Protect the identity of users Salesforce

Learning objectives

After completing this module, you will be able to:

  • Set up multi-factor authentication for your users.
  • Use the Salesforce Authenticator app for MFA logins.
  • Get login information from users who log into your organization.

Protect access to accounts with multi-factor authentication and Salesforce Authenticator

As an administrator, you will walk a fine line between ensuring that your Salesforce org is protected and allowing your users to sign in quickly and easily. The most effective way to protect your organization and its data is by requiring users to provide more than just their username and password. Security experts call this multi-factor authentication, or MFA for short.


To complete the tasks of this unit, you need an Android or iOS mobile device.

What is multi-factor authentication?

It looks like a mathematical equation, right? Regardless of whether mathematics fascinates or terrifies you, you should know that MFA has nothing to do with the algebra you studied back in the day. This authentication is closely related to ensuring that users are who they say they are.

By the way, you may be more familiar with the terms of two-factor or 2FA authentication. Do not worry! Although 2FA is a subset of MFA, we are actually talking about the same thing.

So what exactly are multiple factors? These are different types of evidence that users provide when they log in to confirm their identities.

  • A factor is something that users know. For Salesforce logins, this is a combination of username and password.
  • Other factors are verification methods that a user has in their possession, such as a mobile device with an authentication app installed or a physical security key.

2FA algo que sabe y algo que tiene

You may not know what it’s called, but you’ve probably used multi-factor authentication already. Every time you get money from an ATM, you use something you have (your bank card) plus something you know (your PIN).

Requiring another factor in addition to a username and password adds an important additional layer of security for your organization. Even if a user’s password is lost, it is highly unlikely that an attacker will be able to guess or spoof a factor that a user physically possesses.

Isn’t that an excellent idea? Let’s see how it works.

How multi-factor authentication works

MFA adds an additional step to your Salesforce login process.

  1. A user enters their username and password as normal.
  2. The user is then prompted to provide one of the verification methods that Salesforce supports.

You can allow any or all of these verification methods:

Salesforce AuthenticatorA free mobile app that seamlessly integrates into your login process. Users can quickly verify their identities through push notifications. We’ll talk more about this app shortly.
External TOTP Authentication AppsApps that generate temporary verification codes that users enter when prompted. This code is sometimes called a time-based concurrent password, or TOTP for short. Users can choose from a variety of options, including Google Authenticator, Microsoft Authenticator, or Authy.
Security keysSmall physical tokens that hold the appearance of a USB key. Logging in with this option is quick and easy: users simply connect the key to their computers and press the button on the key to verify their identities. Users can use any security key that is compatible with the FIDO Universal Second Factor U2F standards, such as Yubico’s YubiKey or Google’s Titan Key.

When are users prompted for multi-factor authentication?

When you enable MFA, users are required to provide multiple factors each time they log in. You can set this requirement for UI logins, API logins, or both.

To increase security even more, you can add an MFA requirement for additional circumstances:

  • When users access an application, dashboard or report. This process is called high-security or top-level authentication.
  • During a custom login flow or in a custom application (for example, before reading a license agreement). You will get more information on this later in the path.

Enable multi-factor authentication for each login

Now that you’ve mastered the basics of multi-factor authentication, let’s see how easy it is to set up an MFA requirement for your users.
Here’s a video showing how to enable MFA and set up Salesforce Authenticator as a second factor for MFA logins.

Now let’s go through an example of your own. Suppose you are a Salesforce administrator for Jedeye Technologies, a not company located in a distant galaxy. Your Chief Security Officer has given you a mission: to get every employee to provide more than just their username and password every time they log into the company’s Salesforce org.

Start from the bottom by activating MFA for a new Jedeye Technologies employee, Sia Thripio. You can use Sia’s feedback on her experience to make sure she has it covered when she takes action with the rest of Jedeye’s employees. Start by making sure the session security level is set for MFA and then create a Salesforce user for Sia and enable MFA for her account.

Step 1: Verify that the session security level is set for the multi-factor authentication

First, let’s make sure the correct security level is associated with the multi-factor authentication sign-in method. In most production organizations, this setting is already in effect. But if not, it is important to complete this step before setting up an MFA requirement for any admin user. Otherwise, you can prevent both you and other administrators from logging in.

  1. Under Settings, enter Session Settings in the Quick Find box, then select Session Settings .
  2. Under Session Security Levels, make sure that Multi-Factor Authentication is in the High Security category.

Step 2: Create a user

  1. In Settings, enter Users in the Quick Find box, then select Users .
  2. Click New User .
  3. For first and last name, enter Sia and Thripio respectively.
  4. Enter your email address in the field E-mail. This option is used to get user notifications for Sia.
  5. Create a username for Sia and enter it in the Username field. It should be in the email address format, but it does not have to be a working email address. Make sure the email address is unique to your Trailhead Playground. We are going to use Sia’s first initial, last name and current date in the username like this:
  6. Modify or accept the nickname value.
  7. For User License, select Salesforce Platform .
  8. For Profile, select Standard Platform User . From here, deselect the options to receive Salesforce CRM content alerts. There is no need to fill the inbox with unnecessary email from Salesforce.
  9. Make sure Generate new password and notify user immediately is selected at the bottom of the page . Salesforce sends you an email about the new Sia user, as they have entered their email address in the Email field.
  10. Click Save . Salesforce sends you an email with a link to verify the user and set the Sia password.
    Note : If you get an error that the username already exists, create a user with a different name.
  11. Login as Sia and reset the password.

After setting the password, it is time to activate MFA for the Sia user account.

Step 3: Create a permission set for multi-factor authentication

Enable MFA for users by assigning user permission Multi-factor authentication for user interface logins . You can perform this step by modifying profiles or by creating a permission set that you assign to specific users.

A permission set is a collection of settings and permissions that gives users access to various Salesforce features. Let’s create a permission set with the MFA permission.

  1. If you are logged in as Sia, please log out. Log in again as the system administrator for your Trailhead Playground organization.
  2. Under Settings, enter Permission in the Quick Find box, then select Permission Sets.
  3. Click New.
  4. Label the permission set “MFA Authorization for User Logins.”
  5. Click Save.
  6. Under System, click System Permissions.

You are now on the details page for the MFA Authorization for User Logins permission set.

Click Modify.

Select Multi-factor authentication on user interface logins.

Click Save and then click Save again to confirm the permission changes.

It’s almost done. You just need to assign the permission set.

Step 4: Assign the permission set to the Sia user

For now we will assign the permission set only to Sia. Later, when you’re ready to implement MFA more broadly, you can assign the same set of permissions to other users.

If you are not on the details page for the new permission set, please return to this location.

  1. On the details page of the new permission set, clickManage Assignments .
  2. Click Add Assignments >. In the list of users, select the check box next to the Sia user. (If you want, you can assign up to 1000 users at a time.)
  3. Click Assign .

Great! Activated multi-factor authentication for Sia. The next time Sia logs in, she will be asked to provide a verification method as a second factor, in addition to her username and password.

How does Sia establish a verification method? Let’s see it next.

How Salesforce Authenticator users register for MFA logins

As in the case of an unannounced visit to a city in the clouds, it is a bad idea to require multi-factor authentication without helping users obtain at least one verification method. You probably won’t be frozen or held prisoner, but you may get countless calls when you least want to, like when you’re watching an animated adventure movie. Luckily, Salesforce makes it easy for you to help users. Just ask them to download an authentication app on their mobile devices and connect it to their Salesforce accounts.

No disaster will happen if users don’t download an app right away. They will be asked to register a verification method when they first log in after activating the MFA requirement.

Sia Thripio, our new employee, wants to use the Salesforce Authenticator mobile app so that she can take advantage of the cool push notification feature for quick authentication. Let’s see how the registration and login process works. Use your Android or iOS mobile device as if it were Sia’s phone. You are downloading the Salesforce Authenticator app and connecting it to Sia’s Salesforce account.

Please note that you will have to switch between two devices in the following steps. On her PHONE, she works as Sia in the Salesforce Authenticator app. At her DESKTOP, log in as Sia to her Trailhead Playground in a browser.

  1. PHONE: Download and install Salesforce Authenticator for iOS from the App Store or Salesforce Authenticator for Android from Google Play.
  2. Tap the application icon to open Salesforce Authenticator.
  3. DESKTOP: If logging into your Trailhead Playground as a system administrator is still active, log out.
  4. DESKTOP: Use the Sia’s username and password to log in.Pantalla de inicio de sesión en escritorio de Salesforce

5.- DESKTOP: Salesforce prompts you to connect Salesforce Authenticator to Sia’s account.
6.- PHONE: Take a look at the app tour to see how Salesforce Authenticator works.
7.- PHONE: Enter Sia’s (yours) cell phone number to back up the accounts that are connected to Salesforce Authenticator. Then tap on the notification when prompted to complete verification. You can skip creating an approval code for now. (Later Sia can create an approval code if she wants to set up a backup to restore her accounts.)
8.- Tap the arrow to add the Sia account to Salesforce Authenticator. The application displays a two-word phrase. (Can you think of any particularly poetic or witty phrase? Tell us what it is! #Trailhead #FraseFormidable #SalesforceAuthenticator.)
9.- DESKTOP: Enter the phrase in the Two-word phrase field.Frase de dos palabras de Salesforce Authenticator

10.- DESKTOP: Click Connect.

11.- PHONE: Salesforce Authenticator displays the details about Sia’s account: her username and the name of the service provider (in this case, Salesforce).

Cuenta de conexión de Salesforce Authenticator

12.- PHONE: Touch Connect .

13.- DESKTOP: Sia is logged into her Salesforce account! You can start working now.

Now whenever Sia logs into her Salesforce account, she’ll get a notification on her phone. You’ll open Salesforce Authenticator and check the details of the activity. If everything looks fine, you will tap Approve and finish logging in.

What will happen if someone else tries to log in with Sia’s username and password? She guessed it – she’ll get a notification about it too, and can instruct Salesforce Authenticator to deny the login request. Phew!

Let’s take a closer look at the data that Salesforce Authenticator tracks.

  1. The action that Salesforce Authenticator is verifying. Other actions can be shown here if you configure even more stringent security. For example, you can require authentication when someone tries to access a record or dashboard. This process is called “top-level” authentication.
  2. The user who is trying to log in.
  3. The service the user is trying to access. In addition to Salesforce, you can use Salesforce Authenticator with the LastPass password manager and other services that require more secure authentication.
  4. The device or browser from which you are trying to log in.
  5. Phone location.
Puntos de datos de Salesforce Authenticator

Automate the authentication process

Suppose Sia regularly logs in from the same location, such as from the office, her home, or her favorite dimly lit coffee shop. Tapping Approve on her phone could turn out to be a tedious task. If you allow Salesforce Authenticator to use location services from your phone, you can instruct the app to automatically verify your activities when you are in a specific location. That is, if everything is normal, you will not need to take the phone out of your pocket. Salesforce Authenticator can handle the MFA requirement for it automatically!

Let’s try it.

  1. DESKTOP: Log out of Sia’s account and log back in as Sia.
  2. PHONE: When prompted, select Always approve from this location >.
  3. DESKTOP: Log out of Sia’s account and log in again. Voilà! You are not prompted for a password. Salesforce Authenticator recognizes Sia’s login to her Salesforce account again with the same device and in the same location. Access is granted automatically.

Whenever Sia tries to sign in from another location, she can add that location to the Salesforce Authenticator list of trusted locations. To view this list and other account details, Sia selects the information icon that opens the account details page.

Información de cuenta de Salesforce Authenticator

Trusted locations and log-in activity history are listed on the account details page. Verified Activities shows the number of times Salesforce Authenticator has verified Sia’s login to Salesforce. Automations shows the number of times Salesforce has automatically signed in to Sia from a trusted location.

Detalles de cuenta de Salesforce Authenticator

What happens if Sia stops trusting a location? Easy. Swipe left. You can then delete all trusted locations at once by selecting Icono de configuración de Salesforce Authenticator and then Delete Trusted Locations.

Sometimes an automated verification might not work, such as when the data connection is interrupted. This is not a problem. Sia just has to write the TOTP code that Salesforce Authenticator displays.

Want to restrict automated user verifications to trusted IP addresses only, such as a corporate network? Or do you want to avoid them altogether? Can do it. When you log in as an administrator, go to Session Settings in your organization and change what is allowed.

Configuración de la sesión que controla verificaciones automatizadas basadas en ubicación

What happens if Sia loses her cell phone?

Good question. As you know, users have accidents or end up trapped on deserted planets and lose their phones. Everything happens at the same time. If Sia loses her phone, she gets a new one, or accidentally deletes Salesforce Authenticator, she has a few options. Sia can restore her accounts from the backup she made earlier, or she can disconnect her account from Salesforce Authenticator and then re-register the app.

If Sia has enabled account backups in her Salesforce Authenticator app, she’s in fine form. All you have to do is reinstall Salesforce Authenticator on your new phone. When you open the app, she will see the option to restore her accounts from your backup. Sia enters the password she used when she backed up her accounts and her accounts reappear on her phone.

What happens if Sia doesn’t back up her accounts? Here’s what she can do to help.

  1. Log in as an administrator.
  2. Under Settings, enter Users in the Quick Find box, then select Users .
  3. Click Sia’s name.
  4. On Sia’s user details page, click Disconnect next to Application Registration: Salesforce Authenticator.

The next time Sia logs in, if she doesn’t have another verification method connected, she is prompted to reconnect Salesforce Authenticator.


If you want to uninstall the Salesforce Authenticator app, remove the MFA permission set from Sia’s user details first. Otherwise, you cannot log in as Sia on future drives.

Monitor who logs into your organization

An important part of an administrator’s job is knowing who is logging on to the organization. The identity verification history is used for this.

  1. Log in as a system administrator for your Trailhead Playground organization.
  2. Under Settings, enter Verification in the Quick Find box, then select Identity Verification History .

Check the Location column. It is set by default to the user’s country, but you can get more detailed information by creating a custom view.

Congratulations, administrator! You saw how easy it is to activate MFA for your users. We urge you to explore options for your MFA implementation, such as activating U2F compliant security keys as an alternative verification method. Security keys are an excellent option if users do not have a mobile device or cell phones are not allowed on the premises. Let’s now learn how to further increase control over the login process in the next unit “Customize the login process with My Domain”.