Saturday, November 21, 2015

Salesforce: Two Factors Authentication - 2FA

For Singapore residence, when login to internet banking from Singapore banks, after enter username and password successfully, system will request user to enter security token, it can be generated using a device or delivered by SMS, usually it would be 6 or 8 digits. This is one of usage of two factors authentication (2FA), aka OTP (One Time Password) with what you know (username and password), plus what you have (device), to prove the right person with access and enhance security when username and password only is not secure enough.

For some organization, two factors authentication is required. But, can we have 2FA when login to To build two factors authentication as implemented by banks will need a huge cost and a lot of time, but to implement this on is free of charge. Salesforce has this feature out of the box for all editions. If you are one of the awesome admin, you can configure this for less than an hour (not include training or communication with your users), and you do not need a developer to write any code.

1. Setup
Enable Permission
Create a Permission Set or enable Profile with Two-Factor Authentication for User Interface Logins permission. Users assigned with this profile or added with this permission set will required to enter time-based password.

How user will receive this one-time password? Instead of SMS, user need to install Salesforce Authenticator app in their smart phone as trusted device linked to your Salesforce account, for now only iOS and Android phone.

Install Salesforce Authenticator app
Search for Salesforce Authenticator in App Store for iOS device or in Google Play for Android device.

2. Usage
First Login after Setup
When user login to for the first time, after permission granted, user need to enter two-word phrase.

Open the Authenticator app in your smart phone, then tap + New Account, enter the phrase shown in the app to Salesforce connect page, then click Connect button. Then you also tap Connect button in the app. Salesforce will email you that new verification method was added to your account.

Once verified, admin or user can check in the user detail page, link next to App Registration: Salesforce Authenticator has changed from Connect to Disconnect.

If you have access to multiple login, the mobile app can handle multiple login with the same device, you can swipe the account to left to delete it.

Normal Login
After successful enter username and password, user will be present with a screen that tell user need to use Authenticator app from user phone to approve login to Salesforce.

Tap Approve button in phone app to continue, once approved this will auto let you login to

In Summary:
1. Open from (or your custom my domain)
2. Enter username and password, then Log In
3. Approve from your device with Authenticator app

  • after enter username and password successfully, Salesforce will challenge for approval from device, in the login history this step will show with "two-factor required".
  • after approve from device, login history will show "Success".

  • Salesforce will wait for 90 seconds, otherwise it will tell you "We canceled your request because we didn't receive your approval within 90 seconds".
  • For some reason if you can't approve from the device, you can change the verification method by using code from Authenticator app.

3. Recovery
Let's say user delete the Authenticator app incidentally, or have issue with the mobile phone, or lost his mobile phone.

In Salesforce
Only user with Manage User permission, go to user detail and look for App Registration: One-Time Password Generator, then click Disconnect link, this will delete Disconnect link. User need to re-register from Authenticator app when login to

In mobile phone
Re-install the Authenticator app, and re-do registration process again as above. As admin, you will notice the Disconnect link re-appear again in user detail, after user successfully re-register his device.

Last update: 28 Feb 2017 with Spring '17 release and using Salesforce Authenticator app version 2.8.0 on iOS.


No comments:

Post a Comment

Page-level ad