New Security Measures with Salesforce – Upcoming Changes to Identity Confirmation via SMS
Salesforce.com has announced its latest security enhancement, SMS Identity Confirmation. The update adds a second factor to logins from unrecognised locations, strengthening the Salesforce service and helping customers harden their own environments. Starting April 2nd, 2013, Salesforce began rolling out a two-step verification process that uses SMS text messages to confirm a user's identity the first time they log in from an unrecognised 'device' (such as a home computer, an iPhone or an iPad) or from a new IP address.
Salesforce.com will replace email Identity Confirmation with SMS Identity Confirmation for all users who have a verified mobile number. This adds an extra layer of protection when a login from an unknown source has to be verified. Once the change is activated, users with a verified mobile number will receive the confirmation code only by SMS; users without a mobile phone will still have the option of email identity confirmation. The new functionality will eventually be enabled automatically, but for now customers can opt in using the "Critical Updates" panel in Salesforce. After the change is activated, users who do not already have a mobile number saved on their User profile may be prompted to enter one at their next login.
The same technique is already used successfully by banks: a login from an unrecognised device is refused unless whoever holds the username and password also controls the registered mobile phone. A stolen or phished password on its own is therefore no longer enough; an attacker would have to compromise both the credentials and the phone. Until now, email has been used to validate access from new devices, but shortly the default for validation will be SMS confirmation.
If there is a good business reason why this control is unworkable in your organisation, your System Administrator can re-enable email Identity Confirmation.
SalesFix can help you with any configuration requirements, but here are some handy tips from Salesforce.com for System Administrators to prepare for this change:
Q: What is Identity Confirmation?
A: Identity Confirmation is a salesforce.com security feature enforced when the system detects that an unrecognised source (e.g. a new IP address or device) is trying to access an account. SMS Identity Confirmation challenges the user to confirm their identity with a verification code sent via SMS. Salesforce currently offers both email and SMS-based identity confirmation; SMS adds an extra layer of protection in case the user's email credentials have also been compromised.
Q: What will change for my users once this is activated?
A: After this change is activated, users who do not have a verified mobile number will see a prompt to submit one on their next login. Users who already have a verified mobile number will only notice a change the next time they attempt to access Salesforce from a new device or IP address. Users with verified mobile numbers will no longer see email verification as an option when challenged.
Q: What is a verified mobile number vs. an unverified mobile number?
A: If a Salesforce user has a valid, properly formatted mobile number populated in their user details page, their number is considered verified. If a Salesforce user does not have a mobile number in their user details page, they are not verified and will be prompted to submit their mobile number on their first login.
Q: What if I don't want my users to be able to decline when prompted to enter a mobile number?
A: For Enterprise and Unlimited edition licences, you can perform a mass upload of properly formatted numbers, or enter mobile phone numbers proactively on each User Details page. Users whose number is already on record are not prompted to enter one on their first login after the change is enabled.
Q: What if I want my users to have SMS and email identification verification options?
A: As an administrator, you can re-enable email identity confirmation by granting a new user permission called "Allow email-based Identity Confirmation", either on a profile or through a permission set assigned to an individual user. Only system administrators can set this option, not end users.
Q: Can I re-enable email identity confirmation?
A: Yes. Enable the "Allow email-based Identity Confirmation" permission on a profile, or add it to a permission set and assign that permission set to the user.
Q: What happens if a user loses their phone?
A: If a user loses their phone, enable the "Allow email-based Identity Confirmation" permission on their profile, or add it to a permission set and assign that permission set to the user, so they can fall back to email challenges. Keep in mind this is only needed for users with verified mobile phone numbers; users without a verified mobile number still receive identity confirmation challenge codes via email.
Q: What if all my users do not have mobile phones?
A: When users are prompted to verify their phone number on login, they have the option to decline and continue to use email verification.
Q: What does a properly formatted number mean?
A: A properly formatted number is +[country code][subscriber number] with no spaces, dashes or parentheses. For example, an Australian mobile number is entered as "+61409555234": the leading 0 of the local form (0409 555 234) is dropped and replaced by the +61 country code.
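Because a malformed number leaves a user unverified (and therefore still on email confirmation), it is worth normalising the numbers before the mass upload described above. The following Python is an added example and not Salesforce or SalesFix code; it assumes a simplified E.164 rule (a "+" followed by 8 to 15 digits, no leading zero), an Australian default country code, and a constructed list of username/number pairs standing in for the upload spreadsheet. It also handles the common "+61 (0) 4xx" notation, which would otherwise pass a naive check with a spurious trunk zero.

```python
import re
from typing import List, Optional, Tuple

# Simplified E.164 check (assumption, not Salesforce's validator): "+" then
# 8..15 digits, first digit non-zero. Spaces, dashes and parentheses must be gone.
E164_RE = re.compile(r"^\+[1-9]\d{7,14}$")


def is_e164(number: str) -> bool:
    """True if the string is already in +[country code][subscriber] form."""
    return bool(E164_RE.fullmatch(number))


def normalize_mobile(raw: str, default_country_code: str = "61") -> Optional[str]:
    """Normalise a human-entered mobile number to +[cc][number].

    Returns None when the number cannot be normalised without guessing, so
    the caller can route it for manual review instead of uploading junk.
    """
    # "+61 (0) 409 555 234": the bracketed 0 is the national trunk prefix and
    # must not survive into the international form.
    cleaned = raw.strip().replace("(0)", "")
    # Strip the decorations people type: spaces, dots, dashes, parentheses.
    cleaned = re.sub(r"[\s().-]", "", cleaned)

    if cleaned.startswith("+"):
        candidate = cleaned                      # already international form
    elif cleaned.startswith("00"):
        candidate = "+" + cleaned[2:]            # 00 international prefix -> +
    elif cleaned.startswith("0"):
        candidate = "+" + default_country_code + cleaned[1:]  # drop trunk 0
    else:
        return None  # no prefix at all: ambiguous, do not guess the country

    # Anything left that is not a digit (extensions, letters) fails here.
    return candidate if is_e164(candidate) else None


def prepare_upload(
    rows: List[Tuple[str, str]], default_country_code: str = "61"
) -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Split (username, raw number) rows into upload-ready and needs-review."""
    ready, review = [], []
    for username, raw in rows:
        normalised = normalize_mobile(raw, default_country_code)
        if normalised:
            ready.append((username, normalised))
        else:
            review.append((username, raw))
    return ready, review


# Constructed sample rows standing in for the admin's upload spreadsheet.
SAMPLE_ROWS = [
    ("alice@example.com", "0409 555 234"),
    ("bob@example.com", "+61 (0) 409-555-234"),
    ("carol@example.com", "0061409555234"),
    ("dave@example.com", "409555234"),        # no prefix: ambiguous
    ("erin@example.com", "0409555234 ext 12"),  # extension: not a mobile
]

if __name__ == "__main__":
    ready, review = prepare_upload(SAMPLE_ROWS)
    for user, number in ready:
        print(f"upload  {user}: {number}")
    for user, raw in review:
        print(f"review  {user}: {raw!r}")
```

Rows that come back in the review list should be checked with the user rather than forced into a plausible shape: a wrong number silently sends the challenge code to someone else's phone.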
REMEMBER: Salesforce's Identity Confirmation feature does not require a Verification Code every time you log in, only when you log in from an unknown device, such as a new computer, your iPad or iPhone, or from a new IP address.
SalesFix is standing by to help you make this transition and to answer any questions you may have.