
- Describe ways to identify your users in addition to a username and password.
- Set up two-factor authentication.
- Use the Salesforce Authenticator app to verify identity.
- Get login information about users who log in to your org.
What are the two factors?
- Something users know, like their password
- Something users have, such as a mobile device with an authenticator app installed
That second factor of authentication provides an extra layer of security for your org.
As an admin, you can require it every time your users log in. Or you can require it only in some circumstances, such as when users log in from an unrecognized device or try to access a high-risk application. After users successfully verify their identity with both authentication factors, they can access Salesforce and start working.
Sound cool? Let’s see how it works.
SPOILER ALERT: If you use the redesigned Salesforce Authenticator mobile app (version 2 or later), you can verify your identity without using codes. We’ll get to that exciting development in a bit.
Here’s a video explaining how you can use Salesforce Authenticator to secure your Salesforce org with two-factor authentication.
- Every time they log in to Salesforce, including API logins.
- When they access a connected app, dashboard, or report. This process is known as step-up or high-assurance authentication.
- During a custom login flow or within a custom app, for example, before reading a license agreement. More on this topic later in the trail.
Suppose you’re a Salesforce admin for Jedeye Technologies, a company not located in a galaxy far, far away. Your chief security officer has handed you a mission: Make all employees supply more than their username and password every time they try to access the company’s Salesforce org.
To keep things simple, let’s set up two-factor authentication for a new Jedeye Technologies employee, Sia Thripio. In the real world, you can set up two-factor authentication (2FA) for existing users, new users, and by user profile. We start out by setting the proper session security level for 2FA, creating a Salesforce account for Sia, and then setting up 2FA.
Step 1: Set the session security level for two-factor authentication
First, let’s make sure that the right security level is associated with the two-factor authentication login method. It’s important to do this step before you set up a 2FA requirement for any admin users. Otherwise, you could prevent yourself or other admins from logging in.
- From Setup, enter Session Settings in the Quick Find box, then select Session Settings.
- Under Session Security Levels, make sure that two-factor authentication is in the High Assurance category.
Step 2: Create an employee account
- From Setup, enter Users in the Quick Find box, then select Users.
- Click New User.
- For the first name and last name, enter Sia and Thripio, respectively.
- Enter your email address in the Email field. This setting is to get account notifications for Sia.
- Create a username for Sia and enter it in the Username field. It must be in email address format, but doesn’t have to be a working email address. We’re going to use email@example.com.
- Edit or accept the nickname value.
- For User License, select Salesforce Platform.
- For Profile, select Standard Platform User. While you’re here, deselect the options to receive Salesforce CRM content alerts. No need to clutter your inbox with unnecessary email from Salesforce.
- Make sure that Generate new password and notify user immediately is selected—it’s way down at the bottom of the page. Salesforce emails you about Sia’s new account because you entered your email address in the Email field.
- Click Save. Salesforce emails you a link to verify the account and set Sia’s password.
- Log in as Sia, and reset the password.
After you set the password, create a permission set that you’ll assign to Sia’s user account.
Step 3: Create a permission set for two-factor authentication
A permission set is a collection of settings and permissions that gives users access to various Salesforce features, including two-factor authentication. Typically, you create a permission set for a group of users. But for this example, we set one up just for Sia.
- If you’re logged in as Sia, log out. Log in again as the system administrator of your DE org.
- From Setup, enter Permission in the Quick Find box, then select Permission Sets.
- Click New.
- Label the permission “2fa Auth for User Logins”.
- Click Save.
- Under System, click System Permissions. Now you’re on the detail page for the 2fa Auth for User Logins permission set.
- Click Edit.
- Select Two-Factor Authentication for User Interface Logins.
- Click Save.
You’re almost there! You just need to assign the permission set.
Step 4: Assign the permission set to Sia’s account
If you’re not on the detail page for your new permission set, navigate back there.
- On the detail page of the new permission set, click Manage Assignments.
- Click Add Assignments. On the list of users, select the checkbox next to Sia’s account. (If you wanted, you could assign up to 1,000 users at a time.)
- Click Assign.
Great! You’ve set up two-factor authentication for Sia. When Sia logs in, she’s prompted to provide a second factor of authentication in addition to her username and password.
But what does Sia use as the second factor? She needs to get an app and connect it to her Salesforce user account before she can log in.
If users don’t download the app right away, it’s not a disaster. They’re prompted to do so when they log in for the first time after you set up the two-factor authentication requirement.
Let’s check out the app with our new employee, Sia Thripio. Get your Android or iOS mobile device and pretend it’s Sia’s phone. You’re going to download the Salesforce Authenticator app and connect it to Sia’s account.
Heads up that you’ll be jumping back and forth between two devices in the following steps. When you’re on your PHONE, you’re working as Sia in the Salesforce Authenticator app. When you’re on your DESKTOP, you’re logged in as Sia in your Salesforce DE org in a web browser.
- PHONE: Download and install Salesforce Authenticator for iOS from the App Store or Salesforce Authenticator for Android from Google Play.
- Tap the app icon to open Salesforce Authenticator.
- DESKTOP: If you’re still logged in to your DE org as a system administrator, log out.
- DESKTOP: Use Sia’s username and password to log in.
- DESKTOP: Salesforce prompts you to connect Salesforce Authenticator to Sia’s account.
- PHONE: Page through the tour to learn how Salesforce Authenticator works.
- PHONE: Enter Sia’s (your) mobile number to create a backup of her accounts. Then tap the notification when prompted to complete the verification. You can skip creating a passcode for now. (Later on, Sia can create a passcode if she wants to set up a backup to restore her accounts.)
- Tap the arrow to add Sia’s account to Salesforce Authenticator. The app displays a two-word phrase. (Hey, did you get an especially poetic or amusing phrase? Let us know! #Trailhead #AwesomePhrase #SalesforceAuthenticator.)
- DESKTOP: Enter the phrase in the Two-Word Phrase field.
- DESKTOP: Click Connect.
- PHONE: Salesforce Authenticator shows you details about the account
you’re connecting: Sia’s username and the name of the service
provider—in this case, Salesforce.
- PHONE: Tap Connect.
- PHONE: Tap Approve to finish logging in to Salesforce as Sia.
- DESKTOP: Sia’s in! She can go about her business.
Now, whenever someone logs in to Sia’s account, she gets a notification on her phone. She opens the app and checks the activity details. If everything looks right, she just taps Approve on her phone. If she doesn’t recognize the activity, she taps Deny to block it.
Let's take a closer look at the data Salesforce Authenticator keeps track of.
- The action that Salesforce Authenticator is verifying. Other actions could show up here if you set up even tighter security. For example, you could require authentication when someone tries to access a record or dashboard. This process is called “step up” authentication.
- The user who’s trying to log in.
- The service the user is attempting to access. You can use Salesforce Authenticator with the LastPass password manager and other services that require stronger authentication.
- The device or browser that the login attempt is taking place on.
- Where the phone is located.
Automate the Authentication Process
Let’s try it out.
- DESKTOP: Log out of Sia’s account and then log in as Sia again.
- PHONE: At the prompt, select Always approve from this location.
- DESKTOP: Log out of Sia’s account and log in again. Voila! You’re not prompted for a password. Salesforce Authenticator recognizes that Sia’s logging in to her Salesforce account again using the same device and at the same location. Access granted automatically!
Any time Sia tries to log in from a different location, she can add the location to the Salesforce Authenticator list of trusted locations. To view the list and other account details, Sia selects the information icon which opens the accounts details page.
The account details page lists trusted locations and login activity history. Verified Activities shows how many times Salesforce Authenticator has verified Sia’s login to Salesforce. Automations shows how many times Salesforce Authenticator logged Sia in automatically from a trusted location.
What if Sia no longer trusts a location? Simple. She swipes left. She can clear all trusted locations at once by selecting and then Clear Trusted Locations.
Sometimes the automated verification doesn’t work, like when the data connection drops off. Not a problem. Sia just types in the code that Salesforce Authenticator displays.
Want to restrict users’ automated verifications to trusted IP addresses only, such as your corporate network? Or prevent them entirely? You can. When logged in as an admin, go to your org's Session Settings and change what’s allowed.
If Sia enabled account backups in her Salesforce Authenticator app, she’s in great shape. All she has to do is reinstall Salesforce Authenticator on her new phone. When she opens the app, she’ll see the option to restore her accounts from her backup. Sia enters the passcode she used when she backed up her accounts, and her accounts reappear on her phone.
What if Sia didn’t back up her accounts? Here’s what you can do to help.
- Log in as an administrator.
- From Setup, enter Users in the Quick Find box, then select Users.
- Click Sia’s name.
- On Sia’s user detail page, click Disconnect next to App Registration: Salesforce Authenticator.
The next time Sia logs in, if she doesn’t have another verification method connected, she’s prompted to connect Salesforce Authenticator again.
- Log in as the system administrator of your DE org.
- From Setup, enter Verification in the Quick Find box, then select Identity Verification History.
Check out the Location column. It defaults to the user’s country, but you can get more detail by creating a custom view.
Congratulations, administrator! You’ve set up 2FA and enabled a user to log in to Salesforce with it. We encourage you to explore other 2FA options for your users, such as U2F security keys that serve as a second factor and don’t require a mobile phone. Let’s learn more about how to get even more control over your login process in the next unit, “Customizing Your Login Process with My Domain.”
- Salesforce Authenticator
- Requirements for Salesforce Authenticator (Versions 2 and 3)
- Connect Salesforce Authenticator (Version 3 or Later) to Your Account for Identity Verification
- Verify Your Identity with a One-Time Password Generator App or Device
- Create a Login Flow
- Monitor Identity Verification History
- Back Up Your Connected Accounts in the Salesforce Authenticator Mobile App