Salesforce Developer Security Identity Confirmation
Identity confirmation is used to verify the identities of users coming from unknown devices, and adds an extra layer of security on top of the authentication and single sign-on features. When a user comes from an unknown device with a new IP address, the user is challenged to provide an identity confirmation code delivered via email, SMS, or a mobile authenticator app. Once the user completes the identity confirmation challenge, the device (and client browser) is considered activated.

For administrators, this feature provides information about all the activated device IP addresses and client browser information for all users in their organization. Administrators can revoke the activation status for one, many, or all users and can filter on specific criteria, such as username or login IP, to determine which activated devices to revoke. A user can tell their organization administrator that their device has been lost, but they’ve been issued a new device and still need access to the organization. The organization administrator can revoke the lost device and client browser activation status, effectively removing the IP address and IC browser information from the database. Anyone attempting to access the organization from that revoked device will be challenged for identity confirmation, adding a needed layer of security, while making sure users stay productive.

For users, this feature gives information about their activated device IP addresses and client browser information. Each user can revoke the activation status for any of their own IP addresses, but not for those of any other user.

Example: A user logs in to their organization, looks at their activated devices on the Activations page, and notices that there are several devices activated. The user has only ever been logged in from their work laptop and doesn’t recognize the IP addresses, so they immediately revoke the activation status of those devices. Since the user is challenged for identity confirmation using SMS to their mobile device, anyone trying to log in to the organization from one of those unknown devices will fail the identity confirmation challenge. The user can then report the potential security breach.
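The activation and revocation rules described above can be sketched as a small model. This is an added example, not Salesforce code or a Salesforce API: `ActivationStore`, `Activation`, the `confirm` callback and the sample users and IP address are all hypothetical names and constructed values.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Activation:
    username: str
    login_ip: str
    browser: str

@dataclass
class ActivationStore:
    """Simplified model of activated devices; not Salesforce's implementation."""
    admins: set = field(default_factory=set)
    activations: set = field(default_factory=set)

    def login(self, username, login_ip, browser, confirm=None):
        """Return 'ok' for an activated device, otherwise run the challenge.

        `confirm` is a hypothetical callback standing in for the code sent by
        email, SMS or authenticator app; it returns True when the right code
        is supplied.
        """
        device = Activation(username, login_ip, browser)
        if device in self.activations:
            return "ok"
        if confirm is not None and confirm():
            self.activations.add(device)  # device and browser now activated
            return "activated"
        return "challenge_failed"

    def revoke(self, actor, username=None, login_ip=None):
        """Revoke activations matching the filter; return how many were removed."""
        if actor not in self.admins:
            # A non-admin may revoke only their own activations.
            if username not in (None, actor):
                raise PermissionError("users cannot revoke other users' devices")
            username = actor
        matched = {a for a in self.activations
                   if (username is None or a.username == username)
                   and (login_ip is None or a.login_ip == login_ip)}
        self.activations -= matched
        return len(matched)

def lost_device_scenario():
    """Constructed sample: alice's laptop is lost and the admin revokes it."""
    store = ActivationStore(admins={"admin"})
    results = [store.login("alice", "203.0.113.10", "Firefox", confirm=lambda: True)]
    results.append(store.login("alice", "203.0.113.10", "Firefox"))
    store.revoke("admin", username="alice", login_ip="203.0.113.10")
    # Whoever holds the laptop cannot read the code sent to alice's phone.
    results.append(store.login("alice", "203.0.113.10", "Firefox", confirm=lambda: False))
    return results
```
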
page revision: 0, last edited: 02 Jan 2017 00:18