          Identity Verification Control
          Control Name

          Identity Verification

          Recommended Configuration

          Configure, validate, and regularly review the user identity verification setup to make sure it is configured correctly and aligns with business processes.

          Control Overview

          The control objective of Identity Verification settings in Salesforce is to enforce risk-based authentication by requiring users to provide secondary proof of identity whenever their login context changes.

          Security Risk If Not Configured

          The primary risk is that a single compromised password becomes a direct gateway to your data, as there is no secondary check to verify that the user is who they claim to be. This allows attackers to log in from unauthorized devices or locations undetected, leading to silent account takeovers and mass data exfiltration.

          Threat Scenarios

          Without Identity Verification configured, a single leaked password becomes a path for attackers to log in from any unrecognized device or IP address without triggering a second-factor challenge. This lets an attacker bypass the usual security checkpoints and immediately exfiltrate sensitive data.

          Estimated CVSS Score Range

          Critical (9.0–10.0).

          Risk Impact Considerations

          Risk severity depends on the type of users and how they access the application, the size of the user population, and the access privileges granted upon login.

          Higher Risk When

          The user verification setup does not use strong assertion methods, and users are granted excessive permission scopes.

          Low or No Risk When

          This control can be considered low risk when one or more of the following are implemented:

          • IP Login Restriction: IP login restrictions are applied to users with privileges to modify the setup.
          • Secure Attribute Mapping: User attributes and provisioning rules are tightly scoped to enforce least privilege.
          • Login Timeout: Users are automatically logged out of the service provider when they log out of Salesforce.
          • MFA Enforcement: MFA is enforced for Salesforce users.

          Business and Integration Considerations

          Customers should evaluate business justification for each verification method and ensure alignment with access policies, regulatory requirements, and user experience expectations.

          Recommended Remediation

          Review all configured user verification methods to make sure they align with enterprise security policy.

          Security Health Review Guidance

          Security Health Review identifies the key identity verification settings configured in Salesforce, including MFA setup, the identity verification requirement for email changes, and password reset notifications, to help customers reduce identity federation risk in alignment with Salesforce-recommended security baselines and Zero Trust principles.

           
          Salesforce Help | Article