Newer Version Available
Salesforce Two-Factor Authentication
| Available in: Both Salesforce Classic and Lightning Experience |
| Available in: Enterprise, Performance, Unlimited, Developer, and Database.com Editions |
Basic Identity Confirmation
- Verification code generated by a mobile authenticator app connected to the user’s account
- Verification code sent via SMS to the user’s verified mobile device
- Verification code sent via email to the user’s email address
How Two-Factor Authentication Works
For stronger identity verification, you can require a second level of authentication on every login, or every login through the API (for developers and client applications), or for access to specific features. Two-factor authentication leverages an authentication service, such as the Salesforce Authenticator app, the Google Authenticator app, or another supported authentication service. The service provides a code, called the “time-based one-time password” (TOTP) or “time-based token,” which users specify (in addition to their password) when they log in.
Admins enable two-factor authentication through permissions. Users add the authenticator service’s one-time password generator app or device through their own personal settings.
Configuring Two-Factor Authentication
- Require it for every login. Set the two-factor login requirement for every time
the user logs in to Salesforce.
You can also enable this feature for API logins, which includes the use of client
applications like the Data Loader. For more information, see Set Two-Factor Authentication Login Requirements or Set Two-Factor Authentication Requirements for API Access.
Walk Through It: Secure Logins with a Unique Code (Two-Factor Authentication)
- Use “stepped up” authentication (also known as “high assurance” authentication). Sometimes you don’t need two-factor authentication for every user’s login, but you want to secure certain resources. If the user tries to use a connected app or access reports, then Salesforce prompts the user to enter a verification code. For more information, see Session Security Levels.
- Use login flows. Login flows leverage the Flow Designer and profiles so you can build post-authentication requirements as the user logs in, including custom two-factor authentication processes. For more information, see the following examples.
Users have to connect an authenticator app, which generates the verification code, to their Salesforce accounts. For more information, see Connect a One-Time Password Generator App or Device.