Newer Version Available
Define Identity Verification Settings for Your Orgs and Experience Cloud Sites
| Available in: all editions |
| User Permissions Needed | |
|---|---|
| To modify identity verification settings: | Customize Application |
These identity verification settings are also available on the Session Settings page. You can change the settings in either location. In addition to these settings, you can send async email verifications to ensure that users are registered with a valid email address. See Verify Email Addresses with Async Email
- In Setup, enter Identity in the Quick Find box, and then click Identity Verification.
-
Customize the identity verification settings, and then click
Save.
Field Description Let users verify their identity by text (SMS) Allows users to receive an identity verification code in a text message. Users must verify their phone number before they can receive identity verification codes by text. This setting is enabled by default for all orgs. A verification code is valid for 24 hours. If the code isn’t used during that time, you can generate a new verification code by reinitializing initSelfRegistration. To disable SMS as a method of verification, contact Salesforce support. The email method of identity verification can't be disabled.
Prevent identity verification by email when other methods are registered Allows users to get verification codes by email only if no other identity method has been verified. Other verification methods include Salesforce Authenticator, SMS, time-based one-time password (TOTP), and physical key (U2F). This setting is enabled by default for all orgs. A verification code is valid for 24 hours. If the code isn’t used during that time, you can generate a new verification code by reinitializing initSelfRegistration. Require security tokens for API logins from callouts (API version 31.0 and earlier) Requires the use of security tokens for API logins from callouts in API version 31.0 and earlier. Examples are Apex callouts or callouts using the AJAX proxy. In API version 32.0 and later, security tokens are required by default. Let users verify their identity with a physical security key (U2F) Permits the use of a U2F security key for multi-factor authentication (MFA) and identity verification. Instead of using Salesforce Authenticator, one-time passwords generated by an authenticator app, or one-time passwords sent by email or SMS, users insert their registered U2F security key into the appropriate port to complete verification. Let users authenticate with a certificate Enables certificate-based authentication to use PEM-encoded X.509 digital certificates to authenticate individual users to your org. Require identity verification during multi-factor authentication (MFA) registration Requires users to confirm their identities before adding an MFA verification method, such as Salesforce Authenticator, instead of requiring a relogin as before. Require identity verification for email changes Requires users to log in again and confirm their identity before their email address change takes effect. Users verify their identity using a registered verification method, such as Salesforce Authenticator, SMS, or email.
Require email confirmations for email address changes (applies to external users in Experience Builder sites) Requires Experience Cloud site users to confirm that they own the new email address. When users change their own email address, they receive an email at both their old and new email addresses with a link. After they click the link, their new email address takes effect. If an admin changes a site user's email address, the site user doesn't receive an email confirmation. Email confirmations are enabled by default for orgs created in Winter ’20 and later. For orgs created before Winter ’20, Salesforce recommends that you enable this option as a security precaution. This option doesn’t apply to employees. Let Salesforce Authenticator automatically verify identities using geolocation Allows Salesforce Authenticator to use the phone's location services to verify a user's identity. If users approve the location, they aren't prompted for their identity when at that location. If the location isn't approved, or if users are outside the trusted location, they're prompted to verify their identity. Let Salesforce Authenticator automatically verify identities based on trusted IP addresses only Allows Salesforce Authenticator to use trusted IP ranges to verify a user’s identity. When users are located within trusted IP address ranges, they aren't prompted to verify their identity. If users are outside the trusted IP address range, they're prompted to verify their identity. Prevent login from mobile user devices with revoked status Prevents a user with a revoked UserDevice from logging in from a Salesforce app. Logins from browsers aren’t affected.