After studying this topic, you should be able to:
Describe how to use various password policies to implement restrictions related to password requirements
Identify the ways of controlling where and when users can log in to Salesforce
Identify different ways of confirming the identity of users through a second form of authentication
Explain the usage of login forensics and security health check
Introduction
Salesforce allows controlling access to an org through username and password as well as profile and security settings. In a Salesforce profile, it is possible to limit access by login IP ranges or login hours. Organization-wide trusted IP ranges can also be set. Moreover, it is also possible to require identity confirmation as a second form of authentication, delivered through email, SMS, or the Salesforce Authenticator app.
Four Levels of Security
Organization Security Controls: e.g. login access
Object: e.g. Account, Contact
Record: e.g. Salesforce, Marc Benioff
Fields on a Record: e.g. Name, Type, Lead Source
Example Features for Controlling Security Levels
Organization Security Controls
● Login Hours
● IP Restrictions
● Password Policies
Object
● Profiles
● Permission Sets
Record
● Org-Wide Defaults
● Role Hierarchy
● Sharing
● Teams
Fields on a Record
● Field Level Security
● Page Layouts
Organization Security Controls
Password Policies: Password policies can be defined at the profile level and the organization level to implement restrictions which make passwords more secure.
IP Restrictions: It is possible to control where users can log into Salesforce by specifying a range of allowed login IP addresses in their profile settings. Login hours can also be defined.
Identity Confirmation: Different methods are available to allow users to confirm their identity. Using an identity confirmation method acts as a second form of user authentication.
Network Settings: At the organization level, network access settings allow specifying trusted IP ranges from which users can log in without verifying their identity.
Passwords
Each user in Salesforce is provided with a unique username and password which must be entered during login.
ADMIN CONFIGURATION
An administrator can configure several settings to ensure that users' passwords are strong and secure:
1 Password Policies
2 Password Expiration
3 Password Resets
4 Login Attempts and Lockout Periods
Password Policies
Password Policies are settings that govern the login and password specifications of a
Salesforce organization’s users.
PASSWORD CHARACTERS
A password can’t contain a user’s username and can’t match a user’s first or last name.
ADMINISTRATOR SET UP
Admins can set up password restrictions and lockout policies different from the Salesforce defaults. These can be applied to all users or changed by profile.
Password Policies
Password Policies can be set at an organization or profile level.
Profile Password Policies settings override the
Organization-Wide Password Policies for that
profile’s users.
If Password Policies are not set for a profile,
the organization-wide Password Policies apply.
Changes to the organization-wide password
policies do not affect profile-specific password
policies which may be different.
(Figure: the Organization Password Policies and Profile Password Policies setup pages.)
Password Requirements
There are default password requirements for new organizations, and they can be modified in all Salesforce editions except for Personal Edition.
A password must contain at least eight characters, including one alphabetic character and one number.
The security question answer can't contain the user's password.
When users change their password, they cannot reuse their last three passwords.
Password Expiration
Passwords can expire for all users from Security Controls | Expire All Passwords, except for those with the 'Password Never Expires' permission.
In Password Policies, it is possible to specify the length of time until a user password expires and must be changed.
The default is 90 days, but it can be set to 30, 60, 90, 180, 'One year', or 'Never expires'.
Login Attempts and Lockout Periods
Settings for login attempts and lockout period can be specified in Password Policies.
MAXIMUM INVALID LOGIN ATTEMPTS
The number of invalid login attempts before a user is locked out can be specified. It can be set to
‘No Limit’, 3, 5, or 10.
LOCKOUT EFFECTIVE PERIOD
It is possible to specify how long a user is locked out. It can be set to ‘15 minutes’, ‘30 minutes’, ‘60
minutes’, or ‘Forever (must be reset by an admin)’.
Customizing Password Restriction Settings in Password Policies
Modifying password restriction settings can further improve Salesforce org security.
PASSWORD RESTRICTION SETTINGS
Password question requirement
It can be set to ‘None’ or ‘Cannot contain password’.
Obscure secret answer for password resets
This option hides the text when a user types the answer to the security question.
Password complexity requirement
Allows enforcing a certain combination of character classes that passwords must contain. For example, it can be set to 'Must include 3 of the following: numbers, uppercase letters, lowercase letters, and special characters'.
Minimum password length
The minimum password length can be set to a value between 5 and 50 characters.
Require a minimum 1 day password lifetime
If this checkbox is selected, users are not allowed to change their password more than once a day.
Enforce password history
The number of previous passwords that are remembered and cannot be reused. It can be set to any value from none to 24.
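As an added example (not Salesforce's own code), the following Python validator applies the restrictions described in this and the preceding password-policy sections: minimum length, the complexity rule, the username and first/last name checks, password history, the minimum 1-day lifetime, and expiration. The Policy and User classes, the complexity rule names, the sample user and timestamps, and the salted PBKDF2 hashing used to hold the history are the example's own assumptions; Salesforce does not document how it stores or compares previous passwords.

```python
"""Password-restriction checks as described above (added example, not Salesforce code)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple
import hashlib
import os
import re

SPECIAL = re.compile(r"[^A-Za-z0-9]")
ONE_HOUR = timedelta(hours=1)
ONE_DAY = timedelta(days=1)
T0 = datetime(2024, 1, 1, 9, 0)  # constructed reference time for the demo


def hash_pw(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2 digest, so the password history never holds clear text."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class Policy:
    min_length: int = 8                # the setting accepts 5 to 50
    complexity: str = "alpha_numeric"  # none | alpha_numeric | alpha_numeric_special | three_of_four
    history_depth: int = 3             # previous passwords remembered, 0 to 24
    min_lifetime_days: int = 1         # "Require a minimum 1 day password lifetime"; 0 disables
    max_age_days: Optional[int] = 90   # 30, 60, 90, 180, 365, or None for "Never expires"


@dataclass
class User:
    username: str
    first_name: str
    last_name: str
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # newest first
    last_changed: Optional[datetime] = None


def complexity_ok(password: str, rule: str) -> bool:
    classes = {
        "digit": any(c.isdigit() for c in password),
        "upper": any(c.isupper() for c in password),
        "lower": any(c.islower() for c in password),
        "special": SPECIAL.search(password) is not None,
    }
    alpha = classes["upper"] or classes["lower"]
    if rule == "none":
        return True
    if rule == "alpha_numeric":
        return alpha and classes["digit"]
    if rule == "alpha_numeric_special":
        return alpha and classes["digit"] and classes["special"]
    if rule == "three_of_four":
        return sum(classes.values()) >= 3
    raise ValueError(f"unknown complexity rule {rule!r}")


def violations(policy: Policy, user: User, new_pw: str, now: datetime) -> List[str]:
    """Every restriction the new password breaks; an empty list means accepted."""
    problems = []
    if len(new_pw) < policy.min_length:
        problems.append(f"length below minimum of {policy.min_length}")
    if not complexity_ok(new_pw, policy.complexity):
        problems.append(f"complexity rule {policy.complexity} not met")
    lowered = new_pw.lower()
    if user.username.lower() in lowered:
        problems.append("contains the username")
    if lowered in {user.first_name.lower(), user.last_name.lower()}:
        problems.append("matches the first or last name")
    for salt, digest in user.history[: policy.history_depth]:
        if hash_pw(new_pw, salt)[1] == digest:
            problems.append(f"reuses one of the last {policy.history_depth} passwords")
            break
    if (policy.min_lifetime_days and user.last_changed is not None
            and now - user.last_changed < timedelta(days=policy.min_lifetime_days)):
        problems.append("minimum password lifetime not reached")
    return problems


def is_expired(policy: Policy, user: User, now: datetime) -> bool:
    if policy.max_age_days is None or user.last_changed is None:
        return False
    return now - user.last_changed >= timedelta(days=policy.max_age_days)


def change_password(policy: Policy, user: User, new_pw: str, now: datetime) -> List[str]:
    """Apply the change if it passes; returns the violations (empty on success)."""
    problems = violations(policy, user, new_pw, now)
    if not problems:
        user.history.insert(0, hash_pw(new_pw))
        del user.history[24:]  # never keep more than the largest configurable depth
        user.last_changed = now
    return problems


if __name__ == "__main__":
    u = User("mbenioff", "Marc", "Benioff")
    print(change_password(Policy(), u, "Marc1234", T0))          # []
    print(violations(Policy(), u, "Marc1234", T0 + 2 * ONE_DAY))  # ['reuses one of the last 3 passwords']
    print(is_expired(Policy(), u, T0 + 90 * ONE_DAY))             # True
```

The checks are ordered so that a rejected password reports every failing rule at once rather than the first one, which is what a help-desk log needs when a user keeps tripping the policy; the history comparison re-derives the digest with each stored salt, so it never needs the old passwords in clear.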
Resetting Passwords
Password Restriction Considerations
A user's password can be reset for better protection or to unlock a user who has been locked out.
It is possible to change the password of specific users or all users by clicking the 'Reset Password' button on the 'Users' page in Setup.
When a user's password is reset, the user receives an email that contains a link and instructions to reset the password.
Resetting a locked-out user's password automatically unlocks the user's account.
Learn More
Passwords
Set Password Policies
Password Policy Fields in Profiles
User Authentication
Methods that Salesforce Administrators can use to authenticate users
I SINGLE SIGN-ON
An existing single sign-on capability can be used to standardize authentication for Salesforce users. In order to implement it, either federated authentication using Security Assertion Markup Language (SAML) or delegated authentication can be utilized.
II MULTI-FACTOR AUTHENTICATION
Multi-factor authentication increases an org's security by requiring a second level of authentication for every user login. It can be either service-based or policy-based. Users provide the second factor by installing a mobile authenticator app, such as the Salesforce Authenticator app. They can also use a U2F security key.
Learn More
Elements of User Authentication
User Authentication
IP Restrictions
IP restrictions are a way to control access to a Salesforce organization. They can be specified at the profile level and the organization level.
PROFILE LEVEL: Login IP address restrictions can be defined for a profile.
ORGANIZATION LEVEL: A list of trusted IP addresses can be defined for the entire organization.
Login IP Restrictions in Profiles
A range of allowed IP addresses can be specified on a user’s profile so that a login
from any other IP address is denied.
LOCATION
‘Login IP Ranges’ can be clicked on the profile overview page to add login IP ranges.
MESSAGE FOR DENIED USER ACCESS
When a user is denied access, they see the same error message that appears when the username
or password is incorrect.
ENFORCING LOGIN IP RANGES
It is possible to enforce login IP ranges on every request for all user profiles with IP restrictions
by selecting an option in ‘Session Settings’.
Login IP Ranges
ADDING IP RANGE
An IP range can be added by entering a valid IP address in the ‘IP Start Address’ and a higher-numbered IP address in
the ‘IP End Address’ field.
Learn More
Restrict Login IP Ranges in the Enhanced Profile User Interface
Organization-Level Trusted IP Ranges
Organization-Level Trusted IP Ranges considerations
A list of trusted IP addresses can be defined at the organization level by navigating to 'Network Access' in Setup.
Users can log in from a trusted IP address without receiving a login challenge to verify their identity, such as a code sent to their mobile phone.
If users try to log in from outside the trusted IP range, from a browser or device that Salesforce does not recognize, they are sent an activation code. Once the code is entered, they can access Salesforce.
An activation code is sent every time the user logs in from a device or browser that Salesforce does not recognize, even if the user is logging in from an IP address that Salesforce has seen before, as an IP address is not a reliable indicator for identifying a user.
A user who has logged in before from the same browser and IP address will still be prompted to verify their identity if they have manually deleted cookies or the browser is set to delete cookies.
NOTES
If the user's IP address is outside the trusted IP range, a verification / login challenge is sent.
If the user's IP address is inside the defined trusted IP range, the user is allowed to log in without verifying identity.
Organization-Level Trusted IP Ranges
Salesforce Organization Access Checks
Once login credentials are entered, the checks run in this order:
1. Is the login time outside of the Login Hours for the user's profile? YES: login denied. NO: continue.
2. Is the user's IP outside of the range defined for the profile? YES: login denied. NO: continue.
3. Is the user's IP outside of the trusted range defined for the org? YES: activation code sent; login is successful once the activation code is entered correctly. NO: login successful.
Learn More
Set Trusted IP Ranges for Your Organization
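The access-check sequence of that flowchart written out as code, as an added Python example that is not Salesforce's own. It models a profile's login hours and login IP ranges, the org's trusted IP ranges, and the browser-cookie recognition described under Identity Confirmation; the Profile/Org/Attempt classes, the hour-granular login-hours model, the sample addresses (RFC 5737 documentation ranges) and the generic error text are the example's own assumptions, not Salesforce data structures or messages.

```python
"""Login access checks in flowchart order (added example, not Salesforce code)."""
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address
from typing import Dict, List, Optional, Tuple

# An IP range as entered on the profile or Network Access page: start and end address, inclusive.
IPRange = Tuple[str, str]

# Same wording for a denied login as for a wrong password (example text, not Salesforce's message).
GENERIC_LOGIN_ERROR = "Please check your username and password."


def in_ranges(ip: str, ranges: List[IPRange]) -> bool:
    """True if ip falls inside any (start, end) range, compared numerically."""
    addr = ip_address(ip)
    return any(ip_address(lo) <= addr <= ip_address(hi) for lo, hi in ranges)


@dataclass
class Profile:
    # weekday (0 = Monday) -> (start_hour, end_hour); end_hour 24 stands for "End of Day".
    # None models "Clear all times" (login allowed at any time). A day that is
    # missing, or whose window is empty, blocks login on that day.
    login_hours: Optional[Dict[int, Tuple[int, int]]] = None
    login_ip_ranges: List[IPRange] = field(default_factory=list)  # empty = no restriction


@dataclass
class Org:
    trusted_ip_ranges: List[IPRange] = field(default_factory=list)


@dataclass
class Attempt:
    when: datetime
    ip: str
    device_recognized: bool  # browser cookie from an earlier verified login is present


def within_login_hours(profile: Profile, when: datetime) -> bool:
    if profile.login_hours is None:
        return True
    window = profile.login_hours.get(when.weekday())
    if window is None:
        return False
    start, end = window
    return start <= when.hour < end


def check_login(profile: Profile, org: Org, attempt: Attempt) -> str:
    """Return DENIED, CHALLENGE (activation code sent) or ALLOWED.

    Order follows the flowchart: login hours, then profile IP ranges, then the
    org-wide trusted ranges. Only the login request is modelled; the session
    setting that re-checks login IP ranges on every request is not.
    """
    if not within_login_hours(profile, attempt.when):
        return "DENIED"
    if profile.login_ip_ranges and not in_ranges(attempt.ip, profile.login_ip_ranges):
        return "DENIED"
    if in_ranges(attempt.ip, org.trusted_ip_ranges):
        return "ALLOWED"
    # Outside the trusted range: identity confirmation unless the browser is recognized.
    return "ALLOWED" if attempt.device_recognized else "CHALLENGE"


def user_message(result: str) -> str:
    """What the user sees; a denied login is indistinguishable from bad credentials."""
    return GENERIC_LOGIN_ERROR if result == "DENIED" else result


# Constructed sample configuration and timestamps (2024-01-01 is a Monday).
PROFILE = Profile(
    login_hours={d: (8, 18) for d in range(5)},          # Mon-Fri, 8 AM to 6 PM
    login_ip_ranges=[("203.0.113.0", "203.0.113.255")],
)
ORG = Org(trusted_ip_ranges=[("203.0.113.0", "203.0.113.127")])
MONDAY_9AM = datetime(2024, 1, 1, 9)
MONDAY_10PM = datetime(2024, 1, 1, 22)
SATURDAY_9AM = datetime(2024, 1, 6, 9)

if __name__ == "__main__":
    for attempt in (
        Attempt(MONDAY_9AM, "203.0.113.10", False),    # inside both ranges
        Attempt(MONDAY_9AM, "203.0.113.200", False),   # profile ok, outside org trusted range
        Attempt(MONDAY_9AM, "198.51.100.5", False),    # outside profile range
        Attempt(SATURDAY_9AM, "203.0.113.10", False),  # outside login hours
    ):
        print(attempt.ip, attempt.when, user_message(check_login(PROFILE, ORG, attempt)))
```

Note the difference the ordering makes: a profile login IP range is an allowlist and a miss is a hard denial with the generic error, while the org-wide trusted range only decides whether identity confirmation is required. When tuning either list, test with an address just outside each boundary (203.0.113.128 here) because the ranges are inclusive on both ends.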
Login Hours
Login hours considerations
Login hours can be set at the profile level but not at the organization level to restrict when users can log in.
In a profile, it is possible to set the days and hours when users with the profile can log in to the organization.
If a user tries to log in outside of these hours, they are denied access.
When a user is denied access, they see the same error message which appears when the username or password is incorrect.
To allow users to log in at any time, 'Clear all times' can be clicked.
To prohibit users from logging in on a specific day, set 'Start Time' to 12 AM and 'End Time' to 'End of Day'.
Define Login Hours and IP Range on a Profile
(Figure: a profile page showing Login Hours defined on the profile and an IP range defined on the profile.)
Learn More
View and Edit Login Hours in the Original Profile User Interface
Restrict Login Hours and IP Ranges
Identity Confirmation
Identity confirmation is a security layer in addition to username and password.
WHEN IDENTITY CONFIRMATION IS TRIGGERED
Identity confirmation is invoked when a user logs in from an unrecognized browser or device,
and is logging in from outside a trusted IP range.
STORED IN BROWSER COOKIES
Recognition is based on browser cookies: users will not be asked again unless the cookie is cleared (manually, or because the browser deletes cookies) or the user browses in private mode.
Identity Confirmation
Verification is done via the highest priority verification method available, in the following order:
1 Salesforce Authenticator Mobile App
2 U2F Security Key
3 One-Time Password Generator
4 SMS Text Message
5 Email
(Figures: identity confirmation via email, via mobile SMS, and via the Salesforce Authenticator app.)
Switch Back to Email- or SMS-Based Identity Verification
CHANGING IDENTITY VERIFICATION METHODS
Users can still switch back to email-based or SMS-based identity verification.
(Figures: the 'Having Trouble' page and the 'Choose a Verification Method' page.)
Learn More
Methods for Verifying Your Identity
Order of Priority Verification Methods
Login Forensics
Login Forensics allows Salesforce Administrators to monitor login behavior and keep a Salesforce org secure. Login Forensics provides critical login information:
A way to identify suspicious login activity
Who logged in more than the average number of times
The average number of logins per user per specified time period
Who logged in during non-business hours
Who logged in using suspicious IP ranges
NOTES
There is no user interface in Login Forensics.
Track events using the LoginEvent API object and platform event metrics.
Enable Login Forensics
Login forensics can be enabled under 'Event Manager' in Setup.
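Because Login Forensics has no user interface, the analysis happens in whatever tool reads the LoginEvent records. The following added Python example (not Salesforce's code) computes the four indicators listed above over a handful of constructed LoginEvent-style rows. The rows themselves, the business-hours window (08:00 to 18:00 UTC on weekdays), the list of 'suspicious' networks, and the assumption that only rows with Status 'Success' count as logins are the example's own.

```python
"""Login-forensics indicators over LoginEvent-style records (added example, not Salesforce code)."""
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Tuple

# Constructed sample rows using LoginEvent field names; users, times and
# addresses (RFC 5737 documentation ranges) are invented for the example.
# 2024-01-01 is a Monday, 2024-01-06 a Saturday.
SAMPLE_EVENTS = [
    {"Username": "alice@example.com",   "EventDate": "2024-01-01T09:00:00.000+0000", "SourceIp": "203.0.113.10", "Status": "Success"},
    {"Username": "alice@example.com",   "EventDate": "2024-01-01T13:00:00.000+0000", "SourceIp": "203.0.113.10", "Status": "Success"},
    {"Username": "alice@example.com",   "EventDate": "2024-01-02T09:30:00.000+0000", "SourceIp": "203.0.113.10", "Status": "Success"},
    {"Username": "bob@example.com",     "EventDate": "2024-01-06T02:58:00.000+0000", "SourceIp": "198.51.100.7", "Status": "Invalid Password"},
    {"Username": "bob@example.com",     "EventDate": "2024-01-06T03:00:00.000+0000", "SourceIp": "198.51.100.7", "Status": "Success"},
    {"Username": "carol@example.com",   "EventDate": "2024-01-02T10:00:00.000+0000", "SourceIp": "203.0.113.22", "Status": "Success"},
    {"Username": "carol@example.com",   "EventDate": "2024-01-03T11:00:00.000+0000", "SourceIp": "203.0.113.22", "Status": "Success"},
    {"Username": "mallory@example.com", "EventDate": "2024-01-02T02:00:00.000+0000", "SourceIp": "192.0.2.33",   "Status": "Success"},
    {"Username": "mallory@example.com", "EventDate": "2024-01-02T02:05:00.000+0000", "SourceIp": "192.0.2.33",   "Status": "Success"},
    {"Username": "mallory@example.com", "EventDate": "2024-01-03T14:00:00.000+0000", "SourceIp": "192.0.2.34",   "Status": "Success"},
    {"Username": "mallory@example.com", "EventDate": "2024-01-03T22:30:00.000+0000", "SourceIp": "192.0.2.34",   "Status": "Success"},
]


def parse_event_date(value: str) -> datetime:
    """EventDate as the API returns it: ISO 8601 with milliseconds and a +0000 offset."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")


def successful(events: Iterable[dict]) -> List[dict]:
    """Only rows with Status 'Success' count as logins (assumption for this example)."""
    return [e for e in events if e["Status"] == "Success"]


def logins_per_user(events: Iterable[dict]) -> Counter:
    return Counter(e["Username"] for e in successful(events))


def average_logins(events: Iterable[dict]) -> float:
    counts = logins_per_user(events)
    return sum(counts.values()) / len(counts) if counts else 0.0


def above_average(events: Iterable[dict]) -> Dict[str, int]:
    """Users who logged in more often than the per-user average for the period."""
    avg = average_logins(events)
    return {u: n for u, n in logins_per_user(events).items() if n > avg}


def outside_business_hours(events, start_hour=8, end_hour=18) -> List[Tuple[str, str]]:
    """Successful logins on weekends or outside [start_hour, end_hour), evaluated in UTC."""
    flagged = []
    for e in successful(events):
        when = parse_event_date(e["EventDate"])
        if when.weekday() >= 5 or not start_hour <= when.hour < end_hour:
            flagged.append((e["Username"], e["EventDate"]))
    return flagged


def from_suspicious_ranges(events, networks: Iterable[str]) -> List[Tuple[str, str]]:
    """Successful logins whose SourceIp falls in any of the given CIDR networks."""
    nets = [ip_network(n) for n in networks]
    return [(e["Username"], e["SourceIp"]) for e in successful(events)
            if any(ip_address(e["SourceIp"]) in net for net in nets)]


def report(events, suspicious_networks) -> dict:
    return {
        "average_logins_per_user": average_logins(events),
        "above_average": above_average(events),
        "outside_business_hours": outside_business_hours(events),
        "suspicious_ip": from_suspicious_ranges(events, suspicious_networks),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_EVENTS, ["192.0.2.0/24"]).items():
        print(key, value)
```

The failed attempt is kept in the sample on purpose: counting it as a login would inflate bob's total and shift the average, so the Status filter is applied before every indicator. In a real run the rows come from a query against LoginEvent for the period under review, and the business-hours window should be converted to the org's working time zone before comparing hours.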
Security Health Check
Security Health Check helps in identifying and fixing potential vulnerabilities in key areas of the security settings:
1 Session Settings
2 Password Policies
3 Certificate and Key Management
4 File Upload and Download Security Settings
Security Health Check
Health Check can be used by navigating to ‘Health Check’ in Setup.
HEALTH CHECK SCORE
A summary score is calculated using a proprietary formula and shows how an org measures against a
security baseline, such as the Salesforce Baseline Standard. Up to five custom baselines can be uploaded
and used instead.
Settings that meet or exceed the baseline increase the score, and settings that are at risk lower
the score.
Typically, changing the settings to be less restrictive decreases the score.
A lower score indicates settings at higher risk or further away from the recommended values.
In addition to a score, a grade is also provided to more easily assess the org's overall security status. The grades correspond to the following score percentages:
EXCELLENT: 90% and above
VERY GOOD: 80%—89%
GOOD: 70%—79%
POOR: 55%—69%
VERY POOR: 54% and below
(Figure: the Health Check page. A summary score is displayed with a grade. Certain security settings can be fixed automatically, and a setting can be edited from the page directly. Up to five custom baselines can be uploaded and used instead of the Salesforce Baseline Standard. Actual and recommended values are shown for each setting.)
Health Check Risk Categories and Recommended Actions
The Salesforce Baseline Standard consists of recommended values for four categories of security settings.
1 HIGH RISK, such as the number of expired certificates
2 MEDIUM RISK, such as the minimum password length
3 LOW RISK, such as the password question requirement
4 INFORMATIONAL, such as the days until certificate expiration
Actions for scores that need remediation
URGENT REMEDIATION
Salesforce recommends remediating high risks immediately if the score is 0% - 33%.
HIGH RISK AND MEDIUM RISK REMEDIATION
If the score is 34% - 66%, high risks should be remediated in the short term, and medium risks should be remediated in the long term.
PERIODIC REVIEW
If the score is 67% - 100%, Health Check should be reviewed periodically to remediate remaining risks.
My Domain
My Domain is a feature that allows the creation of a subdomain for the company’s
Salesforce org. It is required in order to activate other Salesforce features.
MY DOMAIN CAPABILITIES
The My Domain Salesforce identity feature allows adding a subdomain to the Salesforce org.
It allows highlighting the brand of the company and making the org more secure.
It helps in better management of login and authentication of the org.
It replaces the instance URL assigned by Salesforce, like https://eu70.salesforce.com, with a chosen domain
name, like https://NameOfCompany.my.salesforce.com.
It is required for single sign-on (SSO) with external identity providers, social sign-on with authentication
providers like Google and Facebook, and Lightning components in various places like Lightning pages.
My Domain
NOTE
Production orgs that are created Winter ‘21 or later will get My Domain by default. Salesforce assigns a My
Domain based on the company name if one isn’t chosen during sign-up. It can be changed if a different one is
preferred.
My Domain for Internal Salesforce Org
(Figure: the My Domain feature in use for an internal Salesforce org.)
Learn More
My Domain
Single Sign-On
Single Sign-On allows users in the org to log in to Salesforce and other applications using single user credentials with an external identity provider.
Single Sign-On removes the need to log in to every single application every time.
Users only need to memorize one password to access the Salesforce org, authorized network resources, and external applications.
Password policies are consistent across your corporate network and the Salesforce org.
Users are more likely to use Salesforce given the ease of having a single login.
Efficiency for both users and administrators: users do not need to manually log in to Salesforce every time, thereby reducing the risk of access issues because of misspelled user credentials.
Managing user access to sensitive information can be done in one place.
Implementation
These options are available for implementing single sign-on capability to simplify and standardize user authentication:
FEDERATED AUTHENTICATION
Federated authentication allows affiliated but unrelated web services to share authentication data. It is automatically enabled for an org.
DELEGATED AUTHENTICATION
Delegated authentication allows the usage of a preferred authentication provider. It uses a stronger form of user authentication and makes the login page private and accessible only behind a corporate firewall. The setting is enabled in Setup > Single Sign-On Settings by first disabling login with Salesforce credentials.
Implementation
External authentication providers allow users to log in to Salesforce using their user credentials from other services.
(Figure: a login page with Username, Password, Remember Me and Log In, or alternatively 'Log in with' Google, PayPal, or LinkedIn.)
Other authentication providers may be used to let users log in to the Salesforce org using their login credentials from an external service provider, such as Google, PayPal, and LinkedIn, using the OpenID Connect protocol.
Learn More
Single Sign-On