          Considerations for Using a Custom One-Time Password Delivery Provider

          Before you configure a custom one-time password (OTP) delivery handler to send SMS messages for Experience Cloud use cases, review these considerations.

          Required Editions

          Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience
          Available in: Professional, Enterprise, Unlimited, and Developer Editions

          Security Considerations

          • If you use custom OTP providers, your Apex implementation has access to the OTP, which isn't the case if you use the Salesforce default provider. With a custom OTP provider, your Apex handler implementation, not Salesforce, performs identity verification. You're responsible for the security and integrity of your code and implementation.
          • You can choose to deliver OTPs via alternative delivery methods, such as iMessage, Rich Communication Services (RCS), and WhatsApp. Before choosing any alternative delivery methods, carefully consider the security implications.
          • If you send an SMS message via a custom provider, and the user's phone number isn't verified, Salesforce doesn't attempt to verify it. Salesforce can’t make sure that the OTP gets delivered to a phone number that's verified by Salesforce. As a security best practice, we recommend that you verify all phone numbers and configure your handler to send OTPs only to verified phone numbers.

          To understand differences in verification for custom OTP providers and the default Salesforce provider, review these tables.

          Custom OTP Provider Verification

          | Use Case | Apex System.UserManagement Methods | TwoFactorMethodsInfo Verification Requirement: User-Verified Number (HasUserVerifiedMobileNumber) | TwoFactorMethodsInfo Verification Requirement: Admin-Verified Number (HasVerifiedMobileNumber) | TwoFactorMethodsInfo Post-Verification Result: User-Verified Number (HasUserVerifiedMobileNumber) | TwoFactorMethodsInfo Post-Verification Result: Admin-Verified Number (HasVerifiedMobileNumber) |
          |---|---|---|---|---|---|
          | Self-registration | initSelfRegistration and verifySelfRegistration | Not required | Not required | Unchanged | true |
          | Passwordless login | initPasswordlessLogin and verifyPasswordlessLogin | One of these fields must be true | One of these fields must be true | Unchanged | true |
          | Verification method registration | | Not required | Not required | Unchanged | true |
          | Verification (including multi-factor authentication) | initVerificationMethod and verifyVerificationMethod | One of these fields must be true | One of these fields must be true | Unchanged | true |

          Default OTP Provider Verification

          | Use Case | Apex System.UserManagement Methods | TwoFactorMethodsInfo Verification Requirement: User-Verified Number (HasUserVerifiedMobileNumber) | TwoFactorMethodsInfo Verification Requirement: Admin-Verified Number (HasVerifiedMobileNumber) | TwoFactorMethodsInfo Post-Verification Result: User-Verified Number (HasUserVerifiedMobileNumber) | TwoFactorMethodsInfo Post-Verification Result: Admin-Verified Number (HasVerifiedMobileNumber) |
          |---|---|---|---|---|---|
          | Self-registration | initSelfRegistration and verifySelfRegistration | Not required | Not required | true | Unchanged |
          | Passwordless login | initPasswordlessLogin and verifyPasswordlessLogin | Required | Not required | true | Unchanged |
          | Verification method registration | | Not required | Not required | true | Unchanged |
          | Verification (including multi-factor authentication) | initVerificationMethod and verifyVerificationMethod | Required | Not required | true | Unchanged |
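
One way a custom handler can enforce the recommendation to send OTPs only to verified phone numbers, following the Custom OTP Provider Verification table. This is an added example, not Salesforce's own code: the class, enum, and method names are hypothetical, and it assumes the handler's running context can query TwoFactorMethodsInfo.

```apex
// Added example. OtpRecipientGuard, OtpUseCase and isDeliveryAllowed are
// hypothetical names; call the guard from your handler before the OTP is
// passed to the delivery provider.
public class OtpRecipientGuard {
    // The four use cases listed in the Custom OTP Provider Verification table.
    public enum OtpUseCase {
        SELF_REGISTRATION,
        PASSWORDLESS_LOGIN,
        METHOD_REGISTRATION,
        VERIFICATION
    }

    // Returns true only when the handler may hand the OTP to the provider.
    public static Boolean isDeliveryAllowed(Id userId, OtpUseCase useCase) {
        // The table lists no verification requirement for the two
        // registration flows, so they are not blocked here.
        if (useCase == OtpUseCase.SELF_REGISTRATION
                || useCase == OtpUseCase.METHOD_REGISTRATION) {
            return true;
        }
        if (userId == null) {
            return false; // fail closed: nothing to look up
        }
        List<TwoFactorMethodsInfo> rows = [
            SELECT HasUserVerifiedMobileNumber, HasVerifiedMobileNumber
            FROM TwoFactorMethodsInfo
            WHERE UserId = :userId
            LIMIT 1
        ];
        if (rows.isEmpty()) {
            return false; // fail closed: no verification record for this user
        }
        TwoFactorMethodsInfo info = rows[0];
        // Passwordless login and verification: one of these fields must be
        // true. Comparing with == true also treats a null field as unverified.
        return info.HasUserVerifiedMobileNumber == true
            || info.HasVerifiedMobileNumber == true;
    }
}
```

When the guard returns false, the handler should skip the provider call entirely so that the OTP never leaves the org for an unverified number.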

          Other Implementation Considerations

          • This feature is supported only for Salesforce Customer Identity. You can't use it for internal users, also known as employees.
          • This feature is supported for all Experience Cloud user licenses and the External Identity license. It doesn't require the Identity Verification Credits add-on license.
          • Because this feature relies on a custom provider to deliver the message, Salesforce Customer Support can't troubleshoot issues with delivery. To fix delivery issues, work with your provider.
          • You must contact Salesforce Customer Support to use this feature. If Support gives you access to this feature, you have the option to configure a custom OTP provider for all Experience Cloud sites in your org. To keep your OTP delivery method consistent, if you request access to this feature, we recommend using a custom OTP provider for all your Experience Cloud sites. However, if you don't configure a custom OTP delivery Apex handler for a site, it continues to use the Salesforce default delivery service.
          • If Support gives you access to this feature, it isn't automatically enabled. To use this feature, you must add a working custom OTP delivery handler to your Experience Cloud site's settings.
          • If you switch to using a custom OTP provider, we don't recommend that you switch back to the Salesforce default provider.