User Authentication

Note: A previous login from the same IP address may no longer bypass computer activation.  Please see Improved Security for Device Activation in the Spring’16 Release Notes.

71 Responses to “User Authentication”

  1. archita@kns August 3, 2017 at 7:00 am #

    Hi John,
    Below is my understanding regarding Login process in salesforce. Please correct me , if i am wrong.

    If a user try to login into SF

    1> Outside login hour
    NO matter what Ip Range(profile/org level) ———–> user block

    2> Inside login hour
    If user have Login Ip range(profile-level) set , it will not look at trusted-Ip range (org-level) at all.

    (a) outside Login Ip range —-> User block

    (b) Inside Ip range:
    Login successful: old device, old browser

    Login challenge: (verfication code)
    old device, New browser
    New device [As per new release]

    3> Inside login hour
    If No Login Ip range set on profile level, then it will look at trusted-Ip range (org-level)

    (a) outside trusted-Ip range —-> Login challenge (verfication code)

    (b) Inside trusted-Ip range:
    Login successful: old device, old browser
    Login challenge:
    old device, New browser
    New device [ As per new release]

    • JohnCoppedge August 9, 2017 at 9:03 pm #

      No identity verification required within login ip range or trusted ip range.

      It used to be that if you had ever connected from an ip address (regardless of login ip or trusted ip ranges) that if you reconnect from that ip it would bypass identity confirmation. That is no longer true.

  2. archita@kns August 1, 2017 at 7:38 am #

    Can you please explain me , what is computer activation?
    https://success.salesforce.com/answers?id=90630000000gnd7AAA

    What it actually does?

    • JohnCoppedge August 9, 2017 at 8:40 pm #

      Identity verification (aka device activation) is a security measure to prevent unauthorized access – it requires that you key in a few digits to log in

  3. medavis2012 June 12, 2017 at 4:44 am #

    Regarding VPN and restricting log in ip addresses at the profile level, the video says at 2:42, “With that same configuration, a company can enforce that users connect to the internal network through a VPN before connecting to Salesforce.” Does that mean that the IP log in restrictions at the profile level don’t matter if the user is accessing their work computer through a VPN?

    • JohnCoppedge June 12, 2017 at 12:50 pm #

      When you connect through a VPN, it will change your IP address. It will appear as if you are connecting from within your company’s network to Salesforce.

  4. mkandil7 April 17, 2017 at 9:34 pm #

    Hello,
    I’ve seen this question many times and can’t find the answer: when the session expires while user is working, he’s logged out and asked to log in again when he tries to move from the actual page he’s in, but is the work lost or saved ?

    Thank you !

    • JohnCoppedge April 18, 2017 at 12:20 pm #

      It should not be saved. The session would be invalidated at the end of the login time, therefore whatever action was taken (e.g. save) would be rejected.

  5. puppals March 30, 2017 at 10:20 pm #

    So if I am login from same system/laptop/ip address first day i used
    1. IE Browser
    2. 2nd day I used Chorme
    3. 3rd day I used Firefox
    On 2nd and 3rd days the login is successful without any verification. Please confirm.

    • JohnCoppedge April 3, 2017 at 6:42 pm #

      Not 100% clear- prior to the change listed above (improved security for device activation) this would have been the case if you were connecting from the same IP. Now you will likely have to activate on all 3 connections:

      Improved Security for Identity Verification

      Since an IP address isn’t a reliable indicator of a user’s identity, we’ve changed our risk-based authentication protocol. When your users log in to Salesforce from a device or browser we don’t recognize, they are now prompted to verify identity, even if they log in from an IP address we’ve seen before.

  6. ybiyani@hotmail.com March 19, 2017 at 10:01 pm #

    Is the following summary correct?
    Trusted IP – removes the need for device authentication
    Profile IP- restricts access only from the specified login

  7. Snowden82 January 20, 2017 at 5:55 pm #

    “If user is trying to login within the login hours set in profile, the IP range is NOT within the login IP range but IS trusted IP range, then user’s login will be blocked since IP range does not match with login IP range set in user’s profile.”

    I saw this question in the comments and was reminded that this question was on the certification. However, when I answered that the User would be denied access (based on Profile IP Range) I got it wrong. I thought I read in here that the Trusted IP Range overrides Profile IP Range. Could you please clarify?

    • JohnCoppedge January 20, 2017 at 7:49 pm #

      Check out the chart here: https://developer.salesforce.com/blogs/tech-pubs/2015/09/login-ip-ranges-security.html

      Trusted IP ranges are not evaluated if Login IP Ranges are set- in short your answer was correct.

      How do you know you got the answer wrong?

      Checked the comments below which seem to reinforce this discussion (if you see anything contradicting please let me know and I will update)

      “Restrictions override trusted IP ranges.

      Trusted IP ranges are org wide, restrictions are set at profile.”

      • Snowden82 January 20, 2017 at 8:17 pm #

        My apologies, the chart is very clear. Thank you. My confusion came from: Trusted IP Ranges: REMOVES Login Restrictions from Specific IP Addresses (I thought restrictions from Profile IP range as well). It was a question about which overrides the other, but now I get it.

  8. sneha06 October 13, 2016 at 2:51 pm #

    Hi John,

    When we clicked on Reset Password button on User record which are the fields that was updated except LASTPASSWORDCHANGEDATE.

    May be this question is not relevant with admin certification but if you let me know it will be helpful.

    Thanks

  9. sneha06 October 1, 2016 at 1:56 pm #

    1. A user profile has login hour restrictions set to Monday through Friday 8:00 AM to 5:00 Pm. It is Tuesday and the user has logged in at 4:30PM and it is now 5:01PM
    Which behavior of the application should the user expect?

    A. The user will be able to continue working and start new sessions.
    B. The user will be logged out and any unsaved work-in-progress will be saved
    C. The user will be able to continue working, but will not be unable to start ay new sessions.
    D. The user will be logged out and any unsaved work-in-progress will be lost

    In my opinion the ans should be C, but many people says D.

    John Could you please confirm which one is right.

    • JohnCoppedge October 3, 2016 at 8:18 pm #

      Probably D- when the user clicks “save” they will get logged out. If no action is taken the browser would continue to show the cached page.

  10. sneha06 September 21, 2016 at 2:18 am #

    Hi John,

    Could you please help me with below query.

    If a org has implemented Single Sign On in Salesforce and if a user has forgot his password then who can reset his password as we know user himself are not able to reset his password.

    Somewhere I found that Salesforce admin can reset there password and somewhere I found the password needs to be reset in the application that is used to verify the identity, such as active directory (AD).

    So which one is the true.

    And if Admin can reset there password then how? Do they have access in AD.

    Thanks

    • JohnCoppedge September 27, 2016 at 1:19 am #

      If SSO is turned on for the profile, you cannot reset the password. It would need to be reset in the source system connected to facilitate SSO (commonly active directory)

      • sneha06 September 27, 2016 at 3:07 am #

        Thanks for your reply.

        But is there any option like Salesforce admin can access the source system connected to facilitate SSO from Salesforce itself?

  11. golwalaonline August 21, 2016 at 4:19 am #

    Hi John, a quick question.

    Below is what Network Access setting states.

    “Users logging in to salesforce.com with a browser from trusted networks are allowed to access salesforce.com without having to activate their computers.”

    It does not mention explicitly login with API through trusted IP. Though, it says login with browser. I would appreciate, if you could please clarify the same.

    • JohnCoppedge August 21, 2016 at 12:10 pm #

      “From trusted network” implies ip address as that is how trusted networks are defined

  12. golwalaonline August 21, 2016 at 4:01 am #

    Excellent explanation of login methods.

  13. rameshcn78 August 10, 2016 at 8:25 pm #

    Hi John, is it possible to display the most recent comments per topic at the top of the page

  14. sachin.qatester June 27, 2016 at 12:45 am #

    Hi John,

    Based on my understanding I think below points mentioned are true, please let me know if otherwise.

    User’s profile is set with login hours, login IP range and org wide trusted IP ranges are also set by administrator.

    (1) If user is trying to login outside of login hour set in user’s profile, even if the IP address matches with login IP range based on user’s profile and is within the trusted IP range as well, user will be prevented from logging in at all, login will be blocked.

    (2) If user is trying to login within the login hours set in profile, the IP range is within the login IP range but not trusted IP range, then user will require activation to log in.

    (3) If user is trying to login within the login hours set in profile, the IP range is NOT within the login IP range but is trusted IP range, then user’s login will be blocked since IP range does not match with login IP range set in user’s profile.

    Thanks a lot.

    • prashanthgowda165 July 19, 2016 at 10:25 pm #

      Hi Sachin,

      My understanding and answers on your points:

      Point 1: Yes, the login will be denied

      Point 2: If he is not in the trusted IP Range but within Login IP Range, then the user will require activation in the below combinations,
      -> New IP Address, New Browser
      -> New IP Address, Old Browser
      -> Old IP Address, New Browser

      No activation is required when it is: Old IP Address, Old Browser

      Point 3: Yes, Login will be denied if it is not within Login IP Range since it overrides trusted IP Range.

      Regards,
      Prashanth

    • JohnCoppedge August 19, 2016 at 8:19 pm #

      prashanthgowda165 correct – only one note:

      #2- not clear anymore, given that SFDC is not using IP to validate activation any more. Login will be allowed, activation may be required.

  15. Firstrock May 21, 2016 at 7:57 am #

    Would there be a record created in login history if user tries to login outside of profile IP range.

    Wondering if answer is jus D or C & D

    A user reports an error message when attempting to log in. the
    Administrator checks the user’s login history, but no record of the attempted login.
    What could be the reason for this?
    a. The user is attempting to log in with the wrong password
    b. The user is attempting to log in outside of profile login hours
    c. The user is attempting to log in outside of the profile IP login range
    d. The user is attempting to log in with the wrong username

    • tj88835 May 31, 2016 at 3:32 pm #

      Hi Firstrock,

      I guess if their is no record of the attempted login, then the USERNAME must be wrong because even if the user tries logging in with the correct username but is outside of the profile login range, then atleast the user’s login history would show the error with that username. Clearly it is the case of WRONG USERNAME and i believe the correct answer should be only D

    • tj88835 May 31, 2016 at 3:53 pm #

      Latest question from the certification –

      A user at Universal container reports an error message when attempting to log in. the administrator checks the user’s login history, but there is no record of the attempted login.
      What could be cause of this issue?
      The user is attempting to log in outside of the profile login range
      The user is attempting to log in outside of the profile IP
      The user is attempting to log in with wrong username
      The user is attempting to log in with wrong password

      Correct answer is c- wrong username

      Guess this might help

  16. MKlobe March 28, 2016 at 12:46 am #

    For logging in via API even from a trusted network that you’ve successfully logged in from previously, do you still need to enter the security token or can that be bypassed as you’ve previously logged in beforehand (or is that completely superseded due to the new release?)

    • JohnCoppedge April 10, 2016 at 11:42 pm #

      Whenever you log in from a trusted network no taken is needed (even first time).

      New release no longer bypasses activation (which is not done via API connection) through prior ip usage

  17. g.levy@mamacash.org January 24, 2016 at 3:00 pm #

    The permission (profile/permission set) “API Enabled” is required for a user to authenticate via the API.

    Everytime I use dataloader.io at my office I need to add token. Is there away that I won’t be needed to add token after first time access (so no need to for token if I use dataloader.io on another day)?

    • g.levy@mamacash.org January 24, 2016 at 3:33 pm #

      Is it related to this:

      Modify Session Security Settings-
      Require security tokens for API logins from callouts (API version 31.0 and earlier) In API version 31.0 and earlier, requires the use of security tokens for API logins from callouts. Examples are Apex callouts or callouts using the AJAX proxy. In API version 32.0 and later, security tokens are required by default.

    • JohnCoppedge January 25, 2016 at 7:44 pm #

      Yes- you would need to add the IP address to the list of trusted IP ranges.

      However, this would be wherever dataloader.io was connecting from (which could be a range of addresses).

  18. g.levy@mamacash.org January 24, 2016 at 11:44 am #

    Hi John,

    After i read the comments above and of course watched the video I would like to see if I got it right:

    Scenario 1: I have OWD trusted IP address. User profile A has an IP range restriction that is partially overlap with OWD trusted IP. User Profile B has an IP range restriction within the OWD trusted IP address and lastly user profile C has no IP range restriction.
    User A: log in from IP address that is within the profile range but it not in the OWD trusted IP – could the user login?
    User B: login for the first time within the allowed IP range – would the user get an activation message?
    User A or User B: login outside their profile IP range but within the trusted OWD IP – would they still be able to login?

    Apologies in advance for repetitive questions, i’m a bit slow:)
    Regards,
    Gil

    • JohnCoppedge January 25, 2016 at 7:43 pm #

      HI Gil,

      Restrictions override trusted IP ranges.

      Trusted IP ranges are org wide, restrictions are set at profile.

      A- yes (but would require activation)
      B-yes can login, don’t believe activation is required (I believe all IPs are considered trusted if restrictions on the profile are enabled – would need to double check the docs on this)
      Outside of allowed profile ip ranges on login- deny login (if restrictions are enabled, then you can’t access the org outside of those ranges)

      Cheers,

      John

  19. coolpranu@yahoo.com December 19, 2015 at 7:03 pm #

    The slide just before “Thank You” could have been a bit slower. Otherwise, great content.

  20. sandeep arora July 17, 2015 at 3:38 am #

    Yes, in my opinion.
    If it is a different IP address, then you must activate browser.

  21. swayam pati July 7, 2015 at 4:51 am #

    If a device is already verified and cookie is stored, if the same device with new IP address is used for login, will the Verification code be asked? ( No trusted range is set)

  22. Nithya Gopinath June 17, 2015 at 3:23 am #

    Which feature restricts a user’s ability to log
    into Salesforce?
    Choose 2 answers:
    A. Trusted IP ranges
    B. Login hours
    C. Login IP ranges
    D. Password policies

    • Nithya Gopinath June 17, 2015 at 3:30 am #

      A& b is correct or b & c is correct…please explain me

      • JohnCoppedge June 23, 2015 at 8:49 pm #

        b&c – trusted IPs make it easy for a user to login (removes need for computer activation and security token), but does not outright prevent logins.

        Login hours and Login IP Ranges will prevent a user from logging in.

  23. Maura McNulty April 3, 2015 at 4:59 am #

    Are Authentic Settings for External Systems i.e. the Parent Object Type discuss elsewhere or not on the exam? Thank you.

    • JohnCoppedge April 3, 2015 at 1:53 pm #

      Are you talking about SSO or connected apps? Touched on but largely out of scope for ADM201.

  24. anusha pudota August 5, 2014 at 5:41 pm #

    Hi John, in the end while summarizing, shouldn’t that be, “for login hours and login IP ranges, no need to use security token while logging in from API, and no need of computer activation while logging in from Website. Please correct me if I am wrong. Thanks!

    • JohnCoppedge August 7, 2014 at 8:57 pm #

      For login from a trusted ip – you will not need computer activation or a security token.

      Login hours is evaluated separately and should not impact your login IP address or other behavior (outside of login time).

  25. Michelle Chaplin April 22, 2014 at 6:56 pm #

    Just wanted to note that Salesforce now also sends verification codes to mobile phones via SMS. I don’t know if there’s an option to select a preference for email vs. SMS in the user profile.

    • JohnCoppedge April 26, 2014 at 9:37 pm #

      Thanks Michelle – I’ve added an objective to the guide to address SMS activation and two factor authentication.

  26. Paresh Joshi April 4, 2014 at 5:35 pm #

    Hi John,

    I got question on point 1 from Siva’s post on my certification test today.
    I answered accordingly. Of course, I don’t know whether it got recorded correctly or not.

    I passed the exam. Many thanks for the great site.
    It was extremely helpful in preparing for the exam in a short time.
    Even though I have years of experience, exams are a different beast and one needs structured help. You have done a great job with that.

    regards,

  27. Siva October 17, 2013 at 3:39 pm #

    John,

    1. If a user whose profile has Login IP Range (say support staff can access only from a certain building), and this user attempts to login from a computer in their corporate office (which is in the Trusted IP Range), will the user-login be successful?

    2. Is there an order by which IP Range check is performed by Salesforce? Say Login IP Range first and Trusted IP Range second, Public IP third and others next? If the first one verification fails, does the verification go to the second step or stop?

    3. Scenario: My computer is already activated for IE browser. Does accessing Salesforce from Chrome browser require further activation? The reason for this clarification is the reference materials say a cookie is placed in the browser while activation. Is this cookie linked to only one browser?

    Thanks,

    • JohnCoppedge October 18, 2013 at 4:25 pm #

      Hi Siva,

      1. My understanding is that Login IP ranges will override Trusted IP ranges – e.g. even if the IP Range is trusted, it must also be a login IP range. I haven’t specifically tested this scenario and can’t find a place to confirm this in the documentation, however.

      2. I’m sure there is, but I don’t think it is documented. It shouldn’t matter too much – the preference of feature (as q #1 indicated) should drive behavior.

      3. Yes – a new browser requires new activation. Cookies are browser independent. You can login from one browser, activate, and then immediately login from another browser (as your IP address will allow access).

      • Siva October 21, 2013 at 6:05 pm #

        Thanks, John.

        For 1 & 2, when you get time, can you verify and let us know please?

        3. So, the cookies are only IP address dependent and
        not Browser or Computer dependent.

        • JohnCoppedge April 11, 2014 at 4:39 pm #

          Sorry I should clarify that point-

          Cookies are browser dependent. However, activations also look at IP addresses.

          Therefore- if you have activated EITHER the current browser OR the current IP address, then you will bypass activation.

          • JohnCoppedge April 11, 2014 at 4:41 pm #

            Here’s how this would work:

            3. Scenario: My computer is already activated for IE browser. Does accessing Salesforce from Chrome browser require further activation? The reason for this clarification is the reference materials say a cookie is placed in the browser while activation. Is this cookie linked to only one browser?

            Does accessing Salesforce from Chrome browser require further activation?
            -Yes. If you are accessing SFDC from the same IP as you did from FF, Chrome will be activated. If it is a different IP address, then you must activate Chrome.

            Is this cookie linked to only one browser?
            -Yes

        • JohnCoppedge April 11, 2014 at 4:45 pm #

          Finally, for 1&2, found documentation. My assumption was correct:

          https://help.salesforce.com/apex/HTViewHelpDoc?id=admin_loginrestrict.htm&language=en

          When users log in to Salesforce, either via the user interface, the API, or a desktop client such as Connect for Outlook, Salesforce for Outlook, Connect Offline, Connect for Office, Connect for Lotus Notes, or the Data Loader, Salesforce confirms that the login is authorized as follows:
          Salesforce checks whether the user’s profile has login hour restrictions. If login hour restrictions are specified for the user’s profile, any login outside the specified hours is denied.
          If the user has the “Two-Factor Authentication for User Interface Logins” permission, Salesforce prompts the user for a time-based token (which the user may also be prompted to create if it hasn’t already been added to the account) upon logging in.
          If the user has the “Two-Factor Authentication for API Logins” permission and a time-based token has been added to the account, Salesforce returns an error if a time-based token is not used to access the service in place of the standard security token.
          Salesforce then checks whether the user’s profile has IP address restrictions. If IP address restrictions are defined for the user’s profile, any login from an undesignated IP address is denied, and any login from a specified IP address is allowed.
          If profile-based IP address restrictions are not set, Salesforce checks whether the user is logging in from an IP address they have not used to access Salesforce before:
          If the user’s login is from a browser that includes a Salesforce cookie, the login is allowed. The browser will have the Salesforce cookie if the user has previously used that browser to log in to Salesforce, and has not cleared the browser cookies.
          If the user’s login is from an IP address in your organization’s trusted IP address list, the login is allowed.
          If the user’s login is from neither a trusted IP address nor a browser with a Salesforce cookie, the login is blocked.
          Whenever a login is blocked or returns an API login fault, Salesforce must verify the user’s identity:

      • Munira Majmundar October 1, 2015 at 6:35 pm #

        If a new browser requires new activation, would cookies not be BROWSER DEPENDENT? Browser independent cookie imply that once a cookie is placed in one browser, you can log in from any browser without re-activation.

        Pl. clarify.

        Regards,
        Munira

        • Munira Majmundar October 1, 2015 at 8:58 pm #

          Ok… My bad. I checked this issue on the Success Community. The following question is similar to the one asked by Siva. Here is the response I got from Gabriel Nitu (Salesforce).

          Orginial Question:

          IP Range QuestionIf I try to login from an IP that’s in my profile range but outside my default org wide range what will happen?

          I can login by activating my computer
          I can login without activating my computer
          I can’t login at all
          I can login with a security token

          Based on my knowlege, the Correct Answer would be the Second one:
          I can login without activating my computer

          Reaons for my answer:

          If I am login in from an IP Range that is already on my Profile range, I do not need computer activation (i.e., no verification code needed).

          @gabriel Nitu – Am I correct?

          Regards,
          Munira

          Response from Gabriel Nitu:

          If I try to login from an IP that’s in my profile range but outside my default org wide range what will happen?

          I can login by activating my computer
          I can login without activating my computer ( an user will never be challenge with the 5 digit verificatio code )
          I can’t login at all
          I can login with a security token
          =====================
          Are salesforce cookies browser dependent or independent?
          For instance, on the first attempt, I login into salesforce using IE. So, a cookies is placed in my browser.
          Next day, I login in again; however, this time, I login from Chrome. Will a new cookie be placed for Chrome?
          Is a cookie tied to a browser? So, everytime if I use a new browser, a new cookies is placed?

          Next day you will be challenged with the verification code only if the IP address is different than the previous one.
          If the IP address is the same, the login will be successful.
          The IE cookies are independent from other browser cookies.

          • JohnCoppedge October 1, 2015 at 9:34 pm #

            Looks good, nice find!

Leave a Reply