Start tracking your progress
Trailhead Home
Trailhead Home

Secure Your Users' Identity

Learning Objectives

After completing this module, you’ll be able to:
  • Describe ways to identify your users in addition to a username and password.
  • Set up two-factor authentication.
  • Use the Salesforce Authenticator app to verify identity.
  • Get login information about users who log in to your org.

Secure Identity with Two-Factor Authentication and Salesforce Authenticator

As an admin, you probably walk a fine line between making sure that your Salesforce org is secure and that your users can log in quickly and easily. The most effective way to protect your org and its data is to require that users provide more than just their username and password. Security experts call this two-factor authentication, or 2FA for short.


To complete the tasks in this unit, you need a mobile device running either Android or iOS.

What Is Two-Factor Authentication?

Sounds like a mathematical equation, right? Whether math thrills you or fills you with dread, just know that 2FA has nothing to do with high school algebra. But it has everything to do with making sure that your users are who they say they are.

What are the two factors?

  • Something users know, like their password
  • Something users have, such as a mobile device with an authenticator app installed
2FA Something you know and something you have

That second factor of authentication provides an extra layer of security for your org.

As an admin, you can require it every time your users log in. Or you can require it only in some circumstances, such as when users log in from an unrecognized device or try to access a high-risk application. After users successfully verify their identity with both authentication factors, they can access Salesforce and start working.

Sound cool? Let’s see how it works.

How Two-Factor Authentication Works

You might not have known what it’s called, but you’ve probably already used two-factor authentication. Every time you get cash from the ATM, you use something you have (your bank card) plus something you know (your PIN). And maybe you already have an authenticator app on your phone. For instance, you enter a verification code that you get from the app when you log in to some of your online accounts. This unique code is sometimes called a time-based one-time password (or TOTP for short) because it expires after a set amount of time. Several vendors, including Salesforce and Google, provide apps that generate these time-sensitive codes.

SPOILER ALERT: If you use the redesigned Salesforce Authenticator mobile app (version 2 or later), you can verify your identity without using codes. We’ll get to that exciting development in a bit.

Here’s a video explaining how you can use Salesforce Authenticator to secure your Salesforce org with two-factor authentication.

When Can Users Be Prompted for Two-Factor Authentication?

Users can be prompted for two-factor authentication in various circumstances.
  • Every time they log in to Salesforce, including API logins.
  • When they access a connected app, dashboard, or report. This process is known as step-up or high-assurance authentication.
  • During a custom login flow or within a custom app, for example, before reading a license agreement. More on this topic later in the trail.

Set Up Two-Factor Authentication for Every Login

Now that you know the basics of two-factor authentication, let’s see how easy it is to set up.

Suppose you’re a Salesforce admin for Jedeye Technologies, a company not located in a galaxy far, far away. Your chief security officer has handed you a mission: Make all employees supply more than their username and password every time they try to access the company’s Salesforce org.

To keep things simple, let’s set up two-factor authentication for a new Jedeye Technologies employee, Sia Thripio. In the real world, you can set up two-factor authentication (2FA) for existing users, new users, and by user profile. We start out by setting the proper session security level for 2FA, creating a Salesforce user for Sia, and then setting up 2FA.

Step 1: Set the session security level for two-factor authentication

First, let’s make sure that the right security level is associated with the two-factor authentication login method. It’s important to do this step before you set up a 2FA requirement for any admin users. Otherwise, you could prevent yourself or other admins from logging in.

  1. From Setup, enter Session Settings in the Quick Find box, then select Session Settings.
  2. Under Session Security Levels, make sure that two-factor authentication is in the High Assurance category.

Step 2: Create a user

  1. From Setup, enter Users in the Quick Find box, then select Users.
  2. Click New User.
  3. For the first name and last name, enter Sia and Thripio, respectively.
  4. Enter your email address in the Email field. This setting is to get user notifications for Sia.
  5. Create a username for Sia and enter it in the Username field. It must be in email address format, but it doesn’t have to be a working email address. Make sure the email address is unique in your Trailhead Playground. We’re going to use Sia's first initial, last name, and current date in the username like this:
  6. Edit or accept the nickname value.
  7. For User License, select Salesforce Platform.
  8. For Profile, select Standard Platform User. While you’re here, deselect the options to receive Salesforce CRM content alerts. No need to clutter your inbox with unnecessary email from Salesforce.
  9. Make sure that Generate new password and notify user immediately is selected—it’s way down at the bottom of the page. Salesforce emails you about Sia’s new user because you entered your email address in the Email field.
  10. Click Save. Salesforce emails you a link to verify the user and set Sia’s password.
    Note: If you get an error that the username exists, create a user with a different name.
  11. Log in as Sia, and reset the password.

After you set the password, create a permission set that you’ll assign to Sia’s user.

Step 3: Create a permission set for two-factor authentication

A permission set is a collection of settings and permissions that gives users access to various Salesforce features, including two-factor authentication. Typically, you create a permission set for a group of users. But for this example, we set one up just for Sia.

  1. If you’re logged in as Sia, log out. Log in again as the system administrator of your your Trailhead Playground.
  2. From Setup, enter Permission in the Quick Find box, then select Permission Sets.
  3. Click New.
  4. Label the permission “2fa Auth for User Logins”.
  5. Click Save.
  6. Under System, click System Permissions. Now you’re on the detail page for the 2fa Auth for User Logins permission set.
  7. Click Edit.
  8. Select Two-Factor Authentication for User Interface Logins.
    Two-Factor Authentication for User Interface Logins permission selected
  9. Click Save.

System Permissions You’re almost there! You just need to assign the permission set.

Step 4: Assign the permission set to Sia’s user

If you’re not on the detail page for your new permission set, navigate back there.

  1. On the detail page of the new permission set, click Manage Assignments.
  2. Click Add Assignments. On the list of users, select the checkbox next to Sia’s user. (If you wanted, you could assign up to 1,000 users at a time.)
  3. Click Assign.

Great! You’ve set up two-factor authentication for Sia. When Sia logs in, she’s prompted to provide a second factor of authentication in addition to her username and password.

But what does Sia use as the second factor? She needs to get an app and connect it to her Salesforce user before she can log in.

Connect the Salesforce Authenticator Mobile App to a User

Like making an unannounced visit to a city in the clouds, it’s a bad idea to require two-factor authentication without helping your users get a second factor. You probably won’t get frozen and taken prisoner, but you might get lots of calls when you least want them, like when you’re watching an epic motion picture. Fortunately, Salesforce makes it easy for you to help your users. Just have them download the free Salesforce Authenticator app onto their mobile device and connect it to their Salesforce user.

If users don’t download the app right away, it’s not a disaster. They’re prompted to do so when they log in for the first time after you set up the two-factor authentication requirement.

Let’s check out the app with our new employee, Sia Thripio. Get your Android or iOS mobile device and pretend it’s Sia’s phone. You’re going to download the Salesforce Authenticator app and connect it to Sia’s user.

Heads up that you’ll be jumping back and forth between two devices in the following steps. When you’re on your PHONE, you’re working as Sia in the Salesforce Authenticator app. When you’re on your DESKTOP, you’re logged in as Sia in your Trailhead Playground in a web browser.

  1. PHONE: Download and install Salesforce Authenticator for iOS from the App Store or Salesforce Authenticator for Android from Google Play.
  2. Tap the app icon to open Salesforce Authenticator.
  3. DESKTOP: If you’re still logged in to your Trailhead Playground as a system administrator, log out.
  4. DESKTOP: Use Sia’s username and password to log in. Salesforce desktop login screen
  5. DESKTOP: Salesforce prompts you to connect Salesforce Authenticator to Sia’s user.
  6. PHONE: Page through the tour to learn how Salesforce Authenticator works.
  7. PHONE: Enter Sia’s (your) mobile number to create a backup of her accounts. Then tap the notification when prompted to complete the verification. You can skip creating a passcode for now. (Later on, Sia can create a passcode if she wants to set up a backup to restore her accounts.)
  8. Tap the arrow to add Sia’s user to Salesforce Authenticator. The app displays a two-word phrase. (Hey, did you get an especially poetic or amusing phrase? Let us know! #Trailhead #AwesomePhrase #SalesforceAuthenticator.)
  9. DESKTOP: Enter the phrase in the Two-Word Phrase field. Salesforce Authenticator two-word phrase
  10. DESKTOP: Click Connect.
  11. PHONE: Salesforce Authenticator shows you details about the user you’re connecting: Sia’s username and the name of the service provider—in this case, Salesforce. Salesforce Authenticator connect account
  12. PHONE: Tap Connect.
  13. PHONE: Tap Approve to finish logging in to Salesforce as Sia.
  14. DESKTOP: Sia’s in! She can go about her business.

Now, whenever someone logs in to Sia’s user, she gets a notification on her phone. She opens the app and checks the activity details. If everything looks right, she just taps Approve on her phone. If she doesn’t recognize the activity, she taps Deny to block it.

Let's take a closer look at the data Salesforce Authenticator keeps track of.

  1. The action that Salesforce Authenticator is verifying. Other actions could show up here if you set up even tighter security. For example, you could require authentication when someone tries to access a record or dashboard. This process is called “step up” authentication.
  2. The user who’s trying to log in.
  3. The service the user is attempting to access. You can use Salesforce Authenticator with the LastPass password manager and other services that require stronger authentication.
  4. The device or browser that the login attempt is taking place on.
  5. Where the phone is located.

Salesforce Authenticator datapoints

Automate the Authentication Process

Suppose Sia logs in from the same place (the office, her home, or her favorite, dimly lit cafe) regularly. Tapping Approve could get old after a while. If she lets Salesforce Authenticator use her phone’s location services, she can tell the app to verify her activities automatically when she’s in a particular spot. In other words, if everything is normal, she doesn’t even have to pull her phone out of her pocket. She’s completed two-factor authentication invisibly.

Let’s try it out.

  1. DESKTOP: Log out of Sia’s user and then log in as Sia again.
  2. PHONE: At the prompt, select  Always approve from this location.
  3. DESKTOP: Log out of Sia’s user and log in again. Voila! You’re not prompted for a password. Salesforce Authenticator recognizes that Sia’s logging in to her Salesforce account again using the same device and at the same location. Access granted automatically!

Any time Sia tries to log in from a different location, she can add the location to the Salesforce Authenticator list of trusted locations. To view the list and other account details, Sia selects the information icon which opens the accounts details page.

Salseforce Authenticator account information

The account details page lists trusted locations and login activity history. Verified Activities shows how many times Salesforce Authenticator has verified Sia’s login to Salesforce. Automations shows how many times Salesforce Authenticator logged Sia in automatically from a trusted location.

Salesforce Authenticator account details

What if Sia no longer trusts a location? Simple. She swipes left. She can clear all trusted locations at once by selecting Salesforce Authenticator settings icon and then Clear Trusted Locations.

Sometimes the automated verification doesn’t work, like when the data connection drops off. Not a problem. Sia just types in the code that Salesforce Authenticator displays.

Want to restrict users’ automated verifications to trusted IP addresses only, such as your corporate network? Or prevent them entirely? You can. When logged in as an admin, go to your org's Session Settings and change what’s allowed.

Session Settings that control location-based automated verifications

What Happens If Sia Loses Her Mobile Phone?

Good question. As you know, users crash or get marooned on desert planets and lose their phones. Happens all the time. If Sia loses her phone, gets a new one, or accidentally deletes Salesforce Authenticator, she has a few options. Sia can either restore her accounts from the backup she made earlier, or you can reset two-factor authentication for her.

If Sia enabled account backups in her Salesforce Authenticator app, she’s in great shape. All she has to do is reinstall Salesforce Authenticator on her new phone. When she opens the app, she’ll see the option to restore her accounts from her backup. Sia enters the passcode she used when she backed up her accounts, and her accounts reappear on her phone.

What if Sia didn’t back up her accounts? Here’s what you can do to help.

  1. Log in as an administrator.
  2. From Setup, enter Users in the Quick Find box, then select Users.
  3. Click Sia’s name.
  4. On Sia’s user detail page, click Disconnect next to App Registration: Salesforce Authenticator.

The next time Sia logs in, if she doesn’t have another verification method connected, she’s prompted to connect Salesforce Authenticator again.



If you want to uninstall the Authenticator app, remove the 2FA permission set from Sia's user details first. Otherwise, you can't log in as Sia in future units.

Look Who’s Been Logging In to Your Org

An important part of an admin’s job is to know who’s logging in to your org. That’s what Identity Verification History is for.
  1. Log in as the system administrator of your your Trailhead Playground.
  2. From Setup, enter Verification in the Quick Find box, then select Identity Verification History.

Check out the Location column. It defaults to the user’s country, but you can get more detail by creating a custom view.

Identity verification history

Congratulations, administrator! You’ve set up 2FA and enabled a user to log in to Salesforce with it. We encourage you to explore other 2FA options for your users, such as U2F security keys that serve as a second factor and don’t require a mobile phone. Let’s learn more about how to get even more control over your login process in the next unit, “Customizing Your Login Process with My Domain.”