Print this page

Being Asked for an Identity Verification Code on Every Login

Knowledge Article Number 000232553

Since an IP address isn’t a reliable indicator of a user’s identity, we’ve changed our risk-based authentication protocol with the Spring '16 release.

When users log in to Salesforce from a browser or device we don’t recognize, they may be prompted to verify identity, even if they log in from an IP address authenticated before the Spring ‘16 release. Users may be prompted to verify their identity more frequently than in the past, particularly those at organizations who automatically delete browser cookies for security purposes or do not specify trusted login IP ranges under Network Access.

Identity Verification Improvement with Spring '16 User-added image


To reduce the number of identity verification prompts for your users, Salesforce recommends that you implement one or more of the following solutions.

1. Add login IP restrictions to user profiles. Specify a range of trusted IP addresses from which profile users can log in without being prompted to verify their identity. For detailed steps on how to do this, review the Restrict Login IP Addresses in the Original Profile User Interface article.

2. Change browser privacy settings to save cookies for Salesforce sites. This may be done at the admin or end user level. Before making any changes in your browser, verify with your IT department that the changes comply with your security policies.
- From Chrome browser
Settings | Show advanced settings ... | Privacy | Content Settings | Cookies | Managed Exceptions | Hostname: * | Behavior: Allow | Done
- From I.E. browser
Tools menu | Internet Options | Privacy | Sites button | Address of website: *. | Allow | OK

3. Set trusted IP ranges for your org. Specify a range of IP addresses from which all of your users can log in without being prompted to verify their identity. For detailed steps on how you may do this, review the Set Trusted IP Ranges for Your Organization article.

promote demote