How to troubleshoot Two-Factor Authentication Issues

Knowledge Article Number 000229860
Description


Time-Based Token will be renamed to "App Registration One-Time Password Generator" in the Salesforce Classic UI as well as in the new Lightning UI.

The "App Registration One-Time Password Generator" can be enabled from your User record:

 

  • From Salesforce classic UI, select Setup | Manage Users | Users | click on the username |  Time-Based Token.
  • From New Lightning UI, click on top-right Gear | Setup Home | Users | Users | click on the username | App Registration One-Time Password Generator


Learn how to enable Two-Factor Authentication

Two commonly known authenticator apps are Salesforce Authenticator and Google Authenticator.

Important:

 

  • Android users have to install the barcode scanner by "ZXing Team."
  • Keep in mind that the mobile device time must always match the computer time and the official time (www.time.gov); otherwise, an invalid token error will be generated.
  • After 5 invalid login attempts (using the correct username and password 5 times but an invalid time-based token), the user will be locked for 1 hour.


  • Let users who aren’t Salesforce admins provide support for two-factor authentication in your org. For example, suppose you want your company’s Help Desk staff to generate temporary verification codes for users who lost or forgot the device they usually use for two-factor authentication. Assign Help Desk staff members the “Manage Two-Factor Authentication in User Interface” permission so that they can generate codes and support end users with other two-factor authentication tasks. 
    Delegate Two-Factor Authentication Management Tasks
  • When you can’t access the device you usually use for two-factor authentication, ask your Salesforce admin to give you a temporary identity verification code. The code is valid for 1 to 24 hours. Your admin sets the expiration time, but you can expire the code early if you no longer need it. Instructions can be found here: Verify Your Identity with a Temporary Code  /  Generate a Temporary Identity Verification Code 
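
The time-match requirement in the Important notes above follows from how time-based tokens are computed. The sketch below is an added example, not Salesforce code: it implements standard RFC 6238 TOTP with assumed parameters (HMAC-SHA1, 30-second step, 6 digits), a hypothetical verifier with an assumed acceptance `window`, and the RFC's published test key as a constructed secret.

```python
import hashlib
import hmac
import struct

# Constructed sample secret: the published RFC 6238 SHA-1 test key, not a real user secret.
SECRET = b"12345678901234567890"

def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 code for the time step containing unix_time (HMAC-SHA1, RFC 4226 truncation)."""
    counter = int(unix_time // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret: bytes, code: str, server_time: float, window: int = 1, step: int = 30):
    """Return the step offset at which `code` matches, or None if it is rejected.

    `window` (assumed, hypothetical) is how many steps either side of the
    server's current step the verifier tolerates.
    """
    for drift in sorted(range(-window, window + 1), key=abs):
        expected = totp(secret, server_time + drift * step, step)
        if hmac.compare_digest(expected, code):
            return drift
    return None

def diagnose(secret: bytes, server_time: float, device_clock_error: float, window: int = 1):
    """Simulate a device whose clock is off by device_clock_error seconds."""
    code = totp(secret, server_time + device_clock_error)
    return verify(secret, code, server_time, window)

if __name__ == "__main__":
    now = 1111111109  # constructed timestamp, 29 s into a 30 s step
    for error in (0, 2, 300):
        for window in (0, 1):
            result = diagnose(SECRET, now, error, window)
            verdict = "rejected" if result is None else f"accepted at step offset {result:+d}"
            print(f"clock error {error:>3}s, window {window}: {verdict}")
```

With a strict verifier (window 0), a device that is only 2 seconds fast is rejected when the login falls near a step boundary, and a device that is 5 minutes off is rejected even with a one-step tolerance.
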
Resolution

Below are some troubleshooting steps that a system administrator can conduct if their users are encountering Two-Factor Authentication issues:

  • From Salesforce classic UI, select Setup | Manage Users | Users | click on the username. 
  • From New Lightning UI, click on top right Gear | Setup Home | Users | Users | click on the username. 
  • Locate the App Registration One-Time Password Generator (Time-Based Token) field on the affected user record.
  • Click on the Remove option next to App Registration One-Time Password Generator (Time-Based Token). By removing it, the system will generate a new QR code to be scanned by the user upon login.
  • The user has to download the Salesforce Authenticator or Google Authenticator on their mobile device and confirm that they have a QR code scanner. Links: (Apple Version for Google Authenticator) (Android Version for Google Authenticator).
  • After the user logs in with Salesforce username and password, the QR code needs to be scanned, to generate a token:

  • The user has to use the Salesforce Authenticator app already installed on their mobile device to scan the QR code to create a time-based token code.
  • As soon as the QR code is scanned, have the affected user type the code generated by the Authenticator app into the box displayed under the QR code.
  • Click on the "Verify and login" button once the code is entered, and the user will be logged in.

Note: If you're getting an error on the mobile device when attempting to replace an old time-based token, please swipe left to remove the time token.



Enhancing Security with Two-Factor Authentication video tutorial (6:56 minutes)
Introduction to Salesforce Authenticator video tutorial

Instructions to set up the Salesforce Authenticator app with user accounts can be found HERE

How to enable Trusted Locations and how to use Push Notifications
 
  • You need to enable "Location" from your mobile device Settings.
  • When you log in from a new device or browser, the Salesforce Authenticator app will send a notification.



 
See Trusted Locations and how to clear Trusted Locations
 
1. Open the Salesforce Authenticator app
2. Tap the account you want to see the Trusted Locations for.
3. Tap the Gear icon in the top right. 
4. Tap the button for the action you'd like to take. 
