Newer Version Available

This content describes an older version of this product. View Latest

Salesforce Two-Factor Authentication

Salesforce admins can enhance security by requiring a second level of authentication on every login, called “two-factor authentication” (2FA). You can also require two-factor authentication when a user meets certain criteria, such as attempting to view reports or logging in from an unrecognized IP address.
Available in: Both Salesforce Classic and Lightning Experience
Available in: Enterprise, Performance, Unlimited, Developer, and Database.com Editions

Basic Identity Confirmation

When a user logs in, Salesforce considers the user’s geographic location and browser. If they’re not recognized, Salesforce prompts the user to verify their identity using the highest-priority verification method available for that user. The following is the order of priority for verification methods.
  1. Verification code generated by a mobile authenticator app connected to the user’s account
  2. Verification code sent via SMS to the user’s verified mobile device
  3. Verification code sent via email to the user’s email address
The user enters the code as a secondary verification of their identity. After verification, the user doesn’t need to provide this information again, unless they log in from a browser or location that isn’t verified by Salesforce.

How Two-Factor Authentication Works

For stronger identity verification, you can require a second level of authentication on every login, or every login through the API (for developers and client applications), or for access to specific features. Two-factor authentication leverages an authentication service, such as the Salesforce Authenticator app, the Google Authenticator app, or another supported authentication service. The service provides a code, called the “time-based one-time password” (TOTP) or “time-based token,” which users specify (in addition to their password) when they log in.

Admins enable two-factor authentication through permissions. Users add the authenticator service’s one-time password generator app or device through their own personal settings.

Configuring Two-Factor Authentication

Salesforce admins customize the circumstances that prompt users for a second factor of authentication in the following ways.

Users have to connect an authenticator app, which generates the verification code, to their Salesforce accounts. For more information, see Connect a One-Time Password Generator App or Device.