          Session Security Level Policies Control

          The control objective of High-Assurance Session Security is to enforce "Step-up Authentication" for high-risk operations.

          Control Name

          Session Security Level - High Assurance Session Security

          Recommended Configuration

          Enable High Assurance for the following settings under Setup > Identity Verification:

          • Reports and Dashboards—Controls access to reports and dashboards. This setting is also available on the Reports and Dashboards Access Policies page. You can change this setting in either location.
          • Manage Encryption Keys—Controls access to the Platform Encryption page, the Certificate and Key Management Setup page, and the TenantSecret object.
          • Manage Auth. Providers—Controls access to the Auth. Providers page, the User Details Setup page, and the AuthProvider object.
          • Manage Certificates—Controls access to the Certificate and Key Management Setup page, Single Sign-On Settings Setup page, and the Certificate object.
          • Manage Connected Apps—Controls access to the Connected Apps Setup pages and the App Manager Setup page.
          • Manage Data Export—Controls access to the Data Export Setup page.
          • Manage IP Addresses—Controls access to the Network Access Setup page.
          • Manage Login Access Policies—Controls access to the Login Access Policies Setup page.
          • Manage Password Policies—Controls access to the Password Policies Setup page and profile details.
          • Manage Permission Sets and Profiles—Controls access to the Permission Sets and Profile Setup pages and related objects.
          • Manage Roles—Controls access to the Roles Setup page, the UserRole object, and the Role object in Metadata API.
          • Manage Sharing—Controls access to the Sharing Settings Setup page, the SharingRules object, and the CustomObject’s sharingModel field in Metadata API.
          • Manage multi-factor authentication in API—Controls access to the VerificationHistory, TwoFactorInfo, and TwoFactorTempCode objects.
          • Manage multi-factor authentication in User Interface—Controls access to the Identity Verification History Setup page and the VerificationHistory, TwoFactorInfo, and TwoFactorTempCode objects.
          • Manage Users—Controls access to the Users Setup page.
          • Unlock Users and Reset Passwords—Controls permission to reset passwords and unlock users on the Users Setup page.
          • View Health Check—Controls access to the Health Check Setup page.

          Control Overview

          The control objective of High-Assurance Session Security is to enforce "Step-up Authentication" for high-risk operations, ensuring that sensitive actions like data exports or administrative changes require a secondary multi-factor challenge even within an active session. This granular access control prevents a single successful login from granting unconditional power, effectively neutralizing threats from session hijacking or unauthorized physical access to an unlocked workstation.

          Security Risk If Not Configured

          Without High-Assurance session security, a single successful login—even from a trusted device—grants a user access to sensitive operations such as exporting reports or managing encryption.

          Threat Scenarios

          An attacker who hijacks an active user session—or a malicious insider on an unlocked terminal—can silently execute high-impact actions like mass data exports or permission changes because no secondary authentication is required for these specific operations.

          Estimated CVSS Score Range

          High (7.0–8.9).

          Risk Impact Considerations

          Risk severity depends on user privilege levels, sharing rules, and the authentication mechanisms used.

          Higher Risk When

          Salesforce authentication relies on weak password standards, MFA is not enforced, or trusted IP ranges are not set up.

          Low Risk When

          This control can be considered low risk when one or more compensating controls are implemented, including:

          • Multi-Factor Authentication: MFA is enforced at the IdP or via Salesforce high-assurance authentication policies.
          • Login IP Allowlist: Restrict login IP ranges on user profiles so that logins originate from a trusted network.
          • Single Logout: Terminate all sessions when a user logs out.
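The recommended configuration list and the risk model above (all listed operations stepped up to High Assurance, with MFA, a login IP allowlist or single logout as compensating controls) can be turned into a repeatable posture check. The following is an added example, not Salesforce code or a Salesforce API: it takes a hand-built snapshot of what an administrator would read off Setup > Identity Verification (the `OrgPosture` shape and the sample values are constructed for this example; Salesforce's real export and Metadata API formats are not modelled) and reports which operations are still reachable in a standard session, the resulting risk rating, and the Setup steps still outstanding.

```python
"""Posture check for the High-Assurance session security control.

Added example, not Salesforce's own code. The input is a constructed
snapshot of Setup > Identity Verification and related login settings;
Salesforce's real export or Metadata API shapes are not modelled here.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Operations the control expects to require a High Assurance session,
# named as they appear on the Identity Verification settings page.
HIGH_ASSURANCE_OPERATIONS = (
    "Reports and Dashboards",
    "Manage Encryption Keys",
    "Manage Auth. Providers",
    "Manage Certificates",
    "Manage Connected Apps",
    "Manage Data Export",
    "Manage IP Addresses",
    "Manage Login Access Policies",
    "Manage Password Policies",
    "Manage Permission Sets and Profiles",
    "Manage Roles",
    "Manage Sharing",
    "Manage multi-factor authentication in API",
    "Manage multi-factor authentication in User Interface",
    "Manage Users",
    "Unlock Users and Reset Passwords",
    "View Health Check",
)


@dataclass
class OrgPosture:
    """Hypothetical snapshot of an org's session-security posture (assumed shape)."""
    # operation name -> True when a High Assurance session is required for it
    high_assurance: Dict[str, bool] = field(default_factory=dict)
    # compensating controls from the "Low Risk When" list
    mfa_enforced: bool = False
    login_ip_allowlist: bool = False
    single_logout: bool = False


@dataclass
class Finding:
    missing: List[str]        # operations still reachable in a standard session
    compensating: List[str]   # compensating controls that are present
    risk: str                 # "Compliant", "Low" or "High"


def evaluate(posture: OrgPosture) -> Finding:
    """Rate the control: compliant only when every operation is High Assurance;
    otherwise the rating drops to Low only if a compensating control exists."""
    missing = [op for op in HIGH_ASSURANCE_OPERATIONS
               if not posture.high_assurance.get(op, False)]
    compensating = [name for name, present in (
        ("MFA enforced", posture.mfa_enforced),
        ("Login IP allowlist", posture.login_ip_allowlist),
        ("Single logout", posture.single_logout),
    ) if present]
    if not missing:
        risk = "Compliant"
    elif compensating:
        risk = "Low"
    else:
        risk = "High"
    return Finding(missing, compensating, risk)


def remediation(finding: Finding) -> List[str]:
    """Setup steps an administrator still has to perform."""
    return [f"Setup > Identity Verification: set '{op}' to High Assurance"
            for op in finding.missing]


# Constructed sample: only two operations stepped up, no compensating controls.
SAMPLE_POSTURE = OrgPosture(
    high_assurance={"Reports and Dashboards": True, "Manage Data Export": True},
)

if __name__ == "__main__":
    result = evaluate(SAMPLE_POSTURE)
    print(f"Risk: {result.risk}; {len(result.missing)} operations not stepped up")
    for step in remediation(result):
        print(" -", step)
```

The rating logic mirrors the page's own rule: any operation left at the standard session level is a gap, and the gap is downgraded to Low only when at least one of the listed compensating controls is in place. Feeding the check a snapshot with MFA enforced but the same two operations stepped up yields a Low rating with fifteen outstanding remediation steps, which is the case the "Low Risk When" list describes.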

          Business and Integration Considerations

          Customers should consider their own business processes and their company's policies and standards for sensitive operations.

          Recommended Remediation

          Implement the High-Assurance settings as needed to secure sensitive operations and to align with enterprise security policies and standards.

          Security Health Review Guidance

          Implement the High-Assurance settings as needed.

          Salesforce Help | Article