          Lightning Login for Password-Free Login Control

          The control objective of restricting Lightning Login to only users with the specific "Lightning Login User" permission is to make sure that passwordless authentication is deployed as a privileged, granular access method rather than an org-wide default.

          Control Name

          Lightning Login for Password-Free Login

          Recommended Configuration

          When Lightning Login is enabled, allow it only for users who hold the Lightning Login User permission, which is assigned through the user profile. To set the restriction: Setup > Session Settings > when Allow Lightning Login is enabled > set Allow Only For Users With the Lightning Login User Permission to enabled.
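As an added example (not part of the Help article), the check below evaluates this control against a SecuritySettings file retrieved with the Metadata API. It assumes the two SessionSettings booleans are named `enableLightningLogin` and `enableLightningLoginOnlyWithUserPerm`; the sample files are constructed to show the weak state next to the recommended configuration.

```python
"""Evaluate the Lightning Login restriction in a retrieved Security.settings file.

Assumptions (not from the Help article): the element names
enableLightningLogin and enableLightningLoginOnlyWithUserPerm under
sessionSettings, and the standard Metadata API XML namespace.
"""
import xml.etree.ElementTree as ET

NS = {"md": "http://soap.sforce.com/2006/04/metadata"}

# Constructed sample: Lightning Login enabled org-wide, restriction off (weak).
WEAK_SETTINGS = """<SecuritySettings xmlns="http://soap.sforce.com/2006/04/metadata">
    <sessionSettings>
        <enableLightningLogin>true</enableLightningLogin>
        <enableLightningLoginOnlyWithUserPerm>false</enableLightningLoginOnlyWithUserPerm>
    </sessionSettings>
</SecuritySettings>"""

# The same file with the recommended configuration applied.
HARDENED_SETTINGS = WEAK_SETTINGS.replace(
    "<enableLightningLoginOnlyWithUserPerm>false",
    "<enableLightningLoginOnlyWithUserPerm>true",
)


def _flag(root, name):
    """Read a boolean sessionSettings element; a missing element counts as false."""
    node = root.find(f"md:sessionSettings/md:{name}", NS)
    return node is not None and (node.text or "").strip().lower() == "true"


def assess_lightning_login(settings_xml):
    """Return (verdict, detail) for the Lightning Login control."""
    root = ET.fromstring(settings_xml)
    enabled = _flag(root, "enableLightningLogin")
    restricted = _flag(root, "enableLightningLoginOnlyWithUserPerm")
    if not enabled:
        return "pass", "Lightning Login is not enabled at the org level"
    if restricted:
        return "pass", "Lightning Login limited to users with the Lightning Login User permission"
    # Enabled without the permission gate: any profile not covered by SSO can enroll.
    return "fail", "Lightning Login is open to all non-SSO profiles; restrict it to the permission"


if __name__ == "__main__":
    for label, xml_text in (("weak", WEAK_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        print(label, *assess_lightning_login(xml_text))
```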

          Control Overview

          The control objective of restricting Lightning Login to only users with the specific "Lightning Login User" permission is to ensure that passwordless authentication is deployed as a privileged, granular access method rather than an org-wide default. This makes sure that only authorized personnel who have been vetted and assigned the appropriate security profile can bypass traditional password entry, thereby minimizing the attack surface and preventing unauthorized or accidental enrollment in biometric-based authentication by the general user population. The risk is reduced when SSO is implemented. However, SSO may not apply to every profile: when Lightning Login is enabled, profiles that are not configured with Enable SSO still have Lightning Login available.

          Security Risk If Not Configured

          Increased risk that an unauthorized attacker who has temporarily compromised a user's session links a rogue device, creating a persistent, high-assurance path that bypasses traditional password policies and makes the account significantly harder to re-secure.

          Threat Scenarios

          An attacker who has briefly hijacked a user’s session—or a malicious insider on an unattended laptop—enrolls their own biometric-capable device for Lightning Login because the feature is not restricted by specific user permissions. Once enrolled, the attacker can bypass all future password prompts to gain persistent, high-speed access to the Salesforce org, effectively creating a permanent, untraceable backdoor into sensitive data.

          Estimated CVSS Score Range

          Critical (9.0–10.0).

          Risk Impact Considerations

          Risk severity depends on the user population size and access privileges granted upon login.

          Higher Risk When

          • Centralized user authentication (such as SSO) is not in place
          • User identity verification is not in place (MFA or others)
          • For admin users, the break-glass account is not managed in a secured vault

          Low or No Risk When

          This control is low risk when Lightning Login is not enabled at the org level. It can also be considered low risk when one or more of the following are implemented:

          • MFA enforcement or identity verification is in place: MFA is enforced for Salesforce users
          • SSO is in place for all users: centralized authentication is enforced for all user profiles
          • Break-glass account is protected: admin user accounts are excluded from SSO but secured in a Privileged Account Management vault
          • IP login restriction at the network layer: IP login restriction is applied to users with privileges to modify Setup

          Business and Integration Considerations

          Customers should evaluate which users can log in using credentials and minimize direct login with credentials.

          Recommended Remediation

          Enforce the Lightning Login restriction so that only authorized users with the Lightning Login User permission can use it.

          Security Health Review Guidance

          Security Health Review evaluates the Lightning Login setup to ensure that, when enabled, Lightning Login is configured to allow only authorized users, that is, users with the Lightning Login User permission, in alignment with zero trust and least privilege practices for securing the platform.

          Salesforce Help | Article