Newer Version Available

This content describes an older version of this product. View Latest

Restrict Where and When Users Can Log In to Salesforce

You can restrict the hours during which users can log in and the range of IP addresses they can log in and access Salesforce from. If IP address restrictions are defined for a user’s profile and a login originates from an unknown IP address, Salesforce does not allow the login. These restrictions help protect your data from unauthorized access and phishing attacks.

Two-Factor Authentication for User Interface Logins

For each profile, you can require users to use a second form of authentication when they log in via the user interface. See Set Two-Factor Authentication Login Requirements and Set Two-Factor Authentication Login Requirements for Single Sign-On, Social Sign-On, and Communities.

Two-Factor Authentication for API Logins

For each profile, you can require a verification code (also called a time-based one-time password, or TOTP) instead of the standard security token. Users connect an authenticator app that generates verification codes to their account. Users with the “Two-Factor Authentication for API Logins” permission use a code instead of the standard security token whenever it’s requested, such as when resetting the account’s password. See Set Two-Factor Authentication Login Requirements for API Access.

Login IP Address Ranges

For Enterprise, Performance, Unlimited, Developer, and Database.com editions, you can set the Login IP Range addresses from which users can log in on an individual profile. Users outside of the Login IP Range set on a profile can’t access your Salesforce organization.

For Contact Manager, Group, and Professional Editions, set the Login IP Range. From Setup, enter Session Settings in the Quick Find box, then select Session Settings.

Login IP Address Range Enforcement for All Access Requests

You can restrict all access to Salesforce to the IP addresses included in Login IP Ranges in users’ profiles. For example, suppose a user logs in successfully from an IP address defined in Login IP Ranges. The user then moves to a different location and has a new IP address that is outside of Login IP Ranges. When the user refreshes the browser or tries to access Salesforce, including access from a client application, the user is denied. To enable this option, from Setup, enter Session Settings in the Quick Find box, select Session Settings, and then select Enforce login IP ranges on every request. This option affects all user profiles that have login IP restrictions.

Org-wide Trusted IP Ranges

For all users, you can set a list of IP address ranges from which they can always log in without receiving a login challenge. These users can log in to your org after they provide the additional verification. See Set Trusted IP Ranges for Your Organization.

When users log in to Salesforce via the user interface, the API, or a desktop client such as Salesforce for Outlook, Connect Offline, Connect for Office, or the Data Loader, Salesforce confirms that the login is authorized as follows.
  1. Salesforce checks whether the user’s profile has login hour restrictions. If login hour restrictions are specified for the user’s profile, any login outside the specified hours is denied.
  2. If the user has the “Two-Factor Authentication for User Interface Logins” permission, Salesforce prompts the user for a second form of authentication upon logging in. If the user’s account isn’t already connected to a mobile authenticator app such as Salesforce Authenticator, Salesforce first prompts the user to connect the app.
  3. If the user has the “Two-Factor Authentication for API Logins” permission and has connected an authenticator app to the account, Salesforce returns an error if the user uses the standard security token. The user has to enter a verification code (time-based one-time password) generated by the authenticator app instead.
  4. Salesforce then checks whether the user’s profile has IP address restrictions. If IP address restrictions are defined for the user’s profile, logins from an undesignated IP address are denied, and logins from a specified IP address are allowed. If the Enforce login IP ranges on every request session setting is enabled, the IP address restrictions are enforced for each page request, including requests from client applications.
  5. If profile-based IP address restrictions are not set, Salesforce checks whether the user is logging in from a device used to access Salesforce before.
    • If the user’s login is from a device and browser that Salesforce recognizes, the login is allowed.
    • If the user’s login is from an IP address in your organization’s trusted IP address list, the login is allowed.
    • If the user’s login is not from a trusted IP address or a device and browser Salesforce recognizes, the login is blocked.
Whenever a login is blocked or returns an API login fault, Salesforce has to verify the user’s identity:
  • For access via the user interface, the user is prompted to verify using Salesforce Authenticator (version 2 or later), or to enter a verification code.

    Users aren’t asked for a verification code the first time they log in to Salesforce.

    Note

  • For access via the API or a client, users must add their security token to the end of their password to log in. Or, if “Two-Factor Authentication on API Logins” is set on the user profile, users enter a verification code generated by an authenticator app.

    A security token is an automatically generated key from Salesforce. For example, if a user’s password is mypassword, and the security token is XXXXXXXXXX, the user must enter mypasswordXXXXXXXXXX to log in. Or some client applications have a separate field for the security token.

    Users can obtain their security token by changing their password or resetting their security token via the Salesforce user interface. When a user changes a password or resets a security token, Salesforce sends a new security token to the email address on the user’s Salesforce record. The security token is valid until the user resets the security token, changes a password, or has a password reset.

    Before you access Salesforce from a new IP address, we recommend that you get your security token from a trusted network using Reset My Security Token.

    Tip

Tips on Setting Login Restrictions

Consider the following when setting login restrictions:
  • When a user’s password is changed, the security token is reset. Login via the API or a client can be blocked until the user adds the automatically generated security token to the end of the password.
  • Partner Portal and Customer Portal users aren’t required to activate their browser to log in.
  • For more information on API login faults, see the Core Data Types Used in API Calls topic in the SOAP API Developer's Guide.
  • If single sign-on is enabled for your org, API and desktop client users can log in to Salesforce unless their profile has IP address restrictions set, and they try to log in from outside of the range defined. Furthermore, the single sign-on authority usually handles login lockout policies for users with the “Is Single Sign-On Enabled” permission. However, if the security token is enabled for your org, then your org’s login lockout settings determine how many times users can attempt to log in with an invalid security token before being locked out of Salesforce.
  • These events count toward the number of times users can attempt to log in with an invalid password before being locked out of Salesforce, as defined in your org’s login lockout settings:
    • Each time users are prompted to verify identity
    • Each time users incorrectly add the security token or verification code to the end of their password to log in to Salesforcevia the API or a client