Say goodbye to the hassle of weak passwords, forgotten passwords, and locked-out accounts. Give your users the enhanced speed, convenience, and security of password-free logins. Enable Lightning Login, assign the required permission to your users, and encourage them to individually enroll in Lightning Login.
|Available in: Both Salesforce Classic and Lightning Experience|
|Available in: Contact Manager, Database.com, Developer, Enterprise, Group, Performance, Professional, and Unlimited Editions|
|To edit system permissions in profiles:||“Manage Profiles and Permission Sets”|
|To enable Lightning Login:||“Customize Application”|
Password-free logins rely on Salesforce Authenticator (version 2 or later), the two-factor authentication mobile app that’s available as a free download for iOS and Android devices. Lightning Logins add a layer of security by requiring two factors of authentication for login.
- The first factor is something that the user has—a mobile device that has Salesforce Authenticator installed and connected with the user’s Salesforce account.
- The second factor is something that the user is, such as a fingerprint, or something that the user knows, such as a PIN. The second level of authentication enhances security by requiring access to the mobile device and the user’s fingerprint or PIN.
Lightning Login isn’t limited to orgs using Lightning Experience. It works in Salesforce Classic, too.
From Setup, enter Session Settings in the Quick Find box, then select Session Settings.
Review the default settings for Lightning Login.
Make sure that Allow Lightning Login is enabled.
This setting makes the feature available, although no one can enroll until you assign them the “Lightning Login User” user permission. You can disable Allow Lightning Login at any time, to switch all users back to username and password logins.
Confirm that a High Assurance session security level is appropriate for this login method.
A Lightning Login establishes a High Assurance security level for the user’s session. If needed, you can change the security level to Standard, which is the default security level for the Username Password method that Lightning Login typically replaces.
Assign the “Lightning Login User” permission to users in the user profile (for cloned or custom profiles only) or permission set. Lightning Login isn’t supported for external users.
Consider these points about how Lightning Login relates to other login, identity verification, and two-factor authentication features.
- You can monitor your users’ Lightning Login activity using Login History or Identity Verification History tools.
- If enrolled users attempt a Lightning Login from an unrecognized browser or device, Salesforce requires login using username and password, along with identity verification.
- If an enrolled user previously logged in from a browser and selected Remember me, login hints on the login page show a lightning bolt next to past usernames that are Lightning Login–enabled.
For Lightning Login to display login hints properly in the Apple Safari browser, change the “Cookies and website data” option in the browser. Advise your users to change it from “Allow from websites I visit” to “Always allows.”
- If your org sets a two-factor authentication policy for logins, the Lightning Login method satisfies the second factor requirement. Salesforce does not separately require users with the “Two-Factor Authentication for User Interface Logins” permission to provide a second factor.
- If your org has defined a transaction security policy that requires two-factor authentication, Lightning Login isn’t supported. Enrolled users who attempt a Lightning Login must use log in with username and password instead.