Newer Version Available
Setting Login Restrictions
| Available in: All Editions |
To help protect your organization’s data against unauthorized access, you have several options for setting login and access restrictions.
- Login Hours
- For each profile, you can set the hours when users can log in. See:
- Two-Factor Authentication for User Interface Logins
- For each profile, you can require users to enter a time-based token as a second form of authentication when they log in via the user interface. See Set Two-Factor Authentication Login Requirements.
- Two-Factor Authentication for API Logins
- For each profile, you can allow the use of a time-based token to access the service instead of the standard security token. If users add a time-based token to their account and this permission is enabled, they must use this token instead of the standard security token whenever it’s requested, such as when resetting the account’s password. See Use Two-Factor Authentication for API Access.
- Login IP Address Ranges
- For Enterprise, Performance, Unlimited, Developer, and Database.com editions, you can set the Login
IP Range addresses from which users can log in on an individual profile. Users outside of
the Login IP Range set on a profile can’t access your Salesforce organization. See:
- Restricting Login IP Ranges in the Enhanced Profile User Interface
- Restrict Login IP Addresses in the Original Profile User Interface
For Contact Manager, Group, and Professional Editions, set the Login IP Range in Setup, .
- Login IP Address Range Enforcement for All Access Requests
- You can restrict all access to Salesforce to the IP addresses included in Login IP Ranges in users’ profiles. For example, suppose a user logs in successfully from an IP address defined in Login IP Ranges. The user then moves to a different location and has a new IP address that is outside of Login IP Ranges. When the user refreshes the browser or tries to access Salesforce, including access from a client application, the user is denied. To enable this option, in Setup, click and select Enforce login IP ranges on every request. This option affects all user profiles that have login IP restrictions.
- Organization-Wide Trusted IP Ranges
- For all users, you can set a list of IP address ranges from which they can always log in without receiving a login challenge. These users can log in to your organization once they provide the additional verification. See Set Trusted IP Ranges for Your Organization.
- Salesforce checks whether the user’s profile has login hour restrictions. If login hour restrictions are specified for the user’s profile, any login outside the specified hours is denied.
- If the user has the “Two-Factor Authentication for User Interface Logins” permission, Salesforce prompts the user for a time-based token (which the user may also be prompted to create if it hasn’t already been added to the account) upon logging in.
- If the user has the “Two-Factor Authentication for API Logins” permission and a time-based token has been added to the account, Salesforce returns an error if a time-based token is not used to access the service in place of the standard security token.
- Salesforce then checks whether the user’s profile has IP address restrictions. If IP address restrictions are defined for the user’s profile, any login from an undesignated IP address is denied, and any login from a specified IP address is allowed. If the Enforce login IP ranges on every request session setting is enabled, the IP address restrictions are enforced for each page request, including requests from client applications.
- If profile-based IP address restrictions are not set, Salesforce checks whether
the user is logging in from an IP address they have not used to access Salesforce before:
- If the user’s login is from a browser that includes a Salesforce cookie, the login is allowed. If the user previously used the browser to log in to Salesforce and has not cleared the browser cookies, the browser has the Salesforce cookie.
- If the user’s login is from an IP address in your organization’s trusted IP address list, the login is allowed.
- If the user’s login is not from a trusted IP address or a browser with a Salesforce cookie, the login is blocked.
- For access via the user interface, the user is prompted to enter a token (also called a verification code) to confirm the user’s identity.
- For access via the API or a client, users must
add their security token (or time-based token if Two-Factor Authentication on API Logins
is set on the user profile and the users have added a time-based token to their account)
to the end of their password to log in.
A security token is an automatically generated key from Salesforce. For example, if a user’s password is mypassword, and the security token is XXXXXXXXXX, the user must enter mypasswordXXXXXXXXXX to log in. Or, some client applications have a separate field for the security token.
Users can obtain their security token by changing their password or resetting their security token via the Salesforce user interface. When a user changes their password or resets their security token, Salesforce sends a new security token to the email address on the user’s Salesforce record. The security token is valid until a user resets their security token, changes their password, or has their password reset.
Tips on Setting Login Restrictions
- When a user’s password is changed, the security token is reset. A blocked login can occur until the user adds the automatically generated security token to the end of the password when logging in to Salesforce via the API or a client.
- Partner Portal and Customer Portal users aren’t required to activate computers to log in.
- For more information on API login faults, see the Core Data Types Used in API Calls topic in the SOAP API Developer's Guide.
- If single sign-on is enabled for your organization, API and desktop client users can log in to Salesforce unless their profile has IP address restrictions set, and they try to log in from outside of the range defined for that profile. Furthermore, the single sign-on authority usually handles login lockout policies for users with the “Is Single Sign-On Enabled” permission. However, if the security token is enabled for your organization, then your organization’s login lockout settings determine the number of times a user can attempt to log in with an invalid security token before being locked out of Salesforce.
- These events count toward the number of times a user can attempt
to log in with an invalid password before being locked out of Salesforce, as defined
in your organization’s login lockout settings:
- Each time users are prompted to confirm their identity (when a user clicks Email me a verification code, for example)
- Each time users incorrectly add the security token or time-based token to the end of their password to log in to the API or a client