          API (Enable OAuth Settings): Enable for Device Flow - Deselected Control

          This security setting manages the availability of the device authorization flow, which allows users to authorize a connected application on a resource-constrained device.

          Control Name

          Connected Apps: API (Enable OAuth Settings): Enable for Device Flow - Deselected

          Recommended Configuration

          Enable for Device Flow - Deselected.

          Control Overview

          This security setting manages the availability of the device authorization flow, which allows users to authorize a connected application on a resource-constrained device by entering a short code on a separate web-connected secondary device.

          Security Risk If Not Configured

          Enabling insecure device login flows for integrations leads to a vulnerability in which unauthorized device linking enables full account session takeover by bypassing standard browser-based security controls.

          Threat Scenarios

          An attacker uses social engineering to convince a user to enter a malicious authorization code into a legitimate Salesforce verification page, thereby granting the attacker’s rogue device persistent access to the user’s session and data.

          Estimated CVSS Score Range

          High (7.0–8.9).

          Risk Impact Considerations

          Failure to restrict this flow enables generation of long-lived access and refresh tokens without the protection of robust mutual authentication, potentially leading to undetected lateral movement within the org environment.

          Higher Risk When

          When the connected application is granted broad scopes, or when the company lacks real-time monitoring to detect anomalous code-entry patterns from untrusted geographic locations.

          Low Risk When

          If the company mandates multi-factor authentication for all verification attempts and enforces strict IP-based restrictions for the secondary devices used to complete the authorization process.

          Business and Integration Considerations

          While this flow is designed for clients with limited input capabilities, such as smart displays or command-line tools, modern security standards favor more secure methods such as the authorization code flow with Proof Key for Code Exchange (PKCE).
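The alternative the page names, the authorization code flow with PKCE, replaces the typed user code with a secret the client proves possession of. The derivation below (RFC 7636, S256 method) is an added example and not Salesforce code; the verifier length and the `server_verifies` helper are choices made here, and the expected values come from RFC 7636 Appendix B.

```python
import base64
import hashlib
import secrets


def make_code_verifier(length=64):
    """Generate a PKCE code_verifier of `length` unreserved characters (RFC 7636 allows 43..128).

    token_urlsafe() only emits [A-Za-z0-9_-], all of which are permitted verifier characters.
    """
    if not 43 <= length <= 128:
        raise ValueError("code_verifier must be 43..128 characters")
    return secrets.token_urlsafe(96)[:length]


def code_challenge_s256(code_verifier):
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) without '=' padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def server_verifies(stored_challenge, presented_verifier):
    """What the token endpoint does when the client redeems the authorization code.

    The challenge was sent with the authorization request; the verifier is sent only now,
    so an authorization code observed in transit cannot be redeemed without the verifier.
    Constant-time comparison avoids leaking how many leading characters matched.
    """
    return secrets.compare_digest(code_challenge_s256(presented_verifier), stored_challenge)


if __name__ == "__main__":
    verifier = make_code_verifier()
    challenge = code_challenge_s256(verifier)
    print(len(verifier), challenge, server_verifies(challenge, verifier))
```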

          Recommended Remediation

          Go to the API (Enable OAuth Settings) section of the Connected App and make sure the checkbox for Enable for Device Flow is deselected to prevent this specific authorization method.
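To make the Control Overview and the remediation concrete, here is an added, constructed model of the device authorization grant (RFC 8628) with a per-app "device flow enabled" switch standing in for the checkbox above. It is illustrative code written for this page, not Salesforce's implementation; the client IDs, the verification URI and the audit event names are placeholders. It shows the three legs of the flow (device asks for a code pair, user enters the short code on a logged-in secondary device, device polls for tokens), the expiry and polling-rate rules, and how the deselected control refuses the grant before any user code exists.

```python
import secrets
import time

USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"  # consonants only, as RFC 8628 section 6.1 suggests
USER_CODE_LIFETIME = 600  # seconds a user code stays valid
POLL_INTERVAL = 5         # minimum seconds between token polls


class DeviceFlowError(Exception):
    """Carries an OAuth error code such as 'authorization_pending' or 'unauthorized_client'."""

    def __init__(self, code):
        super().__init__(code)
        self.code = code


def normalize_user_code(text):
    # The user types the code on a separate device; accept hyphens, spaces and lower case.
    return "".join(ch for ch in text.upper() if ch.isalpha())


class AuthorizationServer:
    def __init__(self, apps, clock=time.time):
        self.apps = apps            # client_id -> {"device_flow_enabled": bool}  (constructed config)
        self.clock = clock          # injectable clock so expiry can be exercised
        self.pending = {}           # device_code -> authorization record
        self.by_user_code = {}      # normalized user code -> device_code
        self.audit = []             # events a SOC would feed into monitoring

    def device_authorization(self, client_id, scope):
        """Device endpoint: the input-constrained client asks for a device/user code pair."""
        app = self.apps.get(client_id)
        if app is None or not app["device_flow_enabled"]:
            # "Enable for Device Flow" deselected: the grant is refused outright.
            self.audit.append(("device_flow_refused", client_id))
            raise DeviceFlowError("unauthorized_client")
        device_code = secrets.token_urlsafe(32)
        letters = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8))
        self.pending[device_code] = {
            "client_id": client_id, "scope": scope,
            "expires_at": self.clock() + USER_CODE_LIFETIME,
            "decision": None, "user": None, "last_poll": None,
        }
        self.by_user_code[letters] = device_code
        self.audit.append(("device_code_issued", client_id))
        return {"device_code": device_code, "user_code": letters[:4] + "-" + letters[4:],
                "verification_uri": "https://login.example/device",  # placeholder
                "expires_in": USER_CODE_LIFETIME, "interval": POLL_INTERVAL}

    def verify_user_code(self, typed_code, user, approve, source_ip):
        """Verification page on the secondary device, reached only after the user has logged in."""
        device_code = self.by_user_code.get(normalize_user_code(typed_code))
        rec = self.pending.get(device_code)
        if rec is None or self.clock() > rec["expires_at"]:
            self.audit.append(("code_entry_invalid", user, source_ip))
            raise DeviceFlowError("invalid_user_code")
        rec["decision"] = "approved" if approve else "denied"
        rec["user"] = user
        # Every code entry is logged with the user and source IP so that anomalous
        # code-entry patterns (the monitoring gap named under "Higher Risk When") are visible.
        self.audit.append(("code_entry", user, source_ip, rec["client_id"], rec["decision"]))
        return {"client_id": rec["client_id"], "scope": rec["scope"], "decision": rec["decision"]}

    def token(self, client_id, device_code):
        """Token endpoint polled by the device until the user decides or the code expires."""
        rec = self.pending.get(device_code)
        if rec is None or rec["client_id"] != client_id:
            raise DeviceFlowError("invalid_grant")
        now = self.clock()
        if now > rec["expires_at"]:
            self.pending.pop(device_code)
            raise DeviceFlowError("expired_token")
        if rec["last_poll"] is not None and now - rec["last_poll"] < POLL_INTERVAL:
            raise DeviceFlowError("slow_down")
        rec["last_poll"] = now
        if rec["decision"] is None:
            raise DeviceFlowError("authorization_pending")
        self.pending.pop(device_code)
        if rec["decision"] == "denied":
            raise DeviceFlowError("access_denied")
        self.audit.append(("tokens_issued", client_id, rec["user"]))
        return {"access_token": secrets.token_urlsafe(32), "refresh_token": secrets.token_urlsafe(32),
                "scope": rec["scope"], "user": rec["user"]}


def attempt(fn, *args, **kwargs):
    """Run a server call and return ('ok', result) or ('error', oauth_error_code)."""
    try:
        return ("ok", fn(*args, **kwargs))
    except DeviceFlowError as err:
        return ("error", err.code)


if __name__ == "__main__":
    server = AuthorizationServer({"cli-tool": {"device_flow_enabled": False}})  # constructed app config
    print(attempt(server.device_authorization, "cli-tool", "api refresh_token"))  # ('error', 'unauthorized_client')
```

Note that the only thing linking the device to the user's session is the short code typed on the verification page, which is why the model refuses the grant at the device endpoint when the app's switch is off rather than relying on the verification step; the audit list shows the events worth alerting on when the flow does have to stay enabled.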

          Security Health Review Guidance

          Security Health Review identifies the restriction of device login flows as a strongly recommended standard to minimize the company's attack surface and prevent the exploitation of secondary-device verification for session hijacking.

          Salesforce Help | Article