2FA Login requirements and Custom Policies for Single Sign-On, Social Sign-On and Communities
2FA can be applied to all Salesforce user interface authentication methods, including username and password, delegated authentication, SAML SSO, and Social Sign-On through an Auth Provider, for users in both Salesforce orgs and Communities.
To require 2FA for users assigned to a particular profile, set the profile's Session Security Level Required at Login setting to High Assurance.
Users with mobile devices can use the Salesforce Authenticator app or another authenticator app for 2FA. Internal users connect the app to their account from the Advanced User Details page in their personal settings.
Users can use registered U2F security keys for 2FA.
Community members whose profile requires High Assurance are prompted to connect an authenticator app during login. When 2FA is enabled for a community, admins can't use the Login As feature to access that community.
The High Assurance profile requirement applies only to user interface logins; OAuth token exchanges aren't subject to it. OAuth refresh tokens obtained before the High Assurance requirement was set for a profile can still be exchanged for valid API access tokens, even though they were originally obtained with a standard-assurance session. To force users to establish a high-assurance session before an external application can access the API, first revoke the existing OAuth tokens for users with that profile, then set the High Assurance requirement on the profile. Users then have to log in with two-factor authentication and reauthorize the application.
2FA Login Requirements for API Access
Salesforce admins can assign the Two-Factor Authentication for API Logins permission to require a second authentication challenge for API access to Salesforce. API access includes applications such as the Data Loader and the developer tools used to customize an org or build client applications.
The Two-Factor Authentication for User Interface Logins permission is a prerequisite for the Two-Factor Authentication for API Logins permission.
2FA Verification methods
2FA is available to all Salesforce customers. Salesforce supports several verification methods for two-factor authentication; they are described below.
Salesforce Authenticator is a mobile app that serves as the second factor for two-factor authentication in a Salesforce org. 2FA increases the security of a Salesforce deployment, and the app keeps the verification step simple for end users.
You can download and install the Salesforce Authenticator mobile app from Google Play or the App Store to supported Android and iOS devices.
The Salesforce Authenticator mobile app is supported on various mobile platforms, with some device, operating system, and mobile browser requirements.
An Internet connection is necessary to communicate with Salesforce for user verifications of account activity and location-based automated verifications. Verification codes (time-based one-time passwords, or TOTPs) can be generated without an Internet connection on the mobile device.
Salesforce Authenticator tells the user:
What action needs to be approved
Which user is requesting the action
Which service the requested action is coming from
What device the user is using
Where the request is coming from (the location to consider before approving or denying it)
Salesforce Authenticator also underpins Lightning Login, which lets users log in to Salesforce without a password by approving the login request in the app, once an admin has enabled Lightning Login for the org and the user.
Connect your Salesforce account to the Salesforce Authenticator mobile app to use it for two-factor authentication. In some orgs you're prompted to connect the account as you log in; in others you connect it through your personal settings, under App Registration: Salesforce Authenticator on the Advanced User Details page, by clicking Connect.
Connected Accounts can be backed up from within the Salesforce Authenticator mobile app. If the mobile device is lost, damaged, or replaced, the Connected Accounts can be restored on another device.
Connected Accounts are active on only one device at a time. If you restore your Connected Accounts on a second device, you can no longer access them from the previous device.
To restore your Connected Accounts on a new device, restore your accounts before creating new Connected Accounts on the new device. You can’t restore Connected Accounts from a backup after creating new Connected Accounts.
Custom connection names and custom usernames are not preserved, and neither is the sort order of your connections. These settings return to their initial values; you can rename and re-sort your connections after you restore them.
Einstein automation controls whether Salesforce Authenticator automatically trusts locations that have been used three or more times. Use the Einstein Automation Settings button on the Settings page to enable or disable this option. When it's enabled, a location that has been used for three or more verified logins is trusted automatically for future logins. When it's disabled, existing trusted locations are preserved. Because automated verification approves requests from a trusted location without prompting the user, trusting a shared or public network location weakens the second factor for anyone logging in from there.
Universal Second Factor (U2F) Tokens
As a Salesforce admin, you can allow users to use a U2F security key whenever they're challenged to verify their identity, including for two-factor authentication and device activations. Instead of using Salesforce Authenticator or one-time passwords sent by email or SMS, users insert the security key into a USB port (and touch it, if the key requires that) to complete verification.
The Universal Second Factor (U2F) authentication standard comes from the FIDO Alliance and is built on public-key cryptography. It strongly resists phishing because the key signs a challenge that is bound to the app ID and origin it was registered with, so a look-alike site cannot obtain a usable signature. U2F security keys, which commonly plug into a USB port, are easy to deploy and work well in environments where mobile devices aren't allowed. Users can use the same security key with multiple service providers and multiple Salesforce orgs and accounts.
Users can self-provision their own security keys; the devices don't require upfront registration by IT or admins.
Security keys can look similar to other USB authentication devices that users carry on a keychain. Look for the FIDO U2F logo, which indicates that the device is compatible with the U2F protocol.
Security keys aren't biometric devices, even though some have a button that requires the user's touch to activate the device.
At the time of writing, this identity verification method is supported only in Chrome version 41 or later, because it is the only browser that natively supports U2F.
Select Let users use a security key in Session Settings. This setting is available only if My Domain is enabled.
Only one security key can be registered per account, although the same key can still be registered with other accounts, other Salesforce orgs, and other service providers.
Authenticator apps that generate verification codes (Salesforce Authenticator and other authenticator apps) use the TOTP algorithm, which computes a one-time password from a shared secret key and the current time.
Admins can generate a temporary verification code for users who can't access the device they usually use for two-factor authentication. The admin sets when the code expires, from 1 to 24 hours after it is generated, and the code can be used multiple times until it expires. Because the code keeps working until it expires, choose the shortest expiry that covers the user's need and deliver it out of band rather than by email to the account being verified.
Temporary verification codes are valid for two-factor authentication only, not for device activations: when a user logs in from an unrecognized browser or app and identity verification is required, a temporary code can't be used.
To generate one, an admin clicks the Generate link next to the Temporary Verification Code field on the user's record and sets the expiration time between 1 and 24 hours.