Pages

Thursday, September 3, 2015

Salesforce Login Security

Without SSO (Single Sign On), login from Salesforce only required username and password (username need to be in the format of email address, but may different with email address). But Salesforce give additional security when user login that many admins not aware .

IP Ranges
There are 2 type of IP ranges we can define in Salesforce:

1. Login IP Ranges Restriction in Profile 
When IP ranges is added to profile, user assigned with that profile login NOT from defined IP ranges will be denied. User will see standard error message: Your login attempt has failed. The username or password may be incorrect, or your location or login time may be restricted. Please contact the administrator at your company for help.
But admin will notice it in login history with Status = Restricted IP

Note: even if user IP address is in the range of Trusted IP Address (see point 2. below) but not in Login IP ranges (if defined), user still will not able to login and get the same error message.


2. Trusted IP Ranges in Network Access

This setting will be apply to all users. Users logging in from trusted IP addresses are not asked to activate their computers. User just need to enter their password without additional security token to log in to the API or a desktop client such as Connect for Outlook, Connect Offline, Connect for Office, Connect for Lotus Notes, or the Data Loader.

Here is schema copy from Salesforce on the login process to Salesforce.com:



Identity Verification
If you see above diagram, Salesforce will verify the user if never login from an IP address and not in trusted ranges. This additional verification is enhance security on login process. There are 2 methods of verification:

1. SMS
This feature is turned on by default. You can find this in Setup | Security Controls | Session Settings, look for Enable the SMS method of identity confirmation in Identity Confirmation section. To deactivate this, you need to contact Salesforce support.

If admin do not enter mobile number when create the user account, when user login to Salesforce for the 2nd time (the 1st login will ask to change password), they will be asked to enter mobile number. But, user can opt-out from this feature, by click No thanks.


If user click Remind me later, user will be asked to enter mobile number again.


2. Email
For user opt-out from SMS, they will receive the pass code in email for identity verification.


You also can limit all access to Salesforce to only to those IPs in Login IP Ranges. For example, a user logs in successfully from an IP address defined in Login IP Ranges. The user then moves to a different location and has a new IP address that is outside of Login IP Ranges. When the user tries to access Salesforce, including access from a client application, the user is denied. To enable this option, navigate to Setup | Security Controls | Session Settings and select Enforce login IP ranges on every request. This option affects all user profiles that have login IP restrictions.


Reference: