          Define Identity Verification Settings for Your Orgs and Experience Cloud Sites

          Define how and when users verify their identity for an entire org or Experience Cloud site.

          Required Editions

          Available in: all editions
          User Permissions Needed
          To modify identity verification settings: Customize Application

          In addition to these settings, you can send async email verifications to ensure that users are registered with a valid email address. See Verify Email Addresses with Async Email.

          1. From Setup, in the Quick Find box, enter Identity, and then select Identity Verification.
          2. Customize the identity verification settings and save your changes.
          Let Salesforce Authenticator automatically verify identities using geolocation

          Allows Salesforce Authenticator to use the phone's location services to automatically verify a user's identity. If a user saves and automates a request, the app automatically approves future requests with matching factors. If some of the factors don't match the saved request, the user must respond to a push notification or enter a TOTP code.

          Let Salesforce Authenticator automatically verify identities based on trusted IP addresses only

          Allows Salesforce Authenticator to use trusted IP ranges to verify a user's identity. When users are located within trusted IP address ranges, they aren't prompted to verify their identity. If users are outside the trusted IP address ranges, they're prompted to verify their identity.

          Let users verify their identity with a built-in authenticator such as Touch ID or Windows Hello

          Permits the use of a built-in authenticator for multi-factor authentication (MFA) and identity verification. Users can verify their identity with a biometric reader such as a fingerprint, iris, or facial recognition scanner that's built into their device. Some built-in authenticators also let users enter a PIN or password.

          Let users verify their identity with a physical security key (U2F or WebAuthn)

          Permits the use of a U2F or WebAuthn security key for multi-factor authentication (MFA) and identity verification. Users insert their registered security key into the appropriate port to complete verification.
          Let users verify their identity by text (SMS)

          Available only for external users logging in to customer or partner Experience Cloud sites.

          Allows users to receive an identity verification code in a text message. Users must verify their phone number before they can receive identity verification codes by text. This setting is enabled by default for all orgs. A verification code is valid for 24 hours. If the code isn’t used during that time, you can generate a new verification code by reinitializing initSelfRegistration.

          For a list of supported countries, see Countries Supported for SMS Identity Verification.

          To disable SMS as a method of verification, contact Salesforce support. The email method of identity verification can’t be disabled.

          Prevent identity verification by email when other methods are registered

          Allows users to get verification codes by email only if no other identity verification method has been verified. Other verification methods include Salesforce Authenticator, SMS, time-based one-time password (TOTP), and physical security key (U2F or WebAuthn). This setting is enabled by default for all orgs. A verification code is valid for 24 hours. If the code isn't used during that time, you can generate a new verification code by reinitializing initSelfRegistration.
          Require multi-factor authentication (MFA) for all direct UI logins to your Salesforce org

          Requires all users in your Salesforce org to provide an additional verification method when logging in directly to the UI with their username and password. Users who are already enabled via the Multi-Factor Authentication for User Interface Logins user permission experience no change. The Waive Multi-Factor Authentication for Exempt Users user permission overrides this setting. For details about this setting, see Enable MFA for Your Entire Salesforce Org.

          Multi-factor authentication is contractually required when users access Salesforce. To help customers satisfy the requirement, this setting is automatically enabled for production orgs. For full details about the MFA requirement, see the Salesforce Multi-Factor Authentication FAQ.

          Show all verification method registration options instead of starting with built-in authenticators

          By default, verification method registration starts with a screen to register a built-in authenticator. This setting changes the experience so users can choose from a list of available methods, such as security keys and Salesforce Authenticator. Methods are available only if you enable them.

          Require identity verification during multi-factor authentication (MFA) registration

          Requires users to confirm their identity before adding an MFA verification method to their account. If this setting is disabled, users must log in again to add an MFA verification method.

          Let users authenticate with a certificate

          Enables certificate-based authentication, which uses PEM-encoded X.509 digital certificates to authenticate individual users to your org.

          Check the revocation status of certificates

          Checks certificate revocation status using the Online Certificate Status Protocol (OCSP) or a Certificate Revocation List (CRL).
          Require identity verification for email address changes

          Requires users to log in again and confirm their identity before their email address change takes effect. Users verify their identity using a registered verification method, such as Salesforce Authenticator, SMS, or email.

          If the user’s verification method is email, the verification code is sent to the user’s previously registered email address rather than the new email address.

          Require email confirmations for email address changes (applies to users in Experience Builder sites)

          Requires Experience Cloud site users to confirm that they own the new email address. When users change their email address, they receive a confirmation link at their new email address. After they click the link, their new email address takes effect. If an admin changes the site user's email address, the site user doesn't receive an email confirmation. Email confirmations are enabled by default for orgs created in Winter ’20 and later. For orgs created before Winter ’20, Salesforce recommends that you enable this option as a security precaution. This option doesn’t apply to employees.

          By default, site users also receive an email confirmation when they change their own username. If an admin changes the username of a site user, the site user doesn't receive an email confirmation. This feature allows admins to change usernames for site users without notifying them. However, if an admin changes an employee's username, the employee receives an email confirmation.

          As of the Spring '22 release, users are prompted to verify their unverified email addresses.

          You can’t disable this setting by calling REST API via Apex. For more information, see this known issue.

          Require security tokens for API logins from callouts (API version 31.0 and earlier)

          Requires the use of security tokens for API logins from callouts in API version 31.0 and earlier, for example Apex callouts or callouts that use the AJAX proxy. In API version 32.0 and later, security tokens are required by default.

          Display a confirmation page during password reset

          Displays an intermediate confirmation page after a user clicks the password reset link sent to their email. The link remains valid until the user clicks Reset Password on the confirmation page, or until it expires after 24 hours. This setting prevents users and email security tools (for example, link scanners that fetch every URL in a message) from accidentally invalidating the password reset link. We recommend that you keep this setting enabled. If you disable this setting, the link becomes invalid as soon as it's clicked or scanned, and a user who clicks the link without completing the password reset must restart the process.
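The following is an added example, not Salesforce code, that models why the confirmation page matters: a reset token that is consumed only by an explicit POST from the confirmation page survives a mail-security scanner fetching the link first, while a token consumed on the first GET does not. It also shows the 24-hour expiry and single-use behaviour. The class and function names (ResetService, request_reset, open_link, confirm_reset) and the constructed sample addresses are hypothetical and assumed here for illustration.

```python
"""Added example: minimal model of the "Display a confirmation page during
password reset" behaviour. Names are hypothetical, not Salesforce APIs."""
import hashlib
import secrets
from datetime import datetime, timedelta, timezone

LINK_LIFETIME = timedelta(hours=24)   # matches the 24-hour validity described above


class ResetService:
    """In-memory reset-token store. Tokens are stored as SHA-256 digests so a
    leaked table cannot be replayed as working links."""

    def __init__(self, confirmation_page=True, clock=None):
        self.confirmation_page = confirmation_page            # the org setting
        self.clock = clock or (lambda: datetime.now(timezone.utc))
        self._tokens = {}                                     # digest -> (user, expires_at)

    def request_reset(self, user):
        """Mint the token that is embedded in the emailed link."""
        token = secrets.token_urlsafe(32)
        self._tokens[self._digest(token)] = (user, self.clock() + LINK_LIFETIME)
        return token

    def open_link(self, token):
        """GET of the emailed URL: a human click or a mail-security scanner."""
        key = self._live_key(token)
        if key is None:
            return "invalid"
        if self.confirmation_page:
            return "confirmation_page"   # token untouched until the user posts
        user, _ = self._tokens.pop(key)  # setting off: the first GET consumes it
        return f"reset_form:{user}"

    def confirm_reset(self, token):
        """POST from the Reset Password button on the confirmation page."""
        key = self._live_key(token)
        if key is None:
            return "invalid"
        user, _ = self._tokens.pop(key)  # single use
        return f"reset_form:{user}"

    def _live_key(self, token):
        """Return the store key if the token exists and is unexpired."""
        key = self._digest(token)
        entry = self._tokens.get(key)
        if entry is None:
            return None
        if self.clock() >= entry[1]:     # expired: purge and reject
            del self._tokens[key]
            return None
        return key

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()


def scanner_then_user(confirmation_page):
    """A mail-security tool fetches the link before the user does (constructed)."""
    svc = ResetService(confirmation_page=confirmation_page)
    token = svc.request_reset("alice@example.com")
    scanner = svc.open_link(token)
    user = svc.open_link(token)
    if user == "confirmation_page":
        user = svc.confirm_reset(token)
    return scanner, user


def expired_link():
    """The link is rejected once 24 hours have passed (clock is injected)."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    now = [t0]
    svc = ResetService(clock=lambda: now[0])
    token = svc.request_reset("bob@example.com")
    now[0] = t0 + LINK_LIFETIME
    return svc.open_link(token)


def reused_link():
    """A token cannot be confirmed twice."""
    svc = ResetService()
    token = svc.request_reset("carol@example.com")
    first = svc.confirm_reset(token)
    return first, svc.confirm_reset(token)


if __name__ == "__main__":
    print(scanner_then_user(True))    # ('confirmation_page', 'reset_form:alice@example.com')
    print(scanner_then_user(False))   # ('reset_form:alice@example.com', 'invalid')
```

With the setting on, the scanner's prefetch returns the confirmation page and leaves the token live, so the user's later POST still succeeds; with it off, the scanner's GET consumes the token and the user sees an invalid link.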
          Salesforce Help | Article