SMS Identity Confirmation Enablement Plan for System Administrators February 2013
Key Summary
Salesforce.com constantly innovates to ensure our service is as secure as possible, and we're dedicated to helping our customers be more secure in their own environments. Today, one of the security features available to our customers is identity confirmation, which validates users logging in from an unverified source. Salesforce offers both email-based and SMS-based identity confirmation. SMS adds an extra layer of protection in case email credentials are compromised. SMS will become the default identity confirmation method for all users with a verified mobile number 30 days after the Critical Update Console (CRUC) posting. System administrators can re-enable email identity confirmation for verified mobile users at the profile or permission set level.
What is identity confirmation?
Identity confirmation is a salesforce.com-administered security feature enforced when the system recognizes that an unverified source (for example, a new IP address) is trying to access an account. Users are given an identity confirmation challenge and must retrieve a verification code before they can log in to their account. Salesforce uses several methods to recognize an authorized source:
1. A cookie that is cycled on each login
2. Org-approved networks
3. IP-restricted profiles
4. A user-verified IP address
What is SMS identity confirmation and why is it recommended as a default?
SMS identity confirmation challenges users to confirm their identity through a verification code sent via SMS rather than email. SMS adds a layer of protection because there is less potential for a third party to compromise multiple user devices simultaneously. For example (Sam the Salesforce user vs. an unauthorized party):
1. Sam's email credentials are compromised.
2. The unauthorized party tries to use Sam's email and password to access his Salesforce account, but the system recognizes that Sam's account is being accessed from an unverified source.
3. SMS identity confirmation requires that a verification code be sent to Sam's mobile device before he can log in.
4. The unauthorized party does not have Sam's phone, so Sam's Salesforce data stays secure.
What happens to email identity confirmation?
For customers with verified phone numbers, SMS will be enabled as the default option and email will be automatically turned off on the auto-activation date posted in the CRUC. Customers without verified phone numbers will be prompted to enter a mobile number on login. System administrators have the option to re-enable email and may choose to do so if not all of their users have mobile devices.
Today: email and SMS are offered based on preferences.
After the CRUC: SMS only, unless email is re-enabled.
Verified vs. Unverified Mobile Number
A verified mobile number means that the Mobile field is populated in the User detail screen (for example, +1 4155551234). An unverified mobile number means that the Mobile field is not populated in the User detail screen.
What is the process to verify a mobile number?
1. The user logs in from the login page (for example, admin@orgname.com).
2. The user is prompted to submit a mobile number (for example, +1 4155551234).
3. The user's mobile number is populated in the User detail page.
What will an identity confirmation challenge look like for verified mobile users once the feature is activated?
1. The user logs in from the login page (for example, admin@orgname.com) and will only see SMS as an option for identity confirmation.
2. The user receives a verification code via text (SMS).
3. The user must enter the verification code before accessing their account.
What if my user does not have a mobile number?
1. The user logs in from the login page (for example, admin@orgname.com) and elects not to enter a mobile number.
2. The user will continue to see email identity confirmation.
Top 3 FAQs
1. Can I activate the CRUC before the auto-activation date?
Yes, and we encourage you to do so. Click the Activate button in the CRUC, which will activate SMS identity confirmation as the default and turn off email identity confirmation.
2. What if I want my users to have both email and SMS-based identity confirmation?
As a system administrator, you can select "Allow email-based identity confirmation" at the permission set or profile level to allow both email and SMS identity confirmation options.
3. I have a Professional Edition license. Am I able to re-enable email identity confirmation for verified mobile users?
You can contact Support to turn off "Force SMS-based identity confirmation" for your org.
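The decision flow described above (the four checks that mark a source as verified, and which challenge channel a user is offered before and after the CRUC), as an added example that is not Salesforce code. The class names, fields and the treatment of pre-CRUC "preferences" as "both channels when a mobile number is verified" are assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed model of the page's decision flow (added example, not Salesforce code).
# Class names, fields and the ordering of checks are assumptions.

@dataclass
class User:
    username: str
    mobile: Optional[str] = None                    # populated = "verified mobile number"
    verified_ips: set = field(default_factory=set)  # IPs this user already confirmed
    profile_ip_ranges: list = field(default_factory=list)  # IP-restricted profile (CIDRs)
    allow_email_confirmation: bool = False          # profile / permission set setting

@dataclass
class Org:
    approved_networks: list                         # org-approved networks (CIDRs)
    cruc_activated: bool = False                    # SMS default in force after the CRUC

@dataclass
class LoginAttempt:
    user: User
    source_ip: str
    has_valid_cookie: bool = False                  # cookie cycled on each login

def in_any(ip, cidrs):
    return any(ip_address(ip) in ip_network(c) for c in cidrs)

def source_is_verified(org, attempt):
    """Any one of the page's four checks marks the source as verified (no challenge)."""
    u = attempt.user
    return (attempt.has_valid_cookie
            or in_any(attempt.source_ip, org.approved_networks)
            or in_any(attempt.source_ip, u.profile_ip_ranges)
            or attempt.source_ip in u.verified_ips)

def challenge_channels(org, user):
    """Channels offered to a challenged user, before and after the CRUC activates."""
    if not org.cruc_activated:                  # today: offered based on preferences
        return {"email", "sms"} if user.mobile else {"email"}
    if user.mobile is None:                     # no verified mobile: email continues
        return {"email"}
    channels = {"sms"}                          # verified mobile: SMS only by default
    if user.allow_email_confirmation:           # "Allow email-based identity confirmation"
        channels.add("email")
    return channels

def decide(org, attempt):
    """None when no challenge is needed, otherwise the set of channels to offer."""
    if source_is_verified(org, attempt):
        return None
    return challenge_channels(org, attempt.user)
```

Running the Sam scenario from the page through decide() with an attacker IP outside every verified source returns {"sms"}, while the same user from an org-approved network or with a valid login cookie is not challenged at all.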
Resources
FAQs*: https://help.salesforce.com/apex/htviewsolution?urlname=sms-Based-Identity-Confirmation&language=en_US
Contact Support:
1. Visit the Help & Training Portal
2. Click on Contact Support
*Available in English only at this time.
What is CRUC?
CRUC stands for the Critical Update Console and is found on the Setup page. CRUC is used to announce, and at times enable or disable, important updates for our customers.