Salesforce Security Guide
Summer '26 (API version 67.0)
Spring '26 (API version 66.0)
Winter '26 (API version 65.0)
Summer '25 (API version 64.0)
Spring '25 (API version 63.0)
Winter '25 (API version 62.0)
Summer '24 (API version 61.0)
Spring '24 (API version 60.0)
Winter '24 (API version 59.0)
Summer '23 (API version 58.0)
Spring '23 (API version 57.0)
Winter '23 (API version 56.0)
Summer '22 (API version 55.0)
Spring '22 (API version 54.0)
Winter '22 (API version 53.0)
Summer '21 (API version 52.0)
Spring '21 (API version 51.0)
Winter '21 (API version 50.0)
Summer '20 (API version 49.0)
Spring '20 (API version 48.0)
Winter '20 (API version 47.0)
Summer '19 (API version 46.0)
Spring '19 (API version 45.0)
Winter '19 (API version 44.0)
Summer '18 (API version 43.0)
Spring '18 (API version 42.0)
Winter '18 (API version 41.0)
Summer '17 (API version 40.0)
Spring '17 (API version 39.0)
Winter '17 (API version 38.0)
Summer '16 (API version 37.0)
Spring '16 (API version 36.0)
Winter '16 (API version 35.0)
Summer '15 (API version 34.0)
Spring '15 (API version 33.0)
Winter '15 (API version 32.0)
Spring '14 (API version 30.0)
Set Password Policies
Expire Passwords for All Users
Modify Session Security Settings
Define Identity Verification Settings for Your Orgs and Experience Cloud Sites
Require High-Assurance Session Security for Sensitive Operations
Set Up a Login Flow and Connect to Profiles
Login Flow Examples
Deploy Third-Party, SMS-Based Multi-Factor Authentication
Limit the Number of Concurrent Sessions with Login Flows
Connected Apps
Security Guidelines for Apex and Visualforce Development
API End-of-Life
Newer Version Available
Configure User Authentication
Choose login settings to ensure that your users are who they say they are.
-
Restrict Where and When Users Can Log In to Salesforce
You can restrict the hours during which users can log in and the range of IP addresses from which they can log in and access Salesforce. If IP address restrictions are defined for a user’s profile and a login originates from an unknown IP address, Salesforce does not allow the user to log in. These restrictions help protect your data from unauthorized access and phishing attacks. -
Set Password Policies
Improve your Salesforce org’s security with password protection. You can set password history, length, and complexity requirements. You can also specify what to do when a user forgets the password. -
Expire Passwords for All Users
As an admin, you can expire passwords for all users anytime you want to enforce extra security for your Salesforce org. After expiring passwords, all users are prompted to reset their password the next time they log in. -
Modify Session Security Settings
Use the Session Settings screen to configure session security. You can configure settings such as the session connection type, timeout restrictions, and IP address ranges to protect against malicious attacks. -
Define Identity Verification Settings for Your Orgs and Experience Cloud Sites
Define how and when users are prompted to verify their identity for an entire org or Experience Cloud site. For example, determine whether users can verify their identity through email, text messages, or certificates. -
Require High-Assurance Session Security for Sensitive Operations
To secure different setup areas in your org, require a high-assurance level of security for sensitive operations, such as accessing reports and managing IP addresses. You can also block users from accessing these setup areas. -
Custom Login Flows
A login flow directs users through a login process before they access your Salesforce org or Experience Cloud site. You can use a login flow to control the business processes that your users follow when they log in to Salesforce. After Salesforce authenticates a user, the login flow directs the user through a process, such as enforcing strong authentication or collecting user information. When users complete the login flow successfully, they’re redirected to their Salesforce org or site. If unsuccessful, the flow can log out users immediately. -
Set Up a Login Flow and Connect to Profiles
After you create a flow using Flow Builder or Visualforce, designate it as a login flow and associate it with user profiles. When users log in with an associated profile, they’re directed through the login flow. -
Login Flow Examples
You can use a login flow to customize the login experience and integrate business processes with Salesforce authentication. Common uses cases include collecting and updating user data at login, configuring multi-factor authentication, or integrating third-party strong authentication methods. -
Multi-Factor Authentication Customizations
Multi-factor authentication (MFA) is one of the easiest, most effective tools for enhancing login security, and safeguarding your business and data against security threats. As you roll out your Salesforce MFA implementation, you can customize it to meet your business needs. -
Deploy Third-Party, SMS-Based Multi-Factor Authentication
Multi-factor authentication (MFA) enhances security when validating a user’s identity and protects access to your Salesforce org. In addition to a password, SMS-based MFA requires the user to provide a one-time password (OTP) code received on a mobile device. -
Limit the Number of Concurrent Sessions with Login Flows
You can use a login flow to restrict the number of simultaneous Salesforce sessions per user.