Note: A previous login from the same IP address may no longer bypass computer activation. Please see Improved Security for Device Activation in the Spring’16 Release Notes.
75 Responses to “User Authentication”
Hi John,
Below is my understanding regarding the login process in Salesforce. Please correct me if I am wrong.
If a user tries to log in to SF:
1> Outside login hours
No matter what IP range (profile/org level) -----> user blocked
2> Inside login hours
If the user has a login IP range (profile-level) set, it will not look at the trusted IP range (org-level) at all.
(a) Outside login IP range ----> user blocked
(b) Inside IP range:
Login successful: old device, old browser
Login challenge (verification code):
old device, new browser
new device [as per new release]
3> Inside login hours
If no login IP range is set at the profile level, then it will look at the trusted IP range (org-level).
(a) Outside trusted IP range ----> login challenge (verification code)
(b) Inside trusted IP range:
Login successful: old device, old browser
Login challenge:
old device, new browser
new device [as per new release]
No identity verification is required within a login IP range or trusted IP range.
It used to be that if you had ever connected from an IP address (regardless of login IP or trusted IP ranges), reconnecting from that IP would bypass identity confirmation. That is no longer true.
Can you please explain to me what computer activation is?
https://success.salesforce.com/answers?id=90630000000gnd7AAA
What does it actually do?
Identity verification (aka device activation) is a security measure to prevent unauthorized access – it requires that you key in a few digits to log in
Regarding VPN and restricting log in ip addresses at the profile level, the video says at 2:42, “With that same configuration, a company can enforce that users connect to the internal network through a VPN before connecting to Salesforce.” Does that mean that the IP log in restrictions at the profile level don’t matter if the user is accessing their work computer through a VPN?
When you connect through a VPN, it will change your IP address. It will appear as if you are connecting from within your company’s network to Salesforce.
Hello,
I’ve seen this question many times and can’t find the answer: when the session expires while the user is working, he’s logged out and asked to log in again when he tries to move from the page he’s on, but is the work lost or saved?
Thank you !
It should not be saved. The session would be invalidated at the end of the login time, therefore whatever action was taken (e.g. save) would be rejected.
So if I am logging in from the same system/laptop/IP address: on the first day I used
1. IE browser
2. on the 2nd day I used Chrome
3. on the 3rd day I used Firefox
On the 2nd and 3rd days the login is successful without any verification. Please confirm.
Not 100% clear. Prior to the change listed above (improved security for device activation) this would have been the case if you were connecting from the same IP. Now you will likely have to activate on all 3 connections:
Improved Security for Identity Verification
Since an IP address isn’t a reliable indicator of a user’s identity, we’ve changed our risk-based authentication protocol. When your users log in to Salesforce from a device or browser we don’t recognize, they are now prompted to verify identity, even if they log in from an IP address we’ve seen before.
Is the following summary correct?
Trusted IP – removes the need for device authentication
Profile IP- restricts access only from the specified login
replace “device authentication” with “device activation” and yep
and “specified login” with “specified IP ranges”
“If user is trying to login within the login hours set in profile, the IP range is NOT within the login IP range but IS trusted IP range, then user’s login will be blocked since IP range does not match with login IP range set in user’s profile.”
I saw this question in the comments and was reminded that this question was on the certification. However, when I answered that the User would be denied access (based on Profile IP Range) I got it wrong. I thought I read in here that the Trusted IP Range overrides Profile IP Range. Could you please clarify?
Check out the chart here: https://developer.salesforce.com/blogs/tech-pubs/2015/09/login-ip-ranges-security.html
Trusted IP ranges are not evaluated if Login IP Ranges are set- in short your answer was correct.
How do you know you got the answer wrong?
Checked the comments below which seem to reinforce this discussion (if you see anything contradicting please let me know and I will update)
“Restrictions override trusted IP ranges.
Trusted IP ranges are org wide, restrictions are set at profile.”
My apologies, the chart is very clear. Thank you. My confusion came from: Trusted IP Ranges: REMOVES Login Restrictions from Specific IP Addresses (I thought restrictions from Profile IP range as well). It was a question about which overrides the other, but now I get it.
Hi John,
When we click the Reset Password button on a User record, which fields are updated other than LASTPASSWORDCHANGEDATE?
Maybe this question is not relevant to the admin certification, but if you can let me know it would be helpful.
Thanks
1. A user profile has login hour restrictions set to Monday through Friday 8:00 AM to 5:00 PM. It is Tuesday and the user has logged in at 4:30 PM and it is now 5:01 PM.
Which behavior of the application should the user expect?
A. The user will be able to continue working and start new sessions.
B. The user will be logged out and any unsaved work-in-progress will be saved
C. The user will be able to continue working, but will not be able to start any new sessions.
D. The user will be logged out and any unsaved work-in-progress will be lost
In my opinion the answer should be C, but many people say D.
John, could you please confirm which one is right?
Probably D- when the user clicks “save” they will get logged out. If no action is taken the browser would continue to show the cached page.
This link https://success.salesforce.com/answers?id=90630000000gheLAAQ
prefers logged out: “At 5.00 PM the user will be automatically signed out; if he didn’t save the record then he will lose the data.”
The other link did not agree about the logout:
https://developer.salesforce.com/forums?id=906F0000000AfiFIAS
“I think the user will remain logged in but can’t do anything. He will be able to navigate to the pages, but won’t be able to perform any action, like update, delete, insert etc.. not even a new record. The user will be in read only mode. I must say we are in controversy again, and I really liked that someone posted this.”
So I’m really confused about which is correct.
I have tested this in the past – once the login hours time frame passes, the session is invalidated. They might not get logged out automatically (at least in classic they won’t), but if they try to view a new page, save a record, etc. – it will log them out
This is still not clear. The implication is that they are NOT logged out automatically. Here is a Note from the Data Security Trailhead
If users are logged in when their login hours end, they can continue to view their current page, but they can’t take any further action.
I believe this answer “At 5.00 PM the user will be automatically signed out; if he didn’t save the record then he will lose the data.” is not technically correct, which is what is causing the confusion.
At 5pm they will no longer be able to perform any actions but will be left on the current page until they attempt to perform another action – then they will have to login
Hi John,
Could you please help me with below query.
If an org has implemented Single Sign-On in Salesforce and a user has forgotten his password, then who can reset his password, as we know the user himself is not able to reset it?
Somewhere I found that the Salesforce admin can reset their password, and somewhere else I found that the password needs to be reset in the application that is used to verify the identity, such as Active Directory (AD).
So which one is true?
And if the admin can reset their password, then how? Do they have access to AD?
Thanks
If SSO is turned on for the profile, you cannot reset the password. It would need to be reset in the source system connected to facilitate SSO (commonly active directory)
Thanks for your reply.
But is there any option like Salesforce admin can access the source system connected to facilitate SSO from Salesforce itself?
No, not to my knowledge
Hi John, a quick question.
Below is what Network Access setting states.
“Users logging in to salesforce.com with a browser from trusted networks are allowed to access salesforce.com without having to activate their computers.”
It does not mention explicitly login with API through trusted IP. Though, it says login with browser. I would appreciate, if you could please clarify the same.
“From trusted network” implies ip address as that is how trusted networks are defined
Excellent explanation of login methods.
Hi John, is it possible to display the most recent comments per topic at the top of the page?
Not currently but not a bad idea either, will look into it
Just changed- I think this makes sense, thanks for the suggestion.
Hi John,
Based on my understanding I think the points mentioned below are true; please let me know if otherwise.
The user’s profile is set with login hours and a login IP range, and org-wide trusted IP ranges are also set by the administrator.
(1) If the user is trying to log in outside of the login hours set in the user’s profile, even if the IP address matches the login IP range on the user’s profile and is within the trusted IP range as well, the user will be prevented from logging in at all; the login will be blocked.
(2) If the user is trying to log in within the login hours set in the profile, and the IP address is within the login IP range but not the trusted IP range, then the user will require activation to log in.
(3) If the user is trying to log in within the login hours set in the profile, and the IP address is NOT within the login IP range but is within the trusted IP range, then the user’s login will be blocked since the IP address does not match the login IP range set in the user’s profile.
Thanks a lot.
Hi Sachin,
My understanding and answers on your points:
Point 1: Yes, the login will be denied
Point 2: If he is not in the trusted IP Range but within Login IP Range, then the user will require activation in the below combinations,
-> New IP Address, New Browser
-> New IP Address, Old Browser
-> Old IP Address, New Browser
No activation is required when it is: Old IP Address, Old Browser
Point 3: Yes, Login will be denied if it is not within Login IP Range since it overrides trusted IP Range.
Regards,
Prashanth
prashanthgowda165 correct – only one note:
#2- not clear anymore, given that SFDC is not using IP to validate activation any more. Login will be allowed, activation may be required.
Would there be a record created in the login history if a user tries to log in outside of the profile IP range?
Wondering if the answer is just D or C & D.
A user reports an error message when attempting to log in. The
administrator checks the user’s login history, but there is no record of the attempted login.
What could be the reason for this?
a. The user is attempting to log in with the wrong password
b. The user is attempting to log in outside of profile login hours
c. The user is attempting to log in outside of the profile IP login range
d. The user is attempting to log in with the wrong username
Hi Firstrock,
I guess if there is no record of the attempted login, then the USERNAME must be wrong, because even if the user tries logging in with the correct username but is outside of the profile login range, then at least the user’s login history would show the error with that username. Clearly it is the case of WRONG USERNAME and I believe the correct answer should be only D.
Correct d for this q
Latest question from the certification –
A user at Universal Containers reports an error message when attempting to log in. The administrator checks the user’s login history, but there is no record of the attempted login.
What could be the cause of this issue?
The user is attempting to log in outside of the profile login range
The user is attempting to log in outside of the profile IP
The user is attempting to log in with wrong username
The user is attempting to log in with wrong password
Correct answer is c- wrong username
Guess this might help
Yep c – spot on
Correct
For logging in via API even from a trusted network that you’ve successfully logged in from previously, do you still need to enter the security token or can that be bypassed as you’ve previously logged in beforehand (or is that completely superseded due to the new release?)
Whenever you log in from a trusted network no token is needed (even the first time).
New release no longer bypasses activation (which is not done via API connection) through prior ip usage
The permission (profile/permission set) “API Enabled” is required for a user to authenticate via the API.
Every time I use dataloader.io at my office I need to add the token. Is there a way that I won’t need to add the token after the first-time access (so no need for the token if I use dataloader.io on another day)?
Is it related to this:
Modify Session Security Settings-
Require security tokens for API logins from callouts (API version 31.0 and earlier) In API version 31.0 and earlier, requires the use of security tokens for API logins from callouts. Examples are Apex callouts or callouts using the AJAX proxy. In API version 32.0 and later, security tokens are required by default.
That does sound related, yes.
Yes- you would need to add the IP address to the list of trusted IP ranges.
However, this would be wherever dataloader.io was connecting from (which could be a range of addresses).
Hi John,
After I read the comments above and of course watched the video, I would like to see if I got it right:
Scenario 1: I have an OWD trusted IP address. User profile A has an IP range restriction that partially overlaps the OWD trusted IP. User profile B has an IP range restriction within the OWD trusted IP address, and lastly user profile C has no IP range restriction.
User A: logs in from an IP address that is within the profile range but is not in the OWD trusted IP – could the user log in?
User B: login for the first time within the allowed IP range – would the user get an activation message?
User A or User B: login outside their profile IP range but within the trusted OWD IP – would they still be able to login?
Apologies in advance for repetitive questions, I’m a bit slow :)
Regards,
Gil
Hi Gil,
Restrictions override trusted IP ranges.
Trusted IP ranges are org wide, restrictions are set at profile.
A- yes (but would require activation)
B-yes can login, don’t believe activation is required (I believe all IPs are considered trusted if restrictions on the profile are enabled – would need to double check the docs on this)
Outside of allowed profile ip ranges on login- deny login (if restrictions are enabled, then you can’t access the org outside of those ranges)
Cheers,
John
The slide just before “Thank You” could have been a bit slower. Otherwise, great content.
Yes, in my opinion.
If it is a different IP address, then you must activate the browser.
Only if they are also logging in from a new browser
If a device is already verified and cookie is stored, if the same device with new IP address is used for login, will the Verification code be asked? ( No trusted range is set)
No – the previously stored cookie will bypass the validation.
Which feature restricts a user’s ability to log into Salesforce?
Choose 2 answers:
A. Trusted IP ranges
B. Login hours
C. Login IP ranges
D. Password policies
Is A & B correct or B & C correct… please explain.
b&c – trusted IPs make it easy for a user to login (removes need for computer activation and security token), but does not outright prevent logins.
Login hours and Login IP Ranges will prevent a user from logging in.
Are Authentication Settings for External Systems (i.e. the Parent Object Type) discussed elsewhere, or not on the exam? Thank you.
Are you talking about SSO or connected apps? Touched on but largely out of scope for ADM201.
Hi John, in the end while summarizing, shouldn’t that be, “for login hours and login IP ranges, no need to use a security token while logging in from the API, and no need for computer activation while logging in from the website”? Please correct me if I am wrong. Thanks!
For login from a trusted ip – you will not need computer activation or a security token.
Login hours is evaluated separately and should not impact your login IP address or other behavior (outside of login time).
Just wanted to note that Salesforce now also sends verification codes to mobile phones via SMS. I don’t know if there’s an option to select a preference for email vs. SMS in the user profile.
Thanks Michelle – I’ve added an objective to the guide to address SMS activation and two factor authentication.
Hi John,
I got question on point 1 from Siva’s post on my certification test today.
I answered accordingly. Of course, I don’t know whether it got recorded correctly or not.
I passed the exam. Many thanks for the great site.
It was extremely helpful in preparing for the exam in a short time.
Even though I have years of experience, exams are a different beast and one needs structured help. You have done a great job with that.
regards,
Congrats Paresh! Thanks for the feedback
John,
1. If a user whose profile has Login IP Range (say support staff can access only from a certain building), and this user attempts to login from a computer in their corporate office (which is in the Trusted IP Range), will the user-login be successful?
2. Is there an order in which the IP range checks are performed by Salesforce? Say Login IP Range first and Trusted IP Range second, public IP third and others next? If the first verification fails, does the verification go to the second step or stop?
3. Scenario: My computer is already activated for IE browser. Does accessing Salesforce from Chrome browser require further activation? The reason for this clarification is the reference materials say a cookie is placed in the browser while activation. Is this cookie linked to only one browser?
Thanks,
Hi Siva,
1. My understanding is that Login IP ranges will override Trusted IP ranges – e.g. even if the IP Range is trusted, it must also be a login IP range. I haven’t specifically tested this scenario and can’t find a place to confirm this in the documentation, however.
2. I’m sure there is, but I don’t think it is documented. It shouldn’t matter too much – the preference of feature (as q #1 indicated) should drive behavior.
3. Yes – a new browser requires new activation. Cookies are browser independent. You can login from one browser, activate, and then immediately login from another browser (as your IP address will allow access).
Thanks, John.
For 1 & 2, when you get time, can you verify and let us know please?
3. So, the cookies are only IP address dependent and not browser or computer dependent.
Sorry I should clarify that point-
Cookies are browser dependent. However, activations also look at IP addresses.
Therefore- if you have activated EITHER the current browser OR the current IP address, then you will bypass activation.
Here’s how this would work:
3. Scenario: My computer is already activated for IE browser. Does accessing Salesforce from Chrome browser require further activation? The reason for this clarification is the reference materials say a cookie is placed in the browser while activation. Is this cookie linked to only one browser?
Does accessing Salesforce from Chrome browser require further activation?
-Yes. If you are accessing SFDC from the same IP as you did from FF, Chrome will be activated. If it is a different IP address, then you must activate Chrome.
Is this cookie linked to only one browser?
-Yes
Finally, for 1&2, found documentation. My assumption was correct:
https://help.salesforce.com/apex/HTViewHelpDoc?id=admin_loginrestrict.htm&language=en
When users log in to Salesforce, either via the user interface, the API, or a desktop client such as Connect for Outlook, Salesforce for Outlook, Connect Offline, Connect for Office, Connect for Lotus Notes, or the Data Loader, Salesforce confirms that the login is authorized as follows:
Salesforce checks whether the user’s profile has login hour restrictions. If login hour restrictions are specified for the user’s profile, any login outside the specified hours is denied.
If the user has the “Two-Factor Authentication for User Interface Logins” permission, Salesforce prompts the user for a time-based token (which the user may also be prompted to create if it hasn’t already been added to the account) upon logging in.
If the user has the “Two-Factor Authentication for API Logins” permission and a time-based token has been added to the account, Salesforce returns an error if a time-based token is not used to access the service in place of the standard security token.
Salesforce then checks whether the user’s profile has IP address restrictions. If IP address restrictions are defined for the user’s profile, any login from an undesignated IP address is denied, and any login from a specified IP address is allowed.
If profile-based IP address restrictions are not set, Salesforce checks whether the user is logging in from an IP address they have not used to access Salesforce before:
If the user’s login is from a browser that includes a Salesforce cookie, the login is allowed. The browser will have the Salesforce cookie if the user has previously used that browser to log in to Salesforce, and has not cleared the browser cookies.
If the user’s login is from an IP address in your organization’s trusted IP address list, the login is allowed.
If the user’s login is from neither a trusted IP address nor a browser with a Salesforce cookie, the login is blocked.
Whenever a login is blocked or returns an API login fault, Salesforce must verify the user’s identity:
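The decision order quoted above, and the step-by-step summary near the top of this thread, as a small Python model; this is an added example, not Salesforce's code or the page's. It follows the quoted steps with the two-factor prompts left out and, per the note at the top of the page, with no "IP seen before" shortcut; the CIDR ranges, login hours, dates and the cookie flag are constructed.

```python
# Constructed model of the login-authorization order quoted above (not Salesforce code).
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, time

DENY = "deny"            # login refused outright (no activation offered)
ALLOW = "allow"          # login succeeds without an activation prompt
CHALLENGE = "challenge"  # login blocked until the user verifies identity (activation)

@dataclass
class Profile:
    # weekday (0 = Monday) -> (start, end); empty dict = no login-hour restriction
    login_hours: dict = field(default_factory=dict)
    # profile login IP ranges as CIDR strings; empty list = no restriction
    login_ip_ranges: list = field(default_factory=list)

@dataclass
class Org:
    trusted_ip_ranges: list = field(default_factory=list)  # org-wide (Network Access)

@dataclass
class Attempt:
    ip: str
    when: datetime
    has_activation_cookie: bool = False  # browser already activated for this user

def ip_in_ranges(ip, ranges):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in ranges)

def within_login_hours(profile, when):
    if not profile.login_hours:
        return True
    window = profile.login_hours.get(when.weekday())
    if window is None:
        return False  # a day with no window set means no access that day
    start, end = window
    return start <= when.time() < end

def evaluate_login(profile, org, attempt):
    # Step 1: login hours are checked first; outside them the login is denied
    # regardless of any IP range.
    if not within_login_hours(profile, attempt.when):
        return DENY
    # Step 2: profile login IP ranges. When they are set, trusted IP ranges are
    # not consulted: outside the ranges -> denied, inside -> allowed.
    if profile.login_ip_ranges:
        return ALLOW if ip_in_ranges(attempt.ip, profile.login_ip_ranges) else DENY
    # Step 3: no profile restriction, so a browser holding the activation cookie
    # is allowed, as is a login from an org-wide trusted IP range.
    if attempt.has_activation_cookie or ip_in_ranges(attempt.ip, org.trusted_ip_ranges):
        return ALLOW
    # Step 4: neither applies, so the login is blocked until identity verification.
    return CHALLENGE

# Constructed scenario from the thread: Mon-Fri 8:00-17:00, a support profile
# locked to 10.1.0.0/16, and org trusted ranges that only partly overlap it.
HOURS = {d: (time(8), time(17)) for d in range(5)}
SUPPORT = Profile(login_hours=HOURS, login_ip_ranges=["10.1.0.0/16"])
UNRESTRICTED = Profile(login_hours=HOURS)
ORG = Org(trusted_ip_ranges=["10.1.5.0/24", "203.0.113.0/24"])
TUE_10AM = datetime(2016, 3, 1, 10, 0)  # 2016-03-01 is a Tuesday
TUE_5PM = datetime(2016, 3, 1, 17, 1)

if __name__ == "__main__":
    for label, prof, att in [
        ("after hours, inside every range", SUPPORT, Attempt("10.1.5.10", TUE_5PM)),
        ("in login IP range, not trusted", SUPPORT, Attempt("10.1.9.9", TUE_10AM)),
        ("trusted but outside login IP range", SUPPORT, Attempt("203.0.113.7", TUE_10AM)),
        ("no profile range, new browser", UNRESTRICTED, Attempt("198.51.100.5", TUE_10AM)),
    ]:
        print(f"{label}: {evaluate_login(prof, ORG, att)}")
```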
If a new browser requires new activation, would cookies not be BROWSER DEPENDENT? Browser independent cookie imply that once a cookie is placed in one browser, you can log in from any browser without re-activation.
Please clarify.
Regards,
Munira
Ok… My bad. I checked this issue on the Success Community. The following question is similar to the one asked by Siva. Here is the response I got from Gabriel Nitu (Salesforce).
Original Question:
IP Range Question: If I try to login from an IP that’s in my profile range but outside my default org wide range what will happen?
I can login by activating my computer
I can login without activating my computer
I can’t login at all
I can login with a security token
Based on my knowledge, the correct answer would be the second one:
I can login without activating my computer
Reasons for my answer:
If I am logging in from an IP range that is already in my profile range, I do not need computer activation (i.e., no verification code needed).
@gabriel Nitu – Am I correct?
Regards,
Munira
Response from Gabriel Nitu:
If I try to login from an IP that’s in my profile range but outside my default org wide range what will happen?
I can login by activating my computer
I can login without activating my computer (a user will never be challenged with the 5 digit verification code)
I can’t login at all
I can login with a security token
=====================
Are salesforce cookies browser dependent or independent?
For instance, on the first attempt, I log in to Salesforce using IE. So, a cookie is placed in my browser.
The next day, I log in again; however, this time I log in from Chrome. Will a new cookie be placed for Chrome?
Is a cookie tied to a browser? So, every time I use a new browser, is a new cookie placed?
Next day you will be challenged with the verification code only if the IP address is different than the previous one.
If the IP address is the same, the login will be successful.
The IE cookies are independent from other browser cookies.
Looks good, nice find!