Salesforce Security Guide
Summer '26 (API version 67.0)
Spring '26 (API version 66.0)
Winter '26 (API version 65.0)
Summer '25 (API version 64.0)
Spring '25 (API version 63.0)
Winter '25 (API version 62.0)
Summer '24 (API version 61.0)
Spring '24 (API version 60.0)
Winter '24 (API version 59.0)
Summer '23 (API version 58.0)
Spring '23 (API version 57.0)
Winter '23 (API version 56.0)
Summer '22 (API version 55.0)
Spring '22 (API version 54.0)
Winter '22 (API version 53.0)
Summer '21 (API version 52.0)
Spring '21 (API version 51.0)
Winter '21 (API version 50.0)
Summer '20 (API version 49.0)
Spring '20 (API version 48.0)
Winter '20 (API version 47.0)
Summer '19 (API version 46.0)
Spring '19 (API version 45.0)
Winter '19 (API version 44.0)
Summer '18 (API version 43.0)
Spring '18 (API version 42.0)
Winter '18 (API version 41.0)
Summer '17 (API version 40.0)
Spring '17 (API version 39.0)
Winter '17 (API version 38.0)
Summer '16 (API version 37.0)
Spring '16 (API version 36.0)
Winter '16 (API version 35.0)
Summer '15 (API version 34.0)
Spring '15 (API version 33.0)
Winter '15 (API version 32.0)
Spring '14 (API version 30.0)
Set Password Policies
Expire Passwords for All Users
Modify Session Security Settings
Configure When Users Are Prompted to Verify Identity
Require High-Assurance Session Security for Sensitive Operations
Set Up a Login Flow and Connect to Profiles
Login Flow Examples
Deploy Third-Party, SMS-Based Two-Factor Authentication
Limit the Number of Concurrent Sessions with Login Flows
Security Guidelines for Apex and Visualforce Development
Newer Version Available
Configure User Authentication
Choose login settings to ensure that your users are who they say they are.
-
Restrict Where and When Users Can Log In to Salesforce
You can restrict the hours during which users can log in and the range of IP addresses from which they can log in and access Salesforce. If IP address restrictions are defined for a user’s profile and a login originates from an unknown IP address, Salesforce does not allow the user to log in. These restrictions help protect your data from unauthorized access and phishing attacks. -
Set Password Policies
Improve your Salesforce org security with password protection. You can set password history, length, and complexity requirements. You can also specify what to do when a user forgets the password. -
Expire Passwords for All Users
As an administrator, you can expire passwords for all users any time you want to enforce extra security for your organization. After expiring passwords, all users are prompted to reset their password the next time they log in. -
Modify Session Security Settings
You can change the session connection type, timeout restrictions, and IP address ranges to protect against malicious attacks and more. -
Configure When Users Are Prompted to Verify Identity
You can control how and when users are prompted to verify their identity. -
Require High-Assurance Session Security for Sensitive Operations
To secure different setup areas in your org, require a high-assurance level of security for sensitive operations, like accessing reports and managing IP addresses. You can also block users from accessing these setup areas. -
Create a Login Flow
A login flow directs users through a login process before they access your Salesforce org or community. You can use a login flow to control the business processes that your users follow when they log in to Salesforce. After Salesforce authenticates a user, the login flow directs the user through a process, such as enforcing strong authentication or collecting user information. When users complete the login flow successfully, they are redirected to their Salesforce org or community. If unsuccessful, the flow can log out users immediately. -
Set Up a Login Flow and Connect to Profiles
After you create a flow using Flow Builder or Visualforce, you designate it as a login flow and then associate it with user profiles. When users with an associated profile log in, they’re directed to the login flow. -
Login Flow Examples
You can use a login flow to customize the login experience and integrate business processes with Salesforce authentication. Common uses cases include collecting and updating user data at login, configuring two-factor authentication, or integrating third-party strong authentication methods. -
Set Up Two-Factor Authentication
Two-factor authentication is the most effective way to protect your org’s user accounts. When two-factor authentication is enabled, users are required to log in with two pieces of information, such as a username and a one-time password (OTP). Admins enable two-factor authentication through permissions or profile settings. Users register for two-factor authentication through their own personal settings. They can use an OTP generator app, such as Salesforce Authenticator or Google Authenticator. Or they can use hardware devices, such as U2F security keys. -
Deploy Third-Party, SMS-Based Two-Factor Authentication
Two-factor authentication (2FA) enhances security when validating a user’s identity and protects access to your Salesforce org. In addition to a password, SMS-based 2FA requires the user to provide a one-time password (OTP) code received on a mobile device. -
Limit the Number of Concurrent Sessions with Login Flows
You can use a login flow to restrict the number of simultaneous Salesforce sessions per user.