Secure Your Users' Identity
- Describe ways to identify your users in addition to a username and password.
- Set up two-factor authentication.
- Use the Salesforce Authenticator app to verify identity.
- Get login information about users who log in to your org.
Secure Identity with Two-Factor Authentication and Salesforce Authenticator
What Is Two-Factor Authentication?
What are the two factors?
- Something users know, like their password
- Something users have, such as a mobile device with an authenticator app installed
That second factor of authentication provides an extra layer of security for your org.
As an admin, you can require it every time your users log in. Or you can require it only in some circumstances, such as when users log in from an unrecognized device or try to access a high-risk application. After users successfully verify their identity with both authentication factors, they can access Salesforce and start working.
Sound cool? Let’s see how it works.
How Two-Factor Authentication Works
SPOILER ALERT: If you use the redesigned Salesforce Authenticator mobile app (version 2 or later), you can verify your identity without using codes. We’ll get to that exciting development in a bit.
Here’s a video explaining how you can use Salesforce Authenticator to secure your Salesforce org with two-factor authentication.
When Can Users Be Prompted for Two-Factor Authentication?
- Every time they log in to Salesforce, including API logins.
- When they access a connected app, dashboard, or report. This process is known as step-up or high-assurance authentication.
- During a custom login flow or within a custom app, for example, before reading a license agreement. More on this topic later in the trail.
Set Up Two-Factor Authentication for Every Login
To keep things simple, let’s set up two-factor authentication for a new Jedeye Technologies employee, Sia Thripio. In the real world, you can set up two-factor authentication (2FA) for existing users, new users, and by user profile. We start out by setting the proper session security level for 2FA, creating a Salesforce user for Sia, and then setting up 2FA.
Step 1: Set the session security level for two-factor authentication
First, let’s make sure that the right security level is associated with the two-factor authentication login method. It’s important to do this step before you set up a 2FA requirement for any admin users. Otherwise, you could prevent yourself or other admins from logging in.
- From Setup, enter Session Settings in the Quick Find box, then select Session Settings.
- Under Session Security Levels, make sure that two-factor authentication is in the High Assurance category.
Step 2: Create a user
- From Setup, enter Users in the Quick Find box, then select Users.
- Click New User.
- For the first name and last name, enter Sia and Thripio, respectively.
- Enter your email address in the Email field. This setting is to get user notifications for Sia.
- Create a username for Sia and enter it in the Username field. It must be in email address format, but it doesn’t have to be a working email address. Make sure the email address is unique in your Trailhead Playground. We’re going to use Sia's first initial, last name, and current date in the username like this: SThripio.firstname.lastname@example.org.
- Edit or accept the nickname value.
- For User License, select Salesforce Platform.
- For Profile, select Standard Platform User. While you’re here, deselect the options to receive Salesforce CRM content alerts. No need to clutter your inbox with unnecessary email from Salesforce.
- Make sure that Generate new password and notify user immediately is selected—it’s way down at the bottom of the page. Salesforce emails you about Sia’s new user because you entered your email address in the Email field.
- Click Save. Salesforce emails you a link to verify the user and set Sia’s password.
Note: If you get an error that the username exists, create a user with a different name.
- Log in as Sia, and reset the password.
After you set the password, create a permission set that you’ll assign to Sia’s user.
Step 3: Create a permission set for two-factor authentication
A permission set is a collection of settings and permissions that gives users access to various Salesforce features, including two-factor authentication. Typically, you create a permission set for a group of users. But for this example, we set one up just for Sia.
- If you’re logged in as Sia, log out. Log in again as the system administrator of your your Trailhead Playground.
- From Setup, enter Permission in the Quick Find box, then select Permission Sets.
- Click New.
- Label the permission “2fa Auth for User Logins”.
- Click Save.
- Under System, click System Permissions. Now you’re on the detail page for the 2fa Auth for User Logins permission set.
- Click Edit.
- Select Two-Factor Authentication for User Interface Logins.
- Click Save.
You’re almost there! You just need to assign the permission set.
Step 4: Assign the permission set to Sia’s user
If you’re not on the detail page for your new permission set, navigate back there.
- On the detail page of the new permission set, click Manage Assignments.
- Click Add Assignments. On the list of users, select the checkbox next to Sia’s user. (If you wanted, you could assign up to 1,000 users at a time.)
- Click Assign.
Great! You’ve set up two-factor authentication for Sia. When Sia logs in, she’s prompted to provide a second factor of authentication in addition to her username and password.
But what does Sia use as the second factor? She needs to get an app and connect it to her Salesforce user before she can log in.
Connect the Salesforce Authenticator Mobile App to a User
If users don’t download the app right away, it’s not a disaster. They’re prompted to do so when they log in for the first time after you set up the two-factor authentication requirement.
Let’s check out the app with our new employee, Sia Thripio. Get your Android or iOS mobile device and pretend it’s Sia’s phone. You’re going to download the Salesforce Authenticator app and connect it to Sia’s user.
Heads up that you’ll be jumping back and forth between two devices in the following steps. When you’re on your PHONE, you’re working as Sia in the Salesforce Authenticator app. When you’re on your DESKTOP, you’re logged in as Sia in your Trailhead Playground in a web browser.
- PHONE: Download and install Salesforce Authenticator for iOS from the App Store or Salesforce Authenticator for Android from Google Play.
- Tap the app icon to open Salesforce Authenticator.
- DESKTOP: If you’re still logged in to your Trailhead Playground as a system administrator, log out.
- DESKTOP: Use Sia’s username and password to log in.
- DESKTOP: Salesforce prompts you to connect Salesforce Authenticator to Sia’s user.
- PHONE: Page through the tour to learn how Salesforce Authenticator works.
- PHONE: Enter Sia’s (your) mobile number to create a backup of her accounts. Then tap the notification when prompted to complete the verification. You can skip creating a passcode for now. (Later on, Sia can create a passcode if she wants to set up a backup to restore her accounts.)
- Tap the arrow to add Sia’s user to Salesforce Authenticator. The app displays a two-word phrase. (Hey, did you get an especially poetic or amusing phrase? Let us know! #Trailhead #AwesomePhrase #SalesforceAuthenticator.)
- DESKTOP: Enter the phrase in the Two-Word Phrase field.
- DESKTOP: Click Connect.
- PHONE: Salesforce Authenticator shows you details about the user you’re connecting: Sia’s username and the name of the service provider—in this case, Salesforce.
- PHONE: Tap Connect.
- PHONE: Tap Approve to finish logging in to Salesforce as Sia.
- DESKTOP: Sia’s in! She can go about her business.
Now, whenever someone logs in to Sia’s user, she gets a notification on her phone. She opens the app and checks the activity details. If everything looks right, she just taps Approve on her phone. If she doesn’t recognize the activity, she taps Deny to block it.
Let's take a closer look at the data Salesforce Authenticator keeps track of.
- The action that Salesforce Authenticator is verifying. Other actions could show up here if you set up even tighter security. For example, you could require authentication when someone tries to access a record or dashboard. This process is called “step up” authentication.
- The user who’s trying to log in.
- The service the user is attempting to access. You can use Salesforce Authenticator with the LastPass password manager and other services that require stronger authentication.
- The device or browser that the login attempt is taking place on.
- Where the phone is located.
Automate the Authentication Process
Let’s try it out.
- DESKTOP: Log out of Sia’s user and then log in as Sia again.
- PHONE: At the prompt, select Always approve from this location.
- DESKTOP: Log out of Sia’s user and log in again. Voila! You’re not prompted for a password. Salesforce Authenticator recognizes that Sia’s logging in to her Salesforce account again using the same device and at the same location. Access granted automatically!
Any time Sia tries to log in from a different location, she can add the location to the Salesforce Authenticator list of trusted locations. To view the list and other account details, Sia selects the information icon which opens the accounts details page.
The account details page lists trusted locations and login activity history. Verified Activities shows how many times Salesforce Authenticator has verified Sia’s login to Salesforce. Automations shows how many times Salesforce Authenticator logged Sia in automatically from a trusted location.
What if Sia no longer trusts a location? Simple. She swipes left. She can clear all trusted locations at once by selecting and then Clear Trusted Locations.
Sometimes the automated verification doesn’t work, like when the data connection drops off. Not a problem. Sia just types in the code that Salesforce Authenticator displays.
Want to restrict users’ automated verifications to trusted IP addresses only, such as your corporate network? Or prevent them entirely? You can. When logged in as an admin, go to your org's Session Settings and change what’s allowed.
What Happens If Sia Loses Her Mobile Phone?
If Sia enabled account backups in her Salesforce Authenticator app, she’s in great shape. All she has to do is reinstall Salesforce Authenticator on her new phone. When she opens the app, she’ll see the option to restore her accounts from her backup. Sia enters the passcode she used when she backed up her accounts, and her accounts reappear on her phone.
What if Sia didn’t back up her accounts? Here’s what you can do to help.
- Log in as an administrator.
- From Setup, enter Users in the Quick Find box, then select Users.
- Click Sia’s name.
- On Sia’s user detail page, click Disconnect next to App Registration: Salesforce Authenticator.
The next time Sia logs in, if she doesn’t have another verification method connected, she’s prompted to connect Salesforce Authenticator again.
Look Who’s Been Logging In to Your Org
- Log in as the system administrator of your your Trailhead Playground.
- From Setup, enter Verification in the Quick Find box, then select Identity Verification History.
Check out the Location column. It defaults to the user’s country, but you can get more detail by creating a custom view.
Congratulations, administrator! You’ve set up 2FA and enabled a user to log in to Salesforce with it. We encourage you to explore other 2FA options for your users, such as U2F security keys that serve as a second factor and don’t require a mobile phone. Let’s learn more about how to get even more control over your login process in the next unit, “Customizing Your Login Process with My Domain.”
- Salesforce Help: Salesforce Authenticator
- Salesforce Help: Requirements for Salesforce Authenticator (Versions 2 and 3)
- Salesforce Help: Connect Salesforce Authenticator (Version 3 or Later) to Your Account for Identity Verification
- Salesforce Help: Verify Your Identity with a One-Time Password Generator App or Device
- Salesforce Help: Create a Login Flow
- Salesforce Help: Monitor Identity Verification History
- Salesforce Help: Back Up Your Connected Accounts in the Salesforce Authenticator Mobile App